Publish Advisories

GHSA-pm8w-jq9r-x5rp
GHSA-2c4c-5wf5-f8m7
GHSA-3p66-r746-8vwf
GHSA-qpw4-8jph-882q
GHSA-37g5-xxx3-2p4q
GHSA-3wcx-px3j-79f4
GHSA-86pc-m9xh-3jg9
GHSA-9296-v3fr-j92j
GHSA-9w5f-xhp2-5782
GHSA-h2h4-5m64-m273
GHSA-jp4w-vjf8-5c76
GHSA-m38f-j4wj-5268
GHSA-mhqr-7m5g-wj8v
GHSA-q26f-fvh3-5p4h
GHSA-rxpj-7qvf-xv32
GHSA-vqf2-5h8g-fv6r

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-pm8w-jq9r-x5rp/GHSA-pm8w-jq9r-x5rp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pm8w-jq9r-x5rp",
-  "modified": "2026-04-06T12:32:09Z",
+  "modified": "2026-04-07T09:31:22Z",
   "published": "2026-02-09T15:30:31Z",
   "aliases": [
     "CVE-2025-14831"
@@ -51,6 +51,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:6630"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:6737"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-14831"

advisories/unreviewed/2026/03/GHSA-2c4c-5wf5-f8m7/GHSA-2c4c-5wf5-f8m7.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2c4c-5wf5-f8m7",
-  "modified": "2026-03-06T21:30:34Z",
+  "modified": "2026-04-07T09:31:22Z",
   "published": "2026-03-05T06:30:25Z",
   "aliases": [
     "CVE-2026-27352"

advisories/unreviewed/2026/03/GHSA-3p66-r746-8vwf/GHSA-3p66-r746-8vwf.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3p66-r746-8vwf",
-  "modified": "2026-03-09T21:31:34Z",
+  "modified": "2026-04-07T09:31:22Z",
   "published": "2026-03-05T06:30:25Z",
   "aliases": [
     "CVE-2026-27358"

advisories/unreviewed/2026/03/GHSA-qpw4-8jph-882q/GHSA-qpw4-8jph-882q.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qpw4-8jph-882q",
-  "modified": "2026-03-06T21:30:35Z",
+  "modified": "2026-04-07T09:31:22Z",
   "published": "2026-03-05T06:30:26Z",
   "aliases": [
     "CVE-2026-27367"

advisories/unreviewed/2026/04/GHSA-37g5-xxx3-2p4q/GHSA-37g5-xxx3-2p4q.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-37g5-xxx3-2p4q",
+  "modified": "2026-04-07T09:31:22Z",
+  "published": "2026-04-07T09:31:22Z",
+  "aliases": [
+    "CVE-2026-34899"
+  ],
+  "details": "Missing Authorization vulnerability in Eniture technology LTL Freight Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through 5.2.1.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34899"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/wordpress/plugin/ltl-freight-quotes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-worldwide-express-edition-plugin-5-2-1-broken-access-control-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T09:16:21Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-3wcx-px3j-79f4/GHSA-3wcx-px3j-79f4.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3wcx-px3j-79f4",
+  "modified": "2026-04-07T09:31:22Z",
+  "published": "2026-04-07T09:31:22Z",
+  "aliases": [
+    "CVE-2026-5465"
+  ],
+  "details": "The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5465"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L146"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L219"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L239"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Controller/User/Provider/UpdateProviderController.php#L30"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T07:16:24Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-86pc-m9xh-3jg9/GHSA-86pc-m9xh-3jg9.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-86pc-m9xh-3jg9",
+  "modified": "2026-04-07T09:31:22Z",
+  "published": "2026-04-07T09:31:22Z",
+  "aliases": [
+    "CVE-2025-15611"
+  ],
+  "details": "The Popup Box  WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15611"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T07:16:23Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-9296-v3fr-j92j/GHSA-9296-v3fr-j92j.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9296-v3fr-j92j",
+  "modified": "2026-04-07T09:31:22Z",
+  "published": "2026-04-07T09:31:22Z",
+  "aliases": [
+    "CVE-2026-1114"
+  ],
+  "details": "In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1114"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T07:16:23Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-9w5f-xhp2-5782/GHSA-9w5f-xhp2-5782.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9w5f-xhp2-5782",
+  "modified": "2026-04-07T09:31:22Z",
+  "published": "2026-04-07T09:31:22Z",
+  "aliases": [
+    "CVE-2026-1900"
+  ],
+  "details": "The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1900"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T07:16:23Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-h2h4-5m64-m273/GHSA-h2h4-5m64-m273.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h2h4-5m64-m273",
+  "modified": "2026-04-07T09:31:22Z",
+  "published": "2026-04-07T09:31:22Z",
+  "aliases": [
+    "CVE-2026-33227"
+  ],
+  "details": "Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33227"
+    },
+    {
+      "type": "WEB",
+      "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/06/4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T09:16:20Z"
+  }
+}