Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2021/06/GHSA-5gjg-jgh4-gppm/GHSA-5gjg-jgh4-gppm.json

@@ -1,12 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5gjg-jgh4-gppm",
-  "modified": "2021-10-05T16:37:09Z",
+  "modified": "2026-01-23T22:35:54Z",
   "published": "2021-06-23T17:26:30Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2021-4236"
+  ],
   "summary": "Websocket requests did not call AuthenticateMethod",
   "details": "### Impact\n\nDepending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the `github.com/ecnepsnai/web` package with Web Sockets that have an AuthenticateMethod.\n\nThe `AuthenticateMethod` is not called, and `UserData` will be nil in request methods. Attempts to read the `UserData` may result in a panic.\n\nThis issue only affects web sockets where an `AuthenticateMethod` is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.\n\n#### Example\n\nIn the example below, one would expect that the `AuthenticateMethod` function would be called for each request to `/example`\n\n```go\nhandleOptions := web.HandleOptions{\n\tAuthenticateMethod: func(request *http.Request) interface{} {\n\t\t// Assume there is logic here to check for an active sessions, look at cookies or headers, etc...\n\t\tvar session Session{} // Example\n\n\t\treturn session\n\t},\n}\n\nserver.Socket(\"/example\", handle, handleOptions)\n```\n\nHowever, the method is not called, and therefor the `UserData` parameter of the request object in the handle will be nil, when it would have been expected to be the `session` object we returned.\n\n### Patches\n\nRelease v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.\n\nAll users of the web package should update to v1.5.2 or later.\n\n### Workarounds\n\nYou may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -33,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/ecnepsnai/web/security/advisories/GHSA-5gjg-jgh4-gppm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4236"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"
@@ -48,9 +59,11 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-304"
+      "CWE-304",
+      "CWE-400",
+      "CWE-476"
     ],
-    "severity": "MODERATE",
+    "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2021-05-21T17:41:20Z",
     "nvd_published_at": null

advisories/github-reviewed/2022/12/GHSA-jpgg-cp2x-qrw3/GHSA-jpgg-cp2x-qrw3.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jpgg-cp2x-qrw3",
-  "modified": "2023-08-29T18:58:37Z",
+  "modified": "2026-01-23T22:35:48Z",
   "published": "2022-12-28T00:30:23Z",
-  "aliases": [
-    "CVE-2021-4236"
-  ],
-  "summary": "ecnepsnai/web vulnerable to Uncontrolled Resource Consumption",
-  "details": "Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.",
+  "withdrawn": "2026-01-23T22:35:48Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: ecnepsnai/web vulnerable to Uncontrolled Resource Consumption",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-5gjg-jgh4-gppm. This link is maintained to preserve external references.\n\n## Original Description\nWeb Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2024/02/GHSA-w277-wpqf-rcfv/GHSA-w277-wpqf-rcfv.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w277-wpqf-rcfv",
-  "modified": "2024-02-06T20:30:14Z",
+  "modified": "2026-01-23T22:35:18Z",
   "published": "2024-02-06T20:30:14Z",
+  "withdrawn": "2026-01-23T22:35:18Z",
   "aliases": [],
-  "summary": "Svix vulnerable to improper comparison of different-length signatures",
-  "details": "The `Webhook::verify` function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in `v1,` as the signature, which would always pass verification.\n",
+  "summary": "Duplicate Advisory: Svix vulnerable to improper comparison of different-length signatures",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-747x-5m58-mq97. This link is maintained to preserve external references.\n\n## Original Description\nThe `Webhook::verify` function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in `v1,` as the signature, which would always pass verification.",
   "severity": [],
   "affected": [
     {

advisories/unreviewed/2026/01/GHSA-43fm-9f2q-hw2w/GHSA-43fm-9f2q-hw2w.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-43fm-9f2q-hw2w",
-  "modified": "2026-01-22T18:30:38Z",
+  "modified": "2026-01-23T22:35:51Z",
   "published": "2026-01-22T18:30:38Z",
   "aliases": [
     "CVE-2025-69098"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS.This issue affects Hide My WP: from n/a through <= 6.2.12.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-22T17:16:22Z"

advisories/unreviewed/2026/01/GHSA-53j3-cfjv-xfqj/GHSA-53j3-cfjv-xfqj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-53j3-cfjv-xfqj",
-  "modified": "2026-01-23T15:31:36Z",
+  "modified": "2026-01-23T22:35:51Z",
   "published": "2026-01-23T15:31:36Z",
   "aliases": [
     "CVE-2026-24558"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS.This issue affects ABG Rich Pins: from n/a through <= 1.1.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-23T15:16:13Z"

advisories/unreviewed/2026/01/GHSA-5vv6-8wrr-wj6p/GHSA-5vv6-8wrr-wj6p.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5vv6-8wrr-wj6p",
-  "modified": "2026-01-23T15:31:34Z",
+  "modified": "2026-01-23T22:35:51Z",
   "published": "2026-01-23T15:31:34Z",
   "aliases": [
     "CVE-2025-69907"
   ],
   "details": "An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-23T15:16:05Z"

advisories/unreviewed/2026/01/GHSA-63vr-ppcf-2wwm/GHSA-63vr-ppcf-2wwm.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-63vr-ppcf-2wwm",
-  "modified": "2026-01-23T15:31:38Z",
+  "modified": "2026-01-23T22:35:51Z",
   "published": "2026-01-23T15:31:38Z",
   "aliases": [
     "CVE-2026-24614"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Devsbrain Flex QR Code Generator flex-qr-code-generator allows DOM-Based XSS.This issue affects Flex QR Code Generator: from n/a through <= 1.2.8.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-23T15:16:20Z"

advisories/unreviewed/2026/01/GHSA-762j-cc79-q852/GHSA-762j-cc79-q852.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-762j-cc79-q852",
-  "modified": "2026-01-23T15:31:38Z",
+  "modified": "2026-01-23T22:35:52Z",
   "published": "2026-01-23T15:31:38Z",
   "aliases": [
     "CVE-2026-24626"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt Logo Slider logo-slider-wp allows Stored XSS.This issue affects Logo Slider: from n/a through <= 4.9.0.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-23T15:16:21Z"

advisories/unreviewed/2026/01/GHSA-7q2p-45vm-px3w/GHSA-7q2p-45vm-px3w.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7q2p-45vm-px3w",
-  "modified": "2026-01-23T15:31:38Z",
+  "modified": "2026-01-23T22:35:53Z",
   "published": "2026-01-23T15:31:38Z",
   "aliases": [
     "CVE-2026-24632"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS.This issue affects Delay Redirects: from n/a through <= 1.0.0.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-23T15:16:22Z"

advisories/unreviewed/2026/01/GHSA-7x7r-hcqj-v9hx/GHSA-7x7r-hcqj-v9hx.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7x7r-hcqj-v9hx",
-  "modified": "2026-01-23T15:31:38Z",
+  "modified": "2026-01-23T22:35:52Z",
   "published": "2026-01-23T15:31:38Z",
   "aliases": [
     "CVE-2026-24629"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS.This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-23T15:16:22Z"