Publish Advisories

GHSA-2fmw-p7gw-97jj
GHSA-38jp-gj76-pm7x
GHSA-47ph-5j6m-fmgx
GHSA-57jm-2xq8-jwj3
GHSA-7w2h-4285-9pwr
GHSA-934v-v4wh-rf2c
GHSA-cqj6-j4f4-mcpp
GHSA-f256-j3x2-h7wh
GHSA-fj46-cfm8-7pc4
GHSA-m8fj-fqgq-fj22
GHSA-mg73-f2jm-wph7
GHSA-qhmq-843h-9vq8
GHSA-r8mv-7fwh-cfvr
GHSA-v2vh-hr2h-f29r
GHSA-vq86-4hgw-x482
GHSA-vv96-h3xf-q33j
GHSA-w3pf-j6xr-fj68
GHSA-x6c4-87pg-m84f
GHSA-xqg5-5x64-93r9

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-2fmw-p7gw-97jj/GHSA-2fmw-p7gw-97jj.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2fmw-p7gw-97jj",
+  "modified": "2026-02-24T03:30:19Z",
+  "published": "2026-02-24T03:30:19Z",
+  "aliases": [
+    "CVE-2025-11845"
+  ],
+  "details": "A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11845"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T02:15:59Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-38jp-gj76-pm7x/GHSA-38jp-gj76-pm7x.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-38jp-gj76-pm7x",
+  "modified": "2026-02-24T03:30:20Z",
+  "published": "2026-02-24T03:30:20Z",
+  "aliases": [
+    "CVE-2026-3064"
+  ],
+  "details": "A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3064"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/issues/8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347415"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347415"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.757695"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T03:16:03Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-47ph-5j6m-fmgx/GHSA-47ph-5j6m-fmgx.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-47ph-5j6m-fmgx",
+  "modified": "2026-02-24T03:30:20Z",
+  "published": "2026-02-24T03:30:20Z",
+  "aliases": [
+    "CVE-2026-3054"
+  ],
+  "details": "A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3054"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347412"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347412"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.757609"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T03:16:02Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-57jm-2xq8-jwj3/GHSA-57jm-2xq8-jwj3.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-57jm-2xq8-jwj3",
+  "modified": "2026-02-24T03:30:19Z",
+  "published": "2026-02-24T03:30:19Z",
+  "aliases": [
+    "CVE-2026-3046"
+  ],
+  "details": "A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. This vulnerability affects unknown code of the file /check_profile_old.php. The manipulation of the argument profile_id leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3046"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ltranquility/cve_submit/issues/3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347406"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347406"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.757247"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T01:16:15Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7w2h-4285-9pwr/GHSA-7w2h-4285-9pwr.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7w2h-4285-9pwr",
+  "modified": "2026-02-24T03:30:19Z",
+  "published": "2026-02-24T03:30:19Z",
+  "aliases": [
+    "CVE-2025-9120"
+  ],
+  "details": "Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Carbonite Safe Server Backup allows Code Injection. \n\nThe vulnerability could be exploited through an open port, potentially allowing unauthorized access.\n\nThis issue affects Carbonite Safe Server Backup: through 6.8.3.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9120"
+    },
+    {
+      "type": "WEB",
+      "url": "https://support.carbonite.com/articles/Security-Bulletin-for-Carbonite-Safe-Server-Backup-09-12-2025"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T01:16:12Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-934v-v4wh-rf2c/GHSA-934v-v4wh-rf2c.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-934v-v4wh-rf2c",
+  "modified": "2026-02-24T03:30:20Z",
+  "published": "2026-02-24T03:30:20Z",
+  "aliases": [
+    "CVE-2025-13942"
+  ],
+  "details": "A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13942"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T03:16:00Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-cqj6-j4f4-mcpp/GHSA-cqj6-j4f4-mcpp.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cqj6-j4f4-mcpp",
+  "modified": "2026-02-24T03:30:19Z",
+  "published": "2026-02-24T03:30:19Z",
+  "aliases": [
+    "CVE-2026-3049"
+  ],
+  "details": "A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla_generics/global_search.py of the component Query Parameter Handler. The manipulation of the argument prev_url results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.3 is capable of addressing this issue. The patch is identified as 730b5a44ff060916780c44a4bdbc8ced70a2cd27. The affected component should be upgraded.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3049"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/horilla-opensource/horilla-crm/commit/730b5a44ff060916780c44a4bdbc8ced70a2cd27"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Stolichnayer/Horilla-CRM-Open-Redirect"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/horilla-opensource/horilla-crm/releases/tag/1.0.3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347407"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347407"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.757296"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-601"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T01:16:16Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-f256-j3x2-h7wh/GHSA-f256-j3x2-h7wh.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f256-j3x2-h7wh",
+  "modified": "2026-02-24T03:30:19Z",
+  "published": "2026-02-24T03:30:19Z",
+  "aliases": [
+    "CVE-2026-3051"
+  ],
+  "details": "A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3051"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/issues/5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/issues/5#issue-3935000629"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.347409"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.347409"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.757586"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-24T01:16:16Z"
+  }
+}