Publish Advisories

GHSA-5h6h-2wjp-jc72
GHSA-69w3-r845-3855
GHSA-6pq9-8556-qr3w
GHSA-86mw-26q3-c8pr
GHSA-h2gf-w3wm-8xqj
GHSA-qr22-6jgj-x8qh
GHSA-v8wq-rjpf-669f
GHSA-xv4p-823r-9vr8

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-5h6h-2wjp-jc72/GHSA-5h6h-2wjp-jc72.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5h6h-2wjp-jc72",
+  "modified": "2026-04-07T06:30:27Z",
+  "published": "2026-04-07T06:30:27Z",
+  "aliases": [
+    "CVE-2026-20433"
+  ],
+  "details": "In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20433"
+    },
+    {
+      "type": "WEB",
+      "url": "https://corp.mediatek.com/product-security-bulletin/April-2026"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T04:17:12Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-69w3-r845-3855/GHSA-69w3-r845-3855.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-69w3-r845-3855",
+  "modified": "2026-04-07T06:30:28Z",
+  "published": "2026-04-07T06:30:28Z",
+  "aliases": [
+    "CVE-2026-1839"
+  ],
+  "details": "A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1839"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T06:16:41Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-6pq9-8556-qr3w/GHSA-6pq9-8556-qr3w.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6pq9-8556-qr3w",
+  "modified": "2026-04-07T06:30:27Z",
+  "published": "2026-04-07T06:30:27Z",
+  "aliases": [
+    "CVE-2026-20431"
+  ],
+  "details": "In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20431"
+    },
+    {
+      "type": "WEB",
+      "url": "https://corp.mediatek.com/product-security-bulletin/April-2026"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T04:16:59Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-86mw-26q3-c8pr/GHSA-86mw-26q3-c8pr.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-86mw-26q3-c8pr",
+  "modified": "2026-04-07T06:30:27Z",
+  "published": "2026-04-07T06:30:27Z",
+  "aliases": [
+    "CVE-2026-20432"
+  ],
+  "details": "In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20432"
+    },
+    {
+      "type": "WEB",
+      "url": "https://corp.mediatek.com/product-security-bulletin/April-2026"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T04:17:12Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-h2gf-w3wm-8xqj/GHSA-h2gf-w3wm-8xqj.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h2gf-w3wm-8xqj",
+  "modified": "2026-04-07T06:30:27Z",
+  "published": "2026-04-07T06:30:27Z",
+  "aliases": [
+    "CVE-2025-65115"
+  ],
+  "details": "Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows.This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65115"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-73"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T06:16:40Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-qr22-6jgj-x8qh/GHSA-qr22-6jgj-x8qh.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qr22-6jgj-x8qh",
+  "modified": "2026-04-07T06:30:27Z",
+  "published": "2026-04-07T06:30:27Z",
+  "aliases": [
+    "CVE-2025-65116"
+  ],
+  "details": "Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows.This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65116"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-763"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T06:16:41Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-v8wq-rjpf-669f/GHSA-v8wq-rjpf-669f.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v8wq-rjpf-669f",
+  "modified": "2026-04-07T06:30:27Z",
+  "published": "2026-04-07T06:30:27Z",
+  "aliases": [
+    "CVE-2026-0740"
+  ],
+  "details": "The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0740"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ninjaforms.com/extensions/file-uploads"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T05:16:06Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-xv4p-823r-9vr8/GHSA-xv4p-823r-9vr8.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xv4p-823r-9vr8",
+  "modified": "2026-04-07T06:30:27Z",
+  "published": "2026-04-07T06:30:27Z",
+  "aliases": [
+    "CVE-2026-20446"
+  ],
+  "details": "In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20446"
+    },
+    {
+      "type": "WEB",
+      "url": "https://corp.mediatek.com/product-security-bulletin/April-2026"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T04:17:13Z"
+  }
+}