Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 393d2312b93b · 2026-02-27T12:33:07.000Z
GHSA-2f5g-m75x-xphf GHSA-4vr2-gvv5-x55w GHSA-6h78-g5gr-4mp3 GHSA-74gw-c73g-6fq2 GHSA-7qxc-43wm-v793 GHSA-jvmm-jqv7-98vp GHSA-jwfw-xx6c-8gwv GHSA-pq7v-9vmm-7jw6 GHSA-rm76-fcj7-6cxh GHSA-rv67-6qhq-rp2p GHSA-xw84-4gx9-vm4h
diff --git a/advisories/unreviewed/2026/02/GHSA-2f5g-m75x-xphf/GHSA-2f5g-m75x-xphf.json b/advisories/unreviewed/2026/02/GHSA-2f5g-m75x-xphf/GHSA-2f5g-m75x-xphf.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2f5g-m75x-xphf",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2026-21660"
+  ],
+  "details": "Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise\nThis issue affects Frick Controls Quantum HD version 10.22 and prior.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21660"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-256"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T10:16:22Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-4vr2-gvv5-x55w/GHSA-4vr2-gvv5-x55w.json b/advisories/unreviewed/2026/02/GHSA-4vr2-gvv5-x55w/GHSA-4vr2-gvv5-x55w.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4vr2-gvv5-x55w",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2024-10938"
+  ],
+  "details": "The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10938"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/.htaccess"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/assets/.htaccess"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b45674c-8446-44eb-a45a-15dab02c89cf?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-506"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T10:16:18Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-6h78-g5gr-4mp3/GHSA-6h78-g5gr-4mp3.json b/advisories/unreviewed/2026/02/GHSA-6h78-g5gr-4mp3/GHSA-6h78-g5gr-4mp3.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6h78-g5gr-4mp3",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2025-14142"
+  ],
+  "details": "The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14142"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/electric-enquiries/tags/1.1/electric-enquiries.php#L76"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/electric-enquiries/trunk/electric-enquiries.php#L76"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f99da73-1db9-43ee-ac74-b772882baf15?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T10:16:21Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-74gw-c73g-6fq2/GHSA-74gw-c73g-6fq2.json b/advisories/unreviewed/2026/02/GHSA-74gw-c73g-6fq2/GHSA-74gw-c73g-6fq2.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-74gw-c73g-6fq2",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2026-1434"
+  ],
+  "details": "Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An attacker can craft a malicious URL that, when opened, causes arbitrary JavaScript to execute in the victim’s browser.\n\nThis issue was fixed in 4.6.7.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1434"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.pl/posts/2026/02/CVE-2026-1434"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.omegapsir.io"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T11:16:04Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-7qxc-43wm-v793/GHSA-7qxc-43wm-v793.json b/advisories/unreviewed/2026/02/GHSA-7qxc-43wm-v793/GHSA-7qxc-43wm-v793.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7qxc-43wm-v793",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2026-21659"
+  ],
+  "details": "Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to\nexecute arbitrary code on the affected device, leading to full system compromise. \nThis issue affects Frick Controls Quantum HD: Frick Controls Quantum HD version 10.22 and prior.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21659"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T10:16:22Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-jvmm-jqv7-98vp/GHSA-jvmm-jqv7-98vp.json b/advisories/unreviewed/2026/02/GHSA-jvmm-jqv7-98vp/GHSA-jvmm-jqv7-98vp.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jvmm-jqv7-98vp",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2025-11251"
+  ],
+  "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection.This issue affects E-Commerce Platform: through 27022026.\n\nNOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11251"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.usom.gov.tr/bildirim/tr-26-0084"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T12:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-jwfw-xx6c-8gwv/GHSA-jwfw-xx6c-8gwv.json b/advisories/unreviewed/2026/02/GHSA-jwfw-xx6c-8gwv/GHSA-jwfw-xx6c-8gwv.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jwfw-xx6c-8gwv",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2026-24351"
+  ],
+  "details": "PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.pl/posts/2026/03/CVE-2026-24350"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pluxml.org"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T12:16:03Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-pq7v-9vmm-7jw6/GHSA-pq7v-9vmm-7jw6.json b/advisories/unreviewed/2026/02/GHSA-pq7v-9vmm-7jw6/GHSA-pq7v-9vmm-7jw6.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pq7v-9vmm-7jw6",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2026-24352"
+  ],
+  "details": "PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24352"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.pl/posts/2026/03/CVE-2026-24350"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pluxml.org"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-384"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T12:16:03Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-rm76-fcj7-6cxh/GHSA-rm76-fcj7-6cxh.json b/advisories/unreviewed/2026/02/GHSA-rm76-fcj7-6cxh/GHSA-rm76-fcj7-6cxh.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rm76-fcj7-6cxh",
+  "modified": "2026-02-27T12:31:25Z",
+  "published": "2026-02-27T12:31:25Z",
+  "aliases": [
+    "CVE-2026-1305"
+  ],
+  "details": "The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as \"Processing\" or \"Completed\" without actual payment via a crafted POST request to the Paidy webhook endpoint.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1305"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.8.2/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php#L63"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3464868/woocommerce-for-japan/trunk/includes/gateways/paidy/class-wc-paidy-endpoint.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cef4b2b-ae8d-4e18-b763-6960a0b944f7?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-27T10:16:21Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-rv67-6qhq-rp2p/GHSA-rv67-6qhq-rp2p.json b/advisories/unreviewed/2026/02/GHSA-rv67-6qhq-rp2p/GHSA-rv67-6qhq-rp2p.json
diff --git a/advisories/unreviewed/2026/02/GHSA-xw84-4gx9-vm4h/GHSA-xw84-4gx9-vm4h.json b/advisories/unreviewed/2026/02/GHSA-xw84-4gx9-vm4h/GHSA-xw84-4gx9-vm4h.json
