Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b5e8c2c8dd63 · 2026-01-21T15:49:09.000Z
GHSA-43rr-x62x-q96w GHSA-ggff-9mj3-7246
diff --git a/advisories/github-reviewed/2026/01/GHSA-43rr-x62x-q96w/GHSA-43rr-x62x-q96w.json b/advisories/github-reviewed/2026/01/GHSA-43rr-x62x-q96w/GHSA-43rr-x62x-q96w.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-43rr-x62x-q96w",
-  "modified": "2026-01-20T03:30:28Z",
+  "modified": "2026-01-21T15:47:33Z",
   "published": "2026-01-20T03:30:28Z",
   "aliases": [
     "CVE-2026-1195"
   ],
+  "summary": "MineAdmin improperly refreshes tokens",
   "details": "A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mineadmin/mineadmin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.0.3"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -27,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mineadmin/mineadmin"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/?ctiid.341780"
@@ -45,8 +70,8 @@
       "CWE-345"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T15:47:33Z",
     "nvd_published_at": "2026-01-20T01:15:56Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-ggff-9mj3-7246/GHSA-ggff-9mj3-7246.json b/advisories/github-reviewed/2026/01/GHSA-ggff-9mj3-7246/GHSA-ggff-9mj3-7246.json
@@ -0,0 +1,92 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ggff-9mj3-7246",
+  "modified": "2026-01-21T15:47:44Z",
+  "published": "2026-01-21T15:47:44Z",
+  "aliases": [
+    "CVE-2026-0895"
+  ],
+  "summary": "mailqueue TYPO3 extension affected by Insecure Deserialization",
+  "details": "## Description\n\nThe extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004). Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension.\n\nMore information about this vulnerability can be found in the related TYPO3 Core Security Advisory [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "cpsit/typo3-mailqueue"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.4.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "cpsit/typo3-mailqueue"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.5.0"
+            },
+            {
+              "fixed": "0.5.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/CPS-IT/mailqueue/security/advisories/GHSA-ggff-9mj3-7246"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0895"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/CPS-IT/mailqueue/commit/12a0a35027bb5609917790a94e43bbf117abf733"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/CPS-IT/mailqueue/commit/fd09aa4e1a751551bae4b228bee814e22f2048db"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/CPS-IT/mailqueue"
+    },
+    {
+      "type": "WEB",
+      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-001"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T15:47:44Z",
+    "nvd_published_at": "2026-01-20T08:16:01Z"
+  }
+}
