Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-2qxw-7fmx-gqfm/GHSA-2qxw-7fmx-gqfm.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2qxw-7fmx-gqfm",
-  "modified": "2026-02-04T17:46:55Z",
+  "modified": "2026-03-26T21:31:19Z",
   "published": "2026-02-02T06:30:53Z",
   "aliases": [
     "CVE-2026-1531"
@@ -44,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/theforeman/foreman_kubevirt/commit/6c9973ee59c6fbec65f165eb9ea9dd4ebb6eeef1"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5970"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5971"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-1531"

advisories/github-reviewed/2026/02/GHSA-hfcp-477w-3wjw/GHSA-hfcp-477w-3wjw.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hfcp-477w-3wjw",
-  "modified": "2026-03-02T16:11:53Z",
+  "modified": "2026-03-26T21:31:19Z",
   "published": "2026-02-27T09:30:29Z",
   "aliases": [
     "CVE-2026-0980"
@@ -44,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/logicminds/rubyipmi/commit/252503a7b4dca68388165883b0322024e344a215"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5970"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5971"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-0980"

advisories/github-reviewed/2026/02/GHSA-m3hq-3qj8-c5fm/GHSA-m3hq-3qj8-c5fm.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m3hq-3qj8-c5fm",
-  "modified": "2026-02-04T17:47:38Z",
+  "modified": "2026-03-26T21:31:19Z",
   "published": "2026-02-02T06:30:53Z",
   "aliases": [
     "CVE-2026-1530"
@@ -52,6 +52,14 @@
       "type": "WEB",
       "url": "https://github.com/fog/fog-kubevirt/commit/9603d79a239a0f68bedfc679cd1b65fbf6ec4753"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5970"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5971"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-1530"

advisories/github-reviewed/2026/03/GHSA-pw7h-9g6p-c378/GHSA-pw7h-9g6p-c378.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pw7h-9g6p-c378",
+  "modified": "2026-03-26T21:30:54Z",
+  "published": "2026-03-26T21:30:54Z",
+  "aliases": [],
+  "summary": "OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation",
+  "details": "## Summary\nTlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `3cbf932413e41d1836cb91aed1541a28a3122f93`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/tlon/src/monitor/index.ts now honors explicit empty allowlists as authoritative deny-all configuration.\n- extensions/tlon/src/monitor/settings-helpers.test.ts ships regression coverage for explicit empty settings allowlists.\n\nThanks @zpbrent for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.22"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285",
+      "CWE-863"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T21:30:54Z",
+    "nvd_published_at": null
+  }
+}

advisories/unreviewed/2024/01/GHSA-cx8g-4cf5-cjv3/GHSA-cx8g-4cf5-cjv3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cx8g-4cf5-cjv3",
-  "modified": "2026-02-27T18:31:00Z",
+  "modified": "2026-03-26T21:31:19Z",
   "published": "2024-01-25T21:32:14Z",
   "aliases": [
     "CVE-2023-52356"
@@ -75,6 +75,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2023-52356"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5958"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:3462"

advisories/unreviewed/2025/11/GHSA-5q8c-r7p8-3p9v/GHSA-5q8c-r7p8-3p9v.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5q8c-r7p8-3p9v",
-  "modified": "2025-12-05T15:30:25Z",
+  "modified": "2026-03-26T21:31:19Z",
   "published": "2025-11-26T03:30:21Z",
   "aliases": [
     "CVE-2025-12848"
@@ -23,9 +23,21 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12848"
     },
+    {
+      "type": "WEB",
+      "url": "https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001"
+    },
     {
       "type": "WEB",
       "url": "https://www.drupal.org/node/3105204"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-12848"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/03/GHSA-234f-f38v-vqmg/GHSA-234f-f38v-vqmg.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-234f-f38v-vqmg",
-  "modified": "2026-03-25T18:31:49Z",
+  "modified": "2026-03-26T21:31:24Z",
   "published": "2026-03-25T18:31:49Z",
   "aliases": [
     "CVE-2026-22512"
   ],
   "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.This issue affects Roisin: from n/a through <= 1.2.1.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-98"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-25T17:16:33Z"

advisories/unreviewed/2026/03/GHSA-28r9-jxmr-8hgr/GHSA-28r9-jxmr-8hgr.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-28r9-jxmr-8hgr",
-  "modified": "2026-03-25T18:31:52Z",
+  "modified": "2026-03-26T21:31:25Z",
   "published": "2026-03-25T18:31:52Z",
   "aliases": [
     "CVE-2026-25457"
   ],
   "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.This issue affects Mixtape: from n/a through <= 2.1.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-98"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-25T17:16:51Z"

advisories/unreviewed/2026/03/GHSA-2g37-4q7v-m5xx/GHSA-2g37-4q7v-m5xx.json

@@ -26,7 +26,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-798"
+      "CWE-798",
+      "CWE-89"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2026/03/GHSA-2mq5-fr5w-rr29/GHSA-2mq5-fr5w-rr29.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2mq5-fr5w-rr29",
+  "modified": "2026-03-26T21:31:28Z",
+  "published": "2026-03-26T21:31:28Z",
+  "aliases": [
+    "CVE-2026-3530"
+  ],
+  "details": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3530"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-025"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T21:17:09Z"
+  }
+}