Publish Advisories

GHSA-22mj-mcf8-h63q
GHSA-2r55-mr9c-c89p
GHSA-2r9c-63hg-4rg2
GHSA-3f9r-87f6-jmr2
GHSA-46jj-7w5w-vccv
GHSA-5fc6-42f5-w7cm
GHSA-5qxq-p7xm-75w5
GHSA-5v2q-744p-wj8v
GHSA-85vj-mhr5-mmvc
GHSA-87vp-v5jj-xmcq
GHSA-8v8j-49p6-4ccp
GHSA-96mq-76jj-h8p9
GHSA-982r-pxpw-xv2x
GHSA-9fcj-8w2v-j38f
GHSA-9pg8-c68j-285r
GHSA-ff6v-wx52-q8j8
GHSA-fw7r-mghm-mcfw
GHSA-fwf8-cx3q-ch9g
GHSA-jcj5-xf7h-rwx7
GHSA-jfw2-q9rx-mg64
GHSA-q2p9-fpj7-9fjp
GHSA-qx92-pw43-vf25
GHSA-w7wm-w9qw-pc72
GHSA-wf2x-4p8v-p7m6

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-22mj-mcf8-h63q/GHSA-22mj-mcf8-h63q.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-22mj-mcf8-h63q",
+  "modified": "2026-02-22T15:30:15Z",
+  "published": "2026-02-22T15:30:15Z",
+  "aliases": [
+    "CVE-2019-25455"
+  ],
+  "details": "Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests to with malicious 'a' parameter values to extract sensitive database information.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25455"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47139"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/web-ofisi-e-ticaret-sql-injection-via-arahtml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T15:16:14Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-2r55-mr9c-c89p/GHSA-2r55-mr9c-c89p.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2r55-mr9c-c89p",
+  "modified": "2026-02-22T15:30:14Z",
+  "published": "2026-02-22T15:30:14Z",
+  "aliases": [
+    "CVE-2019-25439"
+  ],
+  "details": "NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25439"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47152"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/novismart-cms-sql-injection-via-referer-http-header"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T14:16:00Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-2r9c-63hg-4rg2/GHSA-2r9c-63hg-4rg2.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2r9c-63hg-4rg2",
+  "modified": "2026-02-22T15:30:14Z",
+  "published": "2026-02-22T15:30:14Z",
+  "aliases": [
+    "CVE-2019-25446"
+  ],
+  "details": "DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25446"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47401"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/digit-centris-erp-every-version-sql-injection-via-datum-parameter"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T14:16:01Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-3f9r-87f6-jmr2/GHSA-3f9r-87f6-jmr2.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3f9r-87f6-jmr2",
+  "modified": "2026-02-22T15:30:13Z",
+  "published": "2026-02-22T15:30:13Z",
+  "aliases": [
+    "CVE-2019-25391"
+  ],
+  "details": "Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions to extract sensitive database information.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25391"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46681"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/ashop-shopping-cart-software-lastest-latest-sql-injection-via-bannedcustomersphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T14:16:00Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-46jj-7w5w-vccv/GHSA-46jj-7w5w-vccv.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-46jj-7w5w-vccv",
+  "modified": "2026-02-22T15:30:15Z",
+  "published": "2026-02-22T15:30:15Z",
+  "aliases": [
+    "CVE-2019-25462"
+  ],
+  "details": "Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. Attackers can send GET requests to with malicious 'klima' values to extract sensitive database information or cause denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25462"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47144"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/web-ofisi-rent-a-car-sql-injection-via-klima-parameter"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.web-ofisi.com/detay/rent-a-car-v3.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T15:16:16Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-5fc6-42f5-w7cm/GHSA-5fc6-42f5-w7cm.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5fc6-42f5-w7cm",
+  "modified": "2026-02-22T15:30:14Z",
+  "published": "2026-02-22T15:30:14Z",
+  "aliases": [
+    "CVE-2019-25450"
+  ],
+  "details": "Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25450"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47370"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-cardphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T14:16:01Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-5qxq-p7xm-75w5/GHSA-5qxq-p7xm-75w5.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5qxq-p7xm-75w5",
+  "modified": "2026-02-22T15:30:15Z",
+  "published": "2026-02-22T15:30:15Z",
+  "aliases": [
+    "CVE-2026-2953"
+  ],
+  "details": "A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2953"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347319"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347319"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.755215"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.yuque.com/la12138/pa2fpb/lxngf3d07uyd0nwp?singleDoc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T14:16:02Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-5v2q-744p-wj8v/GHSA-5v2q-744p-wj8v.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5v2q-744p-wj8v",
+  "modified": "2026-02-22T15:30:13Z",
+  "published": "2026-02-22T15:30:13Z",
+  "aliases": [
+    "CVE-2026-2946"
+  ],
+  "details": "A security vulnerability has been detected in rymcu forest up to 0.0.5. Affected by this issue is the function XssUtils.replaceHtmlCode of the file src/main/java/com/rymcu/forest/util/XssUtils.java of the component Article Content/Comments/Portfolio. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2946"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fx4tqqfvdw4.feishu.cn/docx/CvYzdxDNDoXWdKxvaehcvb1rnQK?from=from_copylink"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347316"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347316"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.755037"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-22T13:16:13Z"
+  }
+}