Publish Advisories

GHSA-2665-m8rg-c7xp
GHSA-2hp3-cccc-h69r
GHSA-7948-p5vf-r2m4
GHSA-83cp-rj94-v2g2
GHSA-8pgv-26pm-rgm8
GHSA-gcxp-xg77-798j
GHSA-jcjg-5j5x-r2hc
GHSA-jgr4-277v-42mv
GHSA-rfh7-7v27-6p9r

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-2665-m8rg-c7xp/GHSA-2665-m8rg-c7xp.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2665-m8rg-c7xp",
+  "modified": "2026-02-22T03:30:26Z",
+  "published": "2026-02-22T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2908"
+  ],
+  "details": "A security vulnerability has been detected in Tenda HG9 300001138. Affected by this issue is some unknown functionality of the file /boaform/formLoopBack of the component Loopback Detection Configuration Endpoint. Such manipulation of the argument Ethtype leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2908"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/QIU-DIE/cve-nneeww/issues/10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347217"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347217"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.755202"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T02:16:57Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-2hp3-cccc-h69r/GHSA-2hp3-cccc-h69r.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hp3-cccc-h69r",
+  "modified": "2026-02-22T03:30:27Z",
+  "published": "2026-02-22T03:30:27Z",
+  "aliases": [
+    "CVE-2026-2906"
+  ],
+  "details": "A security flaw has been discovered in Tenda HG9 300001138. Affected is an unknown function of the file /boaform/formSamba of the component Samba Configuration Endpoint. The manipulation of the argument sambaCap results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2906"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/QIU-DIE/cve-nneeww/issues/8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347215"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347215"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.755193"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T02:16:57Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7948-p5vf-r2m4/GHSA-7948-p5vf-r2m4.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7948-p5vf-r2m4",
+  "modified": "2026-02-22T03:30:26Z",
+  "published": "2026-02-22T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2903"
+  ],
+  "details": "A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2903"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/skvadrik/re2c/issues/571"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/skvadrik/re2c/issues/571#issuecomment-3837675101"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/skvadrik/re2c/commit/febeb977936f9519a25d9fbd10ff8256358cdb97"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/oneafter/0202/blob/main/re/repro"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/skvadrik/re2c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347210"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347210"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.755030"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-404"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T01:16:00Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-83cp-rj94-v2g2/GHSA-83cp-rj94-v2g2.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-83cp-rj94-v2g2",
+  "modified": "2026-02-22T03:30:26Z",
+  "published": "2026-02-22T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2905"
+  ],
+  "details": "A vulnerability was identified in Tenda HG9 300001138. This impacts an unknown function of the file /boaform/formWlanSetup of the component Wireless Configuration Endpoint. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2905"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/QIU-DIE/cve-nneeww/issues/7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347214"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347214"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.755167"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T02:16:56Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-8pgv-26pm-rgm8/GHSA-8pgv-26pm-rgm8.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8pgv-26pm-rgm8",
+  "modified": "2026-02-22T03:30:26Z",
+  "published": "2026-02-22T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2909"
+  ],
+  "details": "A vulnerability was detected in Tenda HG9 300001138. This affects an unknown part of the file /boaform/formPing of the component Diagnostic Ping Endpoint. Performing a manipulation of the argument pingAddr results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2909"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/QIU-DIE/cve-nneeww/issues/11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347218"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347218"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.755211"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T02:16:58Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-gcxp-xg77-798j/GHSA-gcxp-xg77-798j.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gcxp-xg77-798j",
+  "modified": "2026-02-22T03:30:26Z",
+  "published": "2026-02-22T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2898"
+  ],
+  "details": "A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2898"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/I4m6da/CVE/issues/5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/I4m6da/CVE/issues/5#issue-3890444166"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347209"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347209"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.753976"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T01:16:00Z"
+  }
+}