Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2022/05/GHSA-qw7j-w352-g8m7/GHSA-qw7j-w352-g8m7.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qw7j-w352-g8m7",
-  "modified": "2022-05-02T03:13:43Z",
+  "modified": "2026-04-14T18:30:24Z",
   "published": "2022-05-02T03:13:43Z",
   "aliases": [
     "CVE-2009-0238"
   ],
   "details": "Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -26,6 +31,10 @@
       "type": "WEB",
       "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5968"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-0238"
+    },
     {
       "type": "WEB",
       "url": "http://blogs.zdnet.com/security/?p=2658"

advisories/unreviewed/2025/07/GHSA-cq9g-6hw9-rmv4/GHSA-cq9g-6hw9-rmv4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cq9g-6hw9-rmv4",
-  "modified": "2025-07-09T00:30:33Z",
+  "modified": "2026-04-14T18:30:24Z",
   "published": "2025-07-09T00:30:33Z",
   "aliases": [
     "CVE-2025-49534"

advisories/unreviewed/2025/07/GHSA-jv4h-v294-5xfv/GHSA-jv4h-v294-5xfv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jv4h-v294-5xfv",
-  "modified": "2025-07-09T00:30:33Z",
+  "modified": "2026-04-14T18:30:24Z",
   "published": "2025-07-09T00:30:33Z",
   "aliases": [
     "CVE-2025-49547"

advisories/unreviewed/2025/12/GHSA-8cv9-4g7x-5c7f/GHSA-8cv9-4g7x-5c7f.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8cv9-4g7x-5c7f",
-  "modified": "2025-12-09T18:30:34Z",
+  "modified": "2026-04-14T18:30:25Z",
   "published": "2025-12-09T18:30:34Z",
   "aliases": [
     "CVE-2025-10655"
   ],
   "details": "SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.This issue affects Frappe HelpDesk: 1.14.0.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/03/GHSA-2vwv-vqpv-v8vc/GHSA-2vwv-vqpv-v8vc.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2vwv-vqpv-v8vc",
-  "modified": "2026-03-31T15:31:55Z",
+  "modified": "2026-04-14T18:30:26Z",
   "published": "2026-03-30T09:31:29Z",
   "aliases": [
     "CVE-2026-5121"
@@ -26,6 +26,14 @@
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-5121"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452945"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-2vwv-vqpv-v8vc"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/04/GHSA-249v-qr3v-pf7r/GHSA-249v-qr3v-pf7r.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-249v-qr3v-pf7r",
+  "modified": "2026-04-14T18:30:42Z",
+  "published": "2026-04-14T18:30:42Z",
+  "aliases": [
+    "CVE-2026-32222"
+  ],
+  "details": "Untrusted pointer dereference in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32222"
+    },
+    {
+      "type": "WEB",
+      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32222"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-822"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-14T18:17:30Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-25qr-g262-c7jp/GHSA-25qr-g262-c7jp.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-25qr-g262-c7jp",
+  "modified": "2026-04-14T18:30:34Z",
+  "published": "2026-04-14T18:30:34Z",
+  "aliases": [
+    "CVE-2025-63939"
+  ],
+  "details": "Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63939"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-14T16:16:33Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-27pw-mrx7-45mq/GHSA-27pw-mrx7-45mq.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-27pw-mrx7-45mq",
+  "modified": "2026-04-14T18:30:34Z",
+  "published": "2026-04-14T18:30:34Z",
+  "aliases": [
+    "CVE-2025-65135"
+  ],
+  "details": "In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65135"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65135/poc.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-65135"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-14T16:16:34Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-28h6-3mx2-8gjg/GHSA-28h6-3mx2-8gjg.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-28h6-3mx2-8gjg",
-  "modified": "2026-04-08T21:33:32Z",
+  "modified": "2026-04-14T18:30:29Z",
   "published": "2026-04-08T21:33:32Z",
   "aliases": [
     "CVE-2026-30818"
   ],
   "details": "An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity.\n\nThis issue affects AX53 v1.0: before 1.7.1 Build 20260213.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/04/GHSA-2969-3f7h-gmhq/GHSA-2969-3f7h-gmhq.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2969-3f7h-gmhq",
-  "modified": "2026-04-13T15:31:43Z",
+  "modified": "2026-04-14T18:30:33Z",
   "published": "2026-04-13T15:31:43Z",
   "aliases": [
     "CVE-2026-31282"
   ],
   "details": "Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-13T15:17:33Z"