Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit abb116939a78 · 2026-01-20T00:31:50.000Z
GHSA-23hh-2f47-3p4h GHSA-2g59-m95p-pgfq GHSA-354g-gr9q-32q8 GHSA-7f7m-83r3-p644 GHSA-89mp-j99f-xqxm GHSA-8f3h-gvwr-46vx GHSA-gm79-2pvc-wc75 GHSA-rqmc-4j3g-x93f GHSA-xc2j-7277-whgq
diff --git a/advisories/unreviewed/2026/01/GHSA-23hh-2f47-3p4h/GHSA-23hh-2f47-3p4h.json b/advisories/unreviewed/2026/01/GHSA-23hh-2f47-3p4h/GHSA-23hh-2f47-3p4h.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-23hh-2f47-3p4h",
+  "modified": "2026-01-20T00:30:27Z",
+  "published": "2026-01-20T00:30:27Z",
+  "aliases": [
+    "CVE-2026-1193"
+  ],
+  "details": "A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1193"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341778"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341778"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734270"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-19T23:16:03Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-2g59-m95p-pgfq/GHSA-2g59-m95p-pgfq.json b/advisories/unreviewed/2026/01/GHSA-2g59-m95p-pgfq/GHSA-2g59-m95p-pgfq.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2g59-m95p-pgfq",
+  "modified": "2026-01-20T00:30:28Z",
+  "published": "2026-01-20T00:30:28Z",
+  "aliases": [
+    "CVE-2026-22219"
+  ],
+  "details": "Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22219"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Chainlit/chainlit/releases/tag/2.9.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T00:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-354g-gr9q-32q8/GHSA-354g-gr9q-32q8.json b/advisories/unreviewed/2026/01/GHSA-354g-gr9q-32q8/GHSA-354g-gr9q-32q8.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-354g-gr9q-32q8",
+  "modified": "2026-01-20T00:30:26Z",
+  "published": "2026-01-20T00:30:26Z",
+  "aliases": [
+    "CVE-2026-1178"
+  ],
+  "details": "A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1178"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/LX-66-LX/cve/issues/18"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341772"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341772"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734593"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-19T22:16:02Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-7f7m-83r3-p644/GHSA-7f7m-83r3-p644.json b/advisories/unreviewed/2026/01/GHSA-7f7m-83r3-p644/GHSA-7f7m-83r3-p644.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7f7m-83r3-p644",
+  "modified": "2026-01-20T00:30:28Z",
+  "published": "2026-01-20T00:30:27Z",
+  "aliases": [
+    "CVE-2026-1194"
+  ],
+  "details": "A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1194"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341779"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341779"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734271"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T00:15:48Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-89mp-j99f-xqxm/GHSA-89mp-j99f-xqxm.json b/advisories/unreviewed/2026/01/GHSA-89mp-j99f-xqxm/GHSA-89mp-j99f-xqxm.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-89mp-j99f-xqxm",
+  "modified": "2026-01-20T00:30:27Z",
+  "published": "2026-01-20T00:30:27Z",
+  "aliases": [
+    "CVE-2026-1179"
+  ],
+  "details": "A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1179"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/LX-66-LX/cve/issues/19"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341773"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341773"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734594"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-19T23:16:02Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-8f3h-gvwr-46vx/GHSA-8f3h-gvwr-46vx.json b/advisories/unreviewed/2026/01/GHSA-8f3h-gvwr-46vx/GHSA-8f3h-gvwr-46vx.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8f3h-gvwr-46vx",
+  "modified": "2026-01-20T00:30:27Z",
+  "published": "2026-01-20T00:30:27Z",
+  "aliases": [
+    "CVE-2026-1192"
+  ],
+  "details": "A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1192"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341777"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341777"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734205"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.yuque.com/yuqueyonghuexlgkz/zepczx/keenhf9u2bnw5o6g"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-19T23:16:03Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-gm79-2pvc-wc75/GHSA-gm79-2pvc-wc75.json b/advisories/unreviewed/2026/01/GHSA-gm79-2pvc-wc75/GHSA-gm79-2pvc-wc75.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gm79-2pvc-wc75",
+  "modified": "2026-01-20T00:30:28Z",
+  "published": "2026-01-20T00:30:28Z",
+  "aliases": [
+    "CVE-2026-22218"
+  ],
+  "details": "Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker’s session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22218"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Chainlit/chainlit/releases/tag/2.9.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/chainlit-arbitrary-file-read-via-project-element"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T00:15:48Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-rqmc-4j3g-x93f/GHSA-rqmc-4j3g-x93f.json b/advisories/unreviewed/2026/01/GHSA-rqmc-4j3g-x93f/GHSA-rqmc-4j3g-x93f.json
diff --git a/advisories/unreviewed/2026/01/GHSA-xc2j-7277-whgq/GHSA-xc2j-7277-whgq.json b/advisories/unreviewed/2026/01/GHSA-xc2j-7277-whgq/GHSA-xc2j-7277-whgq.json
