Publish Advisories

GHSA-65cr-c32f-9764
GHSA-84m6-p53c-x4wp
GHSA-6qx4-cmrg-x79q
GHSA-7549-ggpq-22w8
GHSA-f2hp-qw27-8wfq
GHSA-jf89-3q6q-vcgr
GHSA-jw3m-5wwm-qcph
GHSA-jx24-j485-cqwm
GHSA-rp7w-624x-95qv

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-65cr-c32f-9764/GHSA-65cr-c32f-9764.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-65cr-c32f-9764",
-  "modified": "2026-04-01T18:36:31Z",
+  "modified": "2026-04-13T12:31:15Z",
   "published": "2026-01-08T18:30:50Z",
   "aliases": [
     "CVE-2026-22486"

advisories/unreviewed/2026/03/GHSA-84m6-p53c-x4wp/GHSA-84m6-p53c-x4wp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-84m6-p53c-x4wp",
-  "modified": "2026-03-25T15:31:29Z",
+  "modified": "2026-04-13T12:31:15Z",
   "published": "2026-03-25T15:31:29Z",
   "aliases": [
     "CVE-2026-1519"
@@ -34,6 +34,10 @@
     {
       "type": "WEB",
       "url": "https://kb.isc.org/docs/cve-2026-1519"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00008.html"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/04/GHSA-6qx4-cmrg-x79q/GHSA-6qx4-cmrg-x79q.json

@@ -30,7 +30,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-120"
+      "CWE-120",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2026/04/GHSA-7549-ggpq-22w8/GHSA-7549-ggpq-22w8.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7549-ggpq-22w8",
+  "modified": "2026-04-13T12:31:15Z",
+  "published": "2026-04-13T12:31:15Z",
+  "aliases": [
+    "CVE-2026-6204"
+  ],
+  "details": "LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204"
+    },
+    {
+      "type": "WEB",
+      "url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T11:16:06Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-f2hp-qw27-8wfq/GHSA-f2hp-qw27-8wfq.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f2hp-qw27-8wfq",
+  "modified": "2026-04-13T12:31:15Z",
+  "published": "2026-04-13T12:31:15Z",
+  "aliases": [
+    "CVE-2026-35565"
+  ],
+  "details": "Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\n\n\nVersions Affected: before 2.8.6\n\n\nDescription: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting. \n\nIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.\n\n\nMitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered while investigating another report by K.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35565"
+    },
+    {
+      "type": "WEB",
+      "url": "https://storm.apache.org/2026/04/12/storm286-released.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/12/7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T10:16:11Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-jf89-3q6q-vcgr/GHSA-jf89-3q6q-vcgr.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jf89-3q6q-vcgr",
+  "modified": "2026-04-13T12:31:15Z",
+  "published": "2026-04-13T12:31:15Z",
+  "aliases": [
+    "CVE-2026-35337"
+  ],
+  "details": "Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35337"
+    },
+    {
+      "type": "WEB",
+      "url": "https://storm.apache.org/2026/04/12/storm286-released.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/12/6"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T10:16:11Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-jw3m-5wwm-qcph/GHSA-jw3m-5wwm-qcph.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jw3m-5wwm-qcph",
-  "modified": "2026-04-08T15:31:44Z",
+  "modified": "2026-04-13T12:31:15Z",
   "published": "2026-04-08T15:31:43Z",
   "aliases": [
     "CVE-2026-27102"

advisories/unreviewed/2026/04/GHSA-jx24-j485-cqwm/GHSA-jx24-j485-cqwm.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jx24-j485-cqwm",
+  "modified": "2026-04-13T12:31:15Z",
+  "published": "2026-04-13T12:31:15Z",
+  "aliases": [
+    "CVE-2025-15632"
+  ],
+  "details": "A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15632"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/issues/28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB/pull/4578"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782265"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356967"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356967/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T10:16:10Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-rp7w-624x-95qv/GHSA-rp7w-624x-95qv.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rp7w-624x-95qv",
+  "modified": "2026-04-13T12:31:15Z",
+  "published": "2026-04-13T12:31:15Z",
+  "aliases": [
+    "CVE-2026-2728"
+  ],
+  "details": "LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2728"
+    },
+    {
+      "type": "WEB",
+      "url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#xss-on-showconfig-page-2630"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T11:16:05Z"
+  }
+}