Publish Advisories

GHSA-v6c5-9mp4-mwq4
GHSA-292q-v67v-f66g
GHSA-382v-76mx-pqx3
GHSA-3gh2-3c3q-2933
GHSA-45hq-rq49-xwcf
GHSA-4hm5-jmp9-7g72
GHSA-8283-g649-xjrh
GHSA-8pm5-xr39-vfv3
GHSA-9x3w-xc3m-rx49
GHSA-cq4v-33m4-7gj5
GHSA-cr4v-m7hf-7hvj
GHSA-f6mf-xjgg-34j8
GHSA-pqh8-v6gf-267q
GHSA-rq8q-2gpw-5fr2
GHSA-rx39-3p86-f4v2
GHSA-w299-fq8v-qvg7
GHSA-xr9j-2jxx-p2h8

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-v6c5-9mp4-mwq4/GHSA-v6c5-9mp4-mwq4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v6c5-9mp4-mwq4",
-  "modified": "2026-01-27T09:30:29Z",
+  "modified": "2026-01-27T12:31:18Z",
   "published": "2025-11-26T15:34:12Z",
   "aliases": [
     "CVE-2025-13601"
@@ -35,6 +35,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:1323"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:1324"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:1326"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:1327"

advisories/unreviewed/2026/01/GHSA-292q-v67v-f66g/GHSA-292q-v67v-f66g.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-292q-v67v-f66g",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:18Z",
+  "aliases": [
+    "CVE-2025-12387"
+  ],
+  "details": "A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12387"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.pl/en/posts/2026/01/CVE-2025-12386"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wcyb/security_research"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pix-link.com/lv-wr21q"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-754"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T12:15:57Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-382v-76mx-pqx3/GHSA-382v-76mx-pqx3.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-382v-76mx-pqx3",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:18Z",
+  "aliases": [
+    "CVE-2026-24829"
+  ],
+  "details": "Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24829"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Is-Daouda/is-Engine/pull/7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-122"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T10:15:49Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-3gh2-3c3q-2933/GHSA-3gh2-3c3q-2933.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3gh2-3c3q-2933",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:18Z",
+  "aliases": [
+    "CVE-2025-41728"
+  ],
+  "details": "A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41728"
+    },
+    {
+      "type": "WEB",
+      "url": "https://certvde.com/de/advisories/VDE-2025-092"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T12:15:57Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-45hq-rq49-xwcf/GHSA-45hq-rq49-xwcf.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-45hq-rq49-xwcf",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:18Z",
+  "aliases": [
+    "CVE-2026-24347"
+  ],
+  "details": "Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24347"
+    },
+    {
+      "type": "WEB",
+      "url": "https://hub.ntc.swiss/ntcf-2025-32806"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T10:15:49Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-4hm5-jmp9-7g72/GHSA-4hm5-jmp9-7g72.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4hm5-jmp9-7g72",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:18Z",
+  "aliases": [
+    "CVE-2025-12386"
+  ],
+  "details": "Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12386"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.pl/en/posts/2026/01/CVE-2025-12386"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wcyb/security_research"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pix-link.com/lv-wr21q"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T12:15:56Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-8283-g649-xjrh/GHSA-8283-g649-xjrh.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8283-g649-xjrh",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:18Z",
+  "aliases": [
+    "CVE-2025-41726"
+  ],
+  "details": "A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41726"
+    },
+    {
+      "type": "WEB",
+      "url": "https://certvde.com/de/advisories/VDE-2025-092"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-190"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T12:15:57Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-8pm5-xr39-vfv3/GHSA-8pm5-xr39-vfv3.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8pm5-xr39-vfv3",
+  "modified": "2026-01-27T12:31:17Z",
+  "published": "2026-01-27T12:31:17Z",
+  "aliases": [
+    "CVE-2026-1467"
+  ],
+  "details": "A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1467"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-1467"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433174"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-93"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T10:15:48Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-9x3w-xc3m-rx49/GHSA-9x3w-xc3m-rx49.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9x3w-xc3m-rx49",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:18Z",
+  "aliases": [
+    "CVE-2026-24826"
+  ],
+  "details": "Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24826"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cadaver/turso3d/pull/11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T10:15:49Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-cq4v-33m4-7gj5/GHSA-cq4v-33m4-7gj5.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cq4v-33m4-7gj5",
+  "modified": "2026-01-27T12:31:18Z",
+  "published": "2026-01-27T12:31:17Z",
+  "aliases": [
+    "CVE-2026-24346"
+  ],
+  "details": "Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24346"
+    },
+    {
+      "type": "WEB",
+      "url": "https://hub.ntc.swiss/ntcf-2025-13993"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-798"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-27T10:15:49Z"
+  }
+}