Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d92007d51f4e · 2026-04-20T03:36:56.000Z
GHSA-2vwv-vqpv-v8vc GHSA-c75f-55f6-f63q GHSA-3jc6-6r48-v6qf GHSA-5jjf-wcvf-923w GHSA-643x-95vv-2wf6 GHSA-8rf8-8h6f-fh89 GHSA-c9gf-mh8q-hp8p GHSA-chp8-j7m4-jf28 GHSA-f4m3-5vcv-cfg7 GHSA-f674-pjwp-7q42 GHSA-qf9c-j447-wpvf GHSA-vvfc-fp59-m92g
diff --git a/advisories/unreviewed/2026/03/GHSA-2vwv-vqpv-v8vc/GHSA-2vwv-vqpv-v8vc.json b/advisories/unreviewed/2026/03/GHSA-2vwv-vqpv-v8vc/GHSA-2vwv-vqpv-v8vc.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2vwv-vqpv-v8vc",
-  "modified": "2026-04-16T21:31:09Z",
+  "modified": "2026-04-20T03:34:40Z",
   "published": "2026-03-30T09:31:29Z",
   "aliases": [
     "CVE-2026-5121"
@@ -39,6 +39,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:8534"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:8867"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-5121"
diff --git a/advisories/unreviewed/2026/03/GHSA-c75f-55f6-f63q/GHSA-c75f-55f6-f63q.json b/advisories/unreviewed/2026/03/GHSA-c75f-55f6-f63q/GHSA-c75f-55f6-f63q.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c75f-55f6-f63q",
-  "modified": "2026-04-16T21:31:09Z",
+  "modified": "2026-04-20T03:34:40Z",
   "published": "2026-03-19T15:31:21Z",
   "aliases": [
     "CVE-2026-4424"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:8534"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:8867"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-4424"
diff --git a/advisories/unreviewed/2026/04/GHSA-3jc6-6r48-v6qf/GHSA-3jc6-6r48-v6qf.json b/advisories/unreviewed/2026/04/GHSA-3jc6-6r48-v6qf/GHSA-3jc6-6r48-v6qf.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3jc6-6r48-v6qf",
+  "modified": "2026-04-20T03:34:41Z",
+  "published": "2026-04-20T03:34:41Z",
+  "aliases": [
+    "CVE-2026-6594"
+  ],
+  "details": "A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6594"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791805"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358229"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358229/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T02:16:15Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-5jjf-wcvf-923w/GHSA-5jjf-wcvf-923w.json b/advisories/unreviewed/2026/04/GHSA-5jjf-wcvf-923w/GHSA-5jjf-wcvf-923w.json
@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5jjf-wcvf-923w",
+  "modified": "2026-04-20T03:34:42Z",
+  "published": "2026-04-20T03:34:42Z",
+  "aliases": [
+    "CVE-2026-6597"
+  ],
+  "details": "A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6597"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791920"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358232"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358232/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T03:16:17Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-643x-95vv-2wf6/GHSA-643x-95vv-2wf6.json b/advisories/unreviewed/2026/04/GHSA-643x-95vv-2wf6/GHSA-643x-95vv-2wf6.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-643x-95vv-2wf6",
+  "modified": "2026-04-20T03:34:42Z",
+  "published": "2026-04-20T03:34:41Z",
+  "aliases": [
+    "CVE-2026-6593"
+  ],
+  "details": "A vulnerability was found in ComfyUI up to 0.13.0. Affected by this issue is some unknown functionality of the file server.py of the component View Endpoint. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6593"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/1d91fabb465284d7a974746f7e6cc5cc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791114"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358228"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358228/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T02:16:15Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-8rf8-8h6f-fh89/GHSA-8rf8-8h6f-fh89.json b/advisories/unreviewed/2026/04/GHSA-8rf8-8h6f-fh89/GHSA-8rf8-8h6f-fh89.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8rf8-8h6f-fh89",
+  "modified": "2026-04-20T03:34:41Z",
+  "published": "2026-04-20T03:34:41Z",
+  "aliases": [
+    "CVE-2026-6589"
+  ],
+  "details": "A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6589"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/d314f8120e47601dfa3ac8b899f12d1f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358224"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358224/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T01:16:31Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-c9gf-mh8q-hp8p/GHSA-c9gf-mh8q-hp8p.json b/advisories/unreviewed/2026/04/GHSA-c9gf-mh8q-hp8p/GHSA-c9gf-mh8q-hp8p.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c9gf-mh8q-hp8p",
+  "modified": "2026-04-20T03:34:41Z",
+  "published": "2026-04-20T03:34:41Z",
+  "aliases": [
+    "CVE-2026-6591"
+  ],
+  "details": "A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6591"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/1e6db39703626dc5c1a2505426754333"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791112"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358226"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358226/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T01:16:31Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-chp8-j7m4-jf28/GHSA-chp8-j7m4-jf28.json b/advisories/unreviewed/2026/04/GHSA-chp8-j7m4-jf28/GHSA-chp8-j7m4-jf28.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-chp8-j7m4-jf28",
+  "modified": "2026-04-20T03:34:40Z",
+  "published": "2026-04-20T03:34:40Z",
+  "aliases": [
+    "CVE-2026-6588"
+  ],
+  "details": "A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6588"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/5fbc93a21f9928e91a72ab0d72fb1e88"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791089"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358223"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358223/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T01:16:30Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-f4m3-5vcv-cfg7/GHSA-f4m3-5vcv-cfg7.json b/advisories/unreviewed/2026/04/GHSA-f4m3-5vcv-cfg7/GHSA-f4m3-5vcv-cfg7.json
diff --git a/advisories/unreviewed/2026/04/GHSA-f674-pjwp-7q42/GHSA-f674-pjwp-7q42.json b/advisories/unreviewed/2026/04/GHSA-f674-pjwp-7q42/GHSA-f674-pjwp-7q42.json
diff --git a/advisories/unreviewed/2026/04/GHSA-qf9c-j447-wpvf/GHSA-qf9c-j447-wpvf.json b/advisories/unreviewed/2026/04/GHSA-qf9c-j447-wpvf/GHSA-qf9c-j447-wpvf.json
diff --git a/advisories/unreviewed/2026/04/GHSA-vvfc-fp59-m92g/GHSA-vvfc-fp59-m92g.json b/advisories/unreviewed/2026/04/GHSA-vvfc-fp59-m92g/GHSA-vvfc-fp59-m92g.json
