Publish Advisories

GHSA-2wx5-jfx2-287m
GHSA-4p55-phcx-2vg2
GHSA-8g9w-79w6-cw84
GHSA-9rxj-wrx5-6463
GHSA-h376-wgw6-6272
GHSA-mqp2-8ch3-3446
GHSA-pm3x-gpqq-3g4r
GHSA-wv3p-w5rj-f5p6

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-2wx5-jfx2-287m/GHSA-2wx5-jfx2-287m.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2wx5-jfx2-287m",
+  "modified": "2026-01-30T00:31:23Z",
+  "published": "2026-01-30T00:31:23Z",
+  "aliases": [
+    "CVE-2026-1638"
+  ],
+  "details": "A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1638"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/LX-LX88/cve/issues/26"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.343417"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.343417"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.740871"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-30T00:15:57Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-4p55-phcx-2vg2/GHSA-4p55-phcx-2vg2.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4p55-phcx-2vg2",
+  "modified": "2026-01-30T00:31:23Z",
+  "published": "2026-01-30T00:31:23Z",
+  "aliases": [
+    "CVE-2026-1624"
+  ],
+  "details": "A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1624"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/QIU-DIE/CVE/issues/50"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.343383"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.343383"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.740770"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-29T22:15:53Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-8g9w-79w6-cw84/GHSA-8g9w-79w6-cw84.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8g9w-79w6-cw84",
-  "modified": "2026-01-29T21:30:31Z",
+  "modified": "2026-01-30T00:31:22Z",
   "published": "2026-01-29T21:30:31Z",
   "aliases": [
     "CVE-2025-69516"
   ],
   "details": "A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. This occurs due to misuse of the generate_html() function, the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-1336"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-29T20:16:09Z"

advisories/unreviewed/2026/01/GHSA-9rxj-wrx5-6463/GHSA-9rxj-wrx5-6463.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9rxj-wrx5-6463",
-  "modified": "2026-01-28T21:31:24Z",
+  "modified": "2026-01-30T00:31:22Z",
   "published": "2026-01-28T21:31:24Z",
   "aliases": [
     "CVE-2025-71006"
   ],
   "details": "A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-369"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-28T21:16:09Z"

advisories/unreviewed/2026/01/GHSA-h376-wgw6-6272/GHSA-h376-wgw6-6272.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h376-wgw6-6272",
+  "modified": "2026-01-30T00:31:23Z",
+  "published": "2026-01-30T00:31:23Z",
+  "aliases": [
+    "CVE-2026-1637"
+  ],
+  "details": "A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1637"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/LX-LX88/cve/issues/25"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.343416"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.343416"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.740865"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-29T23:16:11Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-mqp2-8ch3-3446/GHSA-mqp2-8ch3-3446.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mqp2-8ch3-3446",
+  "modified": "2026-01-30T00:31:23Z",
+  "published": "2026-01-30T00:31:22Z",
+  "aliases": [
+    "CVE-2026-1281"
+  ],
+  "details": "A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1281"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-29T22:15:53Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-pm3x-gpqq-3g4r/GHSA-pm3x-gpqq-3g4r.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pm3x-gpqq-3g4r",
+  "modified": "2026-01-30T00:31:23Z",
+  "published": "2026-01-30T00:31:23Z",
+  "aliases": [
+    "CVE-2026-1625"
+  ],
+  "details": "A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1625"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/QIU-DIE/CVE/issues/51"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.343384"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.343384"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.740792"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-29T22:15:54Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-wv3p-w5rj-f5p6/GHSA-wv3p-w5rj-f5p6.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wv3p-w5rj-f5p6",
+  "modified": "2026-01-30T00:31:22Z",
+  "published": "2026-01-30T00:31:22Z",
+  "aliases": [
+    "CVE-2026-1340"
+  ],
+  "details": "A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1340"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-29T22:15:53Z"
+  }
+}