github
diff --git a/‎advisories/unreviewed/2026/04/GHSA-2284-8cw5-5697/GHSA-2284-8cw5-5697.json‎
Lines changed: 48 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-2284-8cw5-5697/GHSA-2284-8cw5-5697.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/04/GHSA-2vh4-chw9-2wfj/GHSA-2vh4-chw9-2wfj.json‎
Lines changed: 56 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-2vh4-chw9-2wfj/GHSA-2vh4-chw9-2wfj.json‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/04/GHSA-37pp-wc7r-w5m9/GHSA-37pp-wc7r-w5m9.json‎
Lines changed: 48 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-37pp-wc7r-w5m9/GHSA-37pp-wc7r-w5m9.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/04/GHSA-4fvm-5vr9-wq7p/GHSA-4fvm-5vr9-wq7p.json‎
Lines changed: 48 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-4fvm-5vr9-wq7p/GHSA-4fvm-5vr9-wq7p.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/04/GHSA-4qhq-qj7h-c7fx/GHSA-4qhq-qj7h-c7fx.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-4qhq-qj7h-c7fx/GHSA-4qhq-qj7h-c7fx.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/04/GHSA-567j-3p8m-25r7/GHSA-567j-3p8m-25r7.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-567j-3p8m-25r7/GHSA-567j-3p8m-25r7.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/04/GHSA-5949-9w89-hx26/GHSA-5949-9w89-hx26.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-5949-9w89-hx26/GHSA-5949-9w89-hx26.json‎
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2284-8cw5-5697",
+  "modified": "2026-04-05T21:30:21Z",
+  "published": "2026-04-05T21:30:21Z",
+  "aliases": [
+    "CVE-2019-25687"
+  ],
+  "details": "Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionality. Attackers can send POST requests to the submit.php endpoint with malicious PHP code in the action parameter to achieve code execution and obtain an interactive shell.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25687"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46542"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/pegasus-cms-remote-code-execution-via-extra-fields-php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wisdom.com.au/web/pegasus-cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T21:16:47Z"
+  }
+}
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2vh4-chw9-2wfj",
+  "modified": "2026-04-05T21:30:19Z",
+  "published": "2026-04-05T21:30:18Z",
+  "aliases": [
+    "CVE-2026-5594"
+  ],
+  "details": "A weakness has been identified in premAI-io premsql up to 0.2.1. Affected is the function eval of the file premsql/agents/baseline/workers/followup.py. This manipulation of the argument result causes code injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5594"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Ka7arotto/cve/blob/main/premsql-rce/issue.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Ka7arotto/cve/blob/main/premsql-rce/poc.py"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/784462"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355388"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355388/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T19:17:05Z"
+  }
+}
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-37pp-wc7r-w5m9",
+  "modified": "2026-04-05T21:30:21Z",
+  "published": "2026-04-05T21:30:21Z",
+  "aliases": [
+    "CVE-2019-25684"
+  ],
+  "details": "OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitive database information.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25684"
+    },
+    {
+      "type": "WEB",
+      "url": "https://sourceforge.net/projects/opendocman/files"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46500"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/opendocman-sql-injection-via-where-parameter"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T21:16:46Z"
+  }
+}
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4fvm-5vr9-wq7p",
+  "modified": "2026-04-05T21:30:19Z",
+  "published": "2026-04-05T21:30:19Z",
+  "aliases": [
+    "CVE-2019-25658"
+  ],
+  "details": "a-Mac Address Change 5.4 contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input to registration form fields. Attackers can paste 212 bytes of data into the 'Your Name', 'Your Company', or 'Register Code' fields and click the Register button to trigger a denial of service crash.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25658"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46292"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/a-mac-address-change-local-buffer-overflow-dos"
+    },
+    {
+      "type": "WEB",
+      "url": "http://amac.paqtool.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T21:16:42Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4qhq-qj7h-c7fx",
+  "modified": "2026-04-05T21:30:21Z",
+  "published": "2026-04-05T21:30:21Z",
+  "aliases": [
+    "CVE-2019-25688"
+  ],
+  "details": "Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Attackers can send crafted requests with malicious SQL payloads in the menu_lev1 parameter to extract sensitive database information or modify database contents.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25688"
+    },
+    {
+      "type": "WEB",
+      "url": "https://sourceforge.net/projects/kados"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46505"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.kados.info"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/kados-r10-greenbee-sql-injection-via-menu-lev1-parameter"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T21:16:47Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-567j-3p8m-25r7",
+  "modified": "2026-04-05T21:30:21Z",
+  "published": "2026-04-05T21:30:21Z",
+  "aliases": [
+    "CVE-2019-25696"
+  ],
+  "details": "Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter. Attackers can submit malicious SQL statements in the language_tag parameter to extract sensitive database information or modify data.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25696"
+    },
+    {
+      "type": "WEB",
+      "url": "https://sourceforge.net/projects/kados"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46505"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.kados.info"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/kados-r10-greenbee-sql-injection-via-language-tag-parameter"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T21:16:48Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5949-9w89-hx26",
+  "modified": "2026-04-05T21:30:20Z",
+  "published": "2026-04-05T21:30:20Z",
+  "aliases": [
+    "CVE-2019-25673"
+  ],
+  "details": "UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25673"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/UniSharp/laravel-filemanager/issues/356"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/UniSharp/laravel-filemanager"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46389"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T21:16:45Z"
+  }
+}