Publish Advisories

GHSA-673g-gvq6-jf92
GHSA-9mpm-5gw8-6p88
GHSA-9w82-gm38-254c
GHSA-c6cx-98fx-j4rp
GHSA-hqj6-7698-rxx4
GHSA-hrp9-p693-x2cg
GHSA-jxwq-p5r5-4484
GHSA-p4xg-6jp2-m2x3
GHSA-pmjm-5f5h-7776

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-673g-gvq6-jf92/GHSA-673g-gvq6-jf92.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-673g-gvq6-jf92",
+  "modified": "2026-01-26T09:30:18Z",
+  "published": "2026-01-26T09:30:18Z",
+  "aliases": [
+    "CVE-2026-1428"
+  ],
+  "details": "Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1428"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10655-59160-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T09:15:47Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-9mpm-5gw8-6p88/GHSA-9mpm-5gw8-6p88.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9mpm-5gw8-6p88",
+  "modified": "2026-01-26T09:30:17Z",
+  "published": "2026-01-26T09:30:17Z",
+  "aliases": [
+    "CVE-2025-14316"
+  ],
+  "details": "The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14316"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T07:16:06Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-9w82-gm38-254c/GHSA-9w82-gm38-254c.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9w82-gm38-254c",
+  "modified": "2026-01-26T09:30:18Z",
+  "published": "2026-01-26T09:30:18Z",
+  "aliases": [
+    "CVE-2026-1423"
+  ],
+  "details": "A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1423"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-3-remote-code-execution-via-unsafe-file-upload"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.342839"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.342839"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.736607"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T07:16:07Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-c6cx-98fx-j4rp/GHSA-c6cx-98fx-j4rp.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c6cx-98fx-j4rp",
+  "modified": "2026-01-26T09:30:18Z",
+  "published": "2026-01-26T09:30:18Z",
+  "aliases": [
+    "CVE-2026-1429"
+  ],
+  "details": "Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1429"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10655-59160-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T09:15:47Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-hqj6-7698-rxx4/GHSA-hqj6-7698-rxx4.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hqj6-7698-rxx4",
+  "modified": "2026-01-26T09:30:18Z",
+  "published": "2026-01-26T09:30:18Z",
+  "aliases": [
+    "CVE-2026-1425"
+  ],
+  "details": "A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1425"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.342841"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.342841"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.736827"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T08:16:00Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-hrp9-p693-x2cg/GHSA-hrp9-p693-x2cg.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hrp9-p693-x2cg",
+  "modified": "2026-01-26T09:30:17Z",
+  "published": "2026-01-26T09:30:17Z",
+  "aliases": [
+    "CVE-2025-14973"
+  ],
+  "details": "The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14973"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/76f7d5d4-ba45-4bfd-bda9-ab0769e81107"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T07:16:06Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-jxwq-p5r5-4484/GHSA-jxwq-p5r5-4484.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jxwq-p5r5-4484",
+  "modified": "2026-01-26T09:30:18Z",
+  "published": "2026-01-26T09:30:18Z",
+  "aliases": [
+    "CVE-2026-1424"
+  ],
+  "details": "A vulnerability was identified in PHPGurukul News Portal 1.0. This affects an unknown part of the component Profile Pic Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1424"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rsecroot/News-Portal/blob/main/Cross%20Site%20Scripting.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://phpgurukul.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.342840"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.342840"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.736637"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T07:16:08Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-p4xg-6jp2-m2x3/GHSA-p4xg-6jp2-m2x3.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p4xg-6jp2-m2x3",
+  "modified": "2026-01-26T09:30:18Z",
+  "published": "2026-01-26T09:30:18Z",
+  "aliases": [
+    "CVE-2026-1427"
+  ],
+  "details": "Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1427"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10655-59160-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-26T08:16:00Z"
+  }
+}