Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-2gpj-j2rf-2376/GHSA-2gpj-j2rf-2376.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2gpj-j2rf-2376",
+  "modified": "2026-01-20T06:30:27Z",
+  "published": "2026-01-20T06:30:27Z",
+  "aliases": [
+    "CVE-2026-1218"
+  ],
+  "details": "A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1218"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dingpotian/cve-vul/blob/main/Shikong-Zhiyou-ERP/Shikong-Zhiyou-ERP-XXE-RichClientService-initRCForm.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341908"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341908"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.735201"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-610"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T06:16:00Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-39vc-r5gw-mf5w/GHSA-39vc-r5gw-mf5w.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-39vc-r5gw-mf5w",
+  "modified": "2026-01-20T06:30:26Z",
+  "published": "2026-01-20T06:30:26Z",
+  "aliases": [
+    "CVE-2026-0906"
+  ],
+  "details": "Incorrect security UI  in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0906"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/467448811"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T05:16:16Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-4hcf-mq88-ff2w/GHSA-4hcf-mq88-ff2w.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4hcf-mq88-ff2w",
+  "modified": "2026-01-20T06:30:27Z",
+  "published": "2026-01-20T06:30:26Z",
+  "aliases": [
+    "CVE-2026-1042"
+  ],
+  "details": "The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1042"
+    },
+    {
+      "type": "WEB",
+      "url": "https://downloads.wordpress.org/plugin/wp-hello-bar.1.02.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L152"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L214"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L222"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/wp-hello-bar"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73b55486-adb8-40c6-9113-c98618d9cb00?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T06:16:00Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-4hf5-r2xh-wq7q/GHSA-4hf5-r2xh-wq7q.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4hf5-r2xh-wq7q",
+  "modified": "2026-01-20T06:30:26Z",
+  "published": "2026-01-20T06:30:26Z",
+  "aliases": [
+    "CVE-2026-0908"
+  ],
+  "details": "Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0908"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/452209503"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T05:16:16Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-5hmm-9q32-cjhm/GHSA-5hmm-9q32-cjhm.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5hmm-9q32-cjhm",
+  "modified": "2026-01-20T06:30:26Z",
+  "published": "2026-01-20T06:30:26Z",
+  "aliases": [
+    "CVE-2026-23911"
+  ],
+  "details": "Rejected reason: Not used",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23911"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T05:16:16Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-6h3q-wcw2-gjg9/GHSA-6h3q-wcw2-gjg9.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6h3q-wcw2-gjg9",
+  "modified": "2026-01-20T06:30:26Z",
+  "published": "2026-01-20T06:30:26Z",
+  "aliases": [
+    "CVE-2026-23915"
+  ],
+  "details": "Rejected reason: Not used",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23915"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T05:16:16Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-743w-qrv8-633j/GHSA-743w-qrv8-633j.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-743w-qrv8-633j",
+  "modified": "2026-01-20T06:30:26Z",
+  "published": "2026-01-20T06:30:26Z",
+  "aliases": [
+    "CVE-2026-0903"
+  ],
+  "details": "Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0903"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/444803530"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T05:16:15Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-7m49-7hpq-vmxj/GHSA-7m49-7hpq-vmxj.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7m49-7hpq-vmxj",
+  "modified": "2026-01-20T06:30:26Z",
+  "published": "2026-01-20T06:30:26Z",
+  "aliases": [
+    "CVE-2026-0902"
+  ],
+  "details": "Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0902"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/469143679"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T05:16:15Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-9fx4-284h-m253/GHSA-9fx4-284h-m253.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9fx4-284h-m253",
+  "modified": "2026-01-20T06:30:25Z",
+  "published": "2026-01-20T06:30:25Z",
+  "aliases": [
+    "CVE-2025-14977"
+  ],
+  "details": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14977"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L131"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L152"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L85"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432750%40dokan-lite%2Ftrunk&old=3427612%40dokan-lite%2Ftrunk&sfp_email=&sfph_mail=#file7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T05:16:08Z"
+  }
+}