Publish Advisories

GHSA-2jpc-9fjv-pc59
GHSA-333p-mjpr-3q3c
GHSA-5pv5-mj98-fr8x
GHSA-7x88-9hgc-69gf
GHSA-86vf-rp56-mhf8
GHSA-cgh3-rgf8-476j
GHSA-fgpp-q3px-3xhc
GHSA-fmf5-9m5j-xgw3
GHSA-fmmr-9jcw-39gf
GHSA-g2mp-vfg6-8xwm
GHSA-h2cc-wx97-xp8v
GHSA-j79m-9jxq-788r
GHSA-jhmj-fqr7-r4cv
GHSA-m698-rpjv-64j7
GHSA-m7hj-m974-fx49
GHSA-q457-vx59-3fqg
GHSA-rpg5-467j-c25q
GHSA-vcp2-c692-chhh
GHSA-vgxx-5xj5-q97x
GHSA-wgxh-fmm3-r6v6

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-2jpc-9fjv-pc59/GHSA-2jpc-9fjv-pc59.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2jpc-9fjv-pc59",
+  "modified": "2026-04-08T00:30:26Z",
+  "published": "2026-04-08T00:30:26Z",
+  "aliases": [
+    "CVE-2026-4656"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4656"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T23:16:27Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-333p-mjpr-3q3c/GHSA-333p-mjpr-3q3c.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-333p-mjpr-3q3c",
+  "modified": "2026-04-08T00:30:26Z",
+  "published": "2026-04-08T00:30:26Z",
+  "aliases": [
+    "CVE-2026-39933"
+  ],
+  "details": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS).This issue affects non release branches.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39933"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gerrit.wikimedia.org/r/q/I1fc7b7e1d234b0aaf9f7d782a65da1451577587e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://phabricator.wikimedia.org/T418179"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T22:16:23Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-5pv5-mj98-fr8x/GHSA-5pv5-mj98-fr8x.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5pv5-mj98-fr8x",
+  "modified": "2026-04-08T00:30:27Z",
+  "published": "2026-04-08T00:30:26Z",
+  "aliases": [
+    "CVE-2026-4394"
+  ],
+  "details": "The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (`input_<id>.4`) in all versions up to, and including, 2.9.30. This is due to the `get_value_entry_detail()` method in the `GF_Field_CreditCard` class outputting the card type value without escaping, combined with `get_value_save_entry()` accepting and storing unsanitized user input for the `input_<id>.4` parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in the POST request. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form entry in the WordPress dashboard.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4394"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.gravityforms.com/gravityforms-change-log"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/gravityforms/tags/2.9.25/includes/fields/class-gf-field-creditcard.php#L516"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/gravityforms/tags/2.9.25/includes/fields/class-gf-field-creditcard.php#L577"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/fields/class-gf-field-creditcard.php#L516"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/fields/class-gf-field-creditcard.php#L577"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f38d7b7-6df6-47a2-a9ba-87ef1f039e44?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T00:16:05Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-7x88-9hgc-69gf/GHSA-7x88-9hgc-69gf.json

@@ -0,0 +1,51 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7x88-9hgc-69gf",
+  "modified": "2026-04-08T00:30:25Z",
+  "published": "2026-04-08T00:30:25Z",
+  "aliases": [
+    "CVE-2026-28389"
+  ],
+  "details": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28389"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686"
+    },
+    {
+      "type": "WEB",
+      "url": "https://openssl-library.org/news/secadv/20260407.txt"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T22:16:21Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-86vf-rp56-mhf8/GHSA-86vf-rp56-mhf8.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-86vf-rp56-mhf8",
+  "modified": "2026-04-08T00:30:26Z",
+  "published": "2026-04-08T00:30:26Z",
+  "aliases": [
+    "CVE-2026-39937"
+  ],
+  "details": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects non release branches.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39937"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://phabricator.wikimedia.org/T418122"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-212"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T22:16:24Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-cgh3-rgf8-476j/GHSA-cgh3-rgf8-476j.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cgh3-rgf8-476j",
+  "modified": "2026-04-08T00:30:26Z",
+  "published": "2026-04-08T00:30:26Z",
+  "aliases": [
+    "CVE-2026-39934"
+  ],
+  "details": "Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions.This issue affects Mediawiki - GrowthExperiments Extension: 1.45.2, 1.44.4, 1.43.7.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39934"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gerrit.wikimedia.org/r/c/1243874"
+    },
+    {
+      "type": "WEB",
+      "url": "https://phabricator.wikimedia.org/T418222"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-835"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T22:16:24Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-fgpp-q3px-3xhc/GHSA-fgpp-q3px-3xhc.json

@@ -0,0 +1,51 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fgpp-q3px-3xhc",
+  "modified": "2026-04-08T00:30:25Z",
+  "published": "2026-04-08T00:30:25Z",
+  "aliases": [
+    "CVE-2026-28390"
+  ],
+  "details": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28390"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75"
+    },
+    {
+      "type": "WEB",
+      "url": "https://openssl-library.org/news/secadv/20260407.txt"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T22:16:21Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-fmf5-9m5j-xgw3/GHSA-fmf5-9m5j-xgw3.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fmf5-9m5j-xgw3",
+  "modified": "2026-04-08T00:30:26Z",
+  "published": "2026-04-08T00:30:26Z",
+  "aliases": [
+    "CVE-2026-39936"
+  ],
+  "details": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Score Extension.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39936"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gerrit.wikimedia.org/r/q/I1fb2913bc32328cbc4ecd4b4ad4a4788fb98c56c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://phabricator.wikimedia.org/T419186"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T23:16:27Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-fmmr-9jcw-39gf/GHSA-fmmr-9jcw-39gf.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fmmr-9jcw-39gf",
+  "modified": "2026-04-08T00:30:26Z",
+  "published": "2026-04-08T00:30:26Z",
+  "aliases": [
+    "CVE-2026-1342"
+  ],
+  "details": "IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1342"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7268253"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-829"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T00:16:03Z"
+  }
+}