Publish Advisories

GHSA-7hmf-75fm-xr24
GHSA-8294-68fr-jrmh
GHSA-8mvv-fc8c-63jh
GHSA-cqgp-9jf3-3w3c
GHSA-mw98-2gv2-mp63
GHSA-r583-x83p-jgxx
GHSA-xfw6-4rhw-32pm

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-7hmf-75fm-xr24/GHSA-7hmf-75fm-xr24.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7hmf-75fm-xr24",
+  "modified": "2026-04-03T09:30:16Z",
+  "published": "2026-04-03T09:30:16Z",
+  "aliases": [
+    "CVE-2026-4350"
+  ],
+  "details": "The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the `PMCS::action_handler()` method processing the `$_GET['delete']` parameter without any sanitization, authorization check, or nonce verification. The unsanitized filename is concatenated with the storage directory path and passed to `unlink()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server by using `../` path traversal sequences, including `wp-config.php` which would force WordPress into the installation wizard and allow full site takeover.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4350"
+    },
+    {
+      "type": "WEB",
+      "url": "https://perfmatters.io/docs/changelog"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58b9dab8-8539-4b53-b08d-f6ee3e1e744c?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T08:16:17Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8294-68fr-jrmh/GHSA-8294-68fr-jrmh.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8294-68fr-jrmh",
+  "modified": "2026-04-03T09:30:16Z",
+  "published": "2026-04-03T09:30:16Z",
+  "aliases": [
+    "CVE-2026-5462"
+  ],
+  "details": "A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key\n . Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5462"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/781767"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355053"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355053/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-WahooFitne-3262de3f97fb8038808eed63af1a48b8?source=copy_link"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T08:16:17Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8mvv-fc8c-63jh/GHSA-8mvv-fc8c-63jh.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8mvv-fc8c-63jh",
+  "modified": "2026-04-03T09:30:16Z",
+  "published": "2026-04-03T09:30:16Z",
+  "aliases": [
+    "CVE-2026-5455"
+  ],
+  "details": "A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file file res/raw/config.json of the component ca.diagram.dialogue. Executing a manipulation of the argument SEGMENT_WRITE_KEY can lead to use of hard-coded cryptographic key\n . The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5455"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/781761"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355043"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355043/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-ca-diagram-dia-3262de3f97fb802fb5f0d2c9d179dcf6?source=copy_link"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T07:16:20Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-cqgp-9jf3-3w3c/GHSA-cqgp-9jf3-3w3c.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cqgp-9jf3-3w3c",
+  "modified": "2026-04-03T09:30:16Z",
+  "published": "2026-04-03T09:30:16Z",
+  "aliases": [
+    "CVE-2026-5456"
+  ],
+  "details": "A vulnerability was identified in Align Technology My Invisalign App 3.12.4 on Android. The impacted element is an unknown function of the file com/aligntech/myinvisalign/BuildConfig.java of the component com.aligntech.myinvisalign.emea. The manipulation of the argument CDAACCESS_TOKEN leads to use of hard-coded cryptographic key\n . The attack must be carried out locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5456"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/781763"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355044"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355044/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.notion.so/Contentful-CDA-Tokens-Exposure-Leading-to-Unauthorized-Access-to-Master-and-Release-Environments-in--3262de3f97fb802ebd1af88e1264cb9f?source=copy_link"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T07:16:20Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-mw98-2gv2-mp63/GHSA-mw98-2gv2-mp63.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mw98-2gv2-mp63",
+  "modified": "2026-04-03T09:30:16Z",
+  "published": "2026-04-03T09:30:16Z",
+  "aliases": [
+    "CVE-2025-7024"
+  ],
+  "details": "Incorrect Default Permissions vulnerability in AIRBUS PSS TETRA Connectivity Server on Windows Server OS allows Privilege Abuse.\n\n\nAn attacker may execute arbitrary code with SYSTEM privileges if a user is tricked or directed to place a crafted file into the vulnerable directory.\n\nThis issue affects TETRA connectivity Server: 7.0.\n\n\nVulnerability fix is available and delivered to impacted customers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7024"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cwe.mitre.org/data/definitions/276.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-276"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T08:16:17Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-r583-x83p-jgxx/GHSA-r583-x83p-jgxx.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r583-x83p-jgxx",
+  "modified": "2026-04-03T09:30:16Z",
+  "published": "2026-04-03T09:30:16Z",
+  "aliases": [
+    "CVE-2026-5458"
+  ],
+  "details": "A weakness has been identified in Noelse Individuals & Pro App up to 2.1.7 on Android. This impacts an unknown function of the file com/reactnative/antelop/BuildConfig.java of the component com.afone.noelse. This manipulation of the argument SEGMENT_WRITE_KEY causes use of hard-coded cryptographic key\n . The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5458"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/781766"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355046"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355046/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-afone-noel-3262de3f97fb80549986ddd8a160ed32?source=copy_link"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T07:16:21Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-xfw6-4rhw-32pm/GHSA-xfw6-4rhw-32pm.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xfw6-4rhw-32pm",
+  "modified": "2026-04-03T09:30:16Z",
+  "published": "2026-04-03T09:30:16Z",
+  "aliases": [
+    "CVE-2026-5457"
+  ],
+  "details": "A security flaw has been discovered in PropertyGuru AgentNet Singapore App up to 23.7.10 on Android. This affects an unknown function of the file com/allproperty/android/agentnet/BuildConfig.java of the component com.allproperty.android.agentnet. The manipulation of the argument SEGMENT_ANDROID_WRITE_KEY/SEGMENT_TOS_WRITE_KEY results in use of hard-coded cryptographic key\n . The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5457"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/781764"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355045"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355045/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-allpropert-3262de3f97fb80b5aa5ae52475bf155e?source=copy_link"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T07:16:20Z"
+  }
+}