Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-24h2-5vgh-pf37/GHSA-24h2-5vgh-pf37.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-24h2-5vgh-pf37",
+  "modified": "2026-04-09T00:32:01Z",
+  "published": "2026-04-09T00:32:01Z",
+  "aliases": [
+    "CVE-2026-5824"
+  ],
+  "details": "A security vulnerability has been detected in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /userchecklogin.php. Such manipulation of the argument userid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5824"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lonelyuan/vunls/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/788302"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356271"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356271/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-09T00:16:21Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-24v7-w2x9-2cxh/GHSA-24v7-w2x9-2cxh.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-24v7-w2x9-2cxh",
+  "modified": "2026-04-09T00:32:00Z",
+  "published": "2026-04-09T00:32:00Z",
+  "aliases": [
+    "CVE-2026-5887"
+  ],
+  "details": "Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5887"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/486079015"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T22:16:28Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-26fq-x95v-v55j/GHSA-26fq-x95v-v55j.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-26fq-x95v-v55j",
+  "modified": "2026-04-09T00:32:01Z",
+  "published": "2026-04-09T00:32:00Z",
+  "aliases": [
+    "CVE-2026-5918"
+  ],
+  "details": "Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5918"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/490139441"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T22:16:31Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-26q6-hm4f-j23h/GHSA-26q6-hm4f-j23h.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-26q6-hm4f-j23h",
+  "modified": "2026-04-09T00:32:01Z",
+  "published": "2026-04-09T00:32:01Z",
+  "aliases": [
+    "CVE-2026-4332"
+  ],
+  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4332"
+    },
+    {
+      "type": "WEB",
+      "url": "https://hackerone.com/reports/3600345"
+    },
+    {
+      "type": "WEB",
+      "url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/593853"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T23:16:59Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2fw9-cxch-qx5h/GHSA-2fw9-cxch-qx5h.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2fw9-cxch-qx5h",
+  "modified": "2026-04-09T00:32:00Z",
+  "published": "2026-04-09T00:32:00Z",
+  "aliases": [
+    "CVE-2026-5890"
+  ],
+  "details": "Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5890"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/487259772"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T22:16:28Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2h64-4pg7-rq8p/GHSA-2h64-4pg7-rq8p.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2h64-4pg7-rq8p",
+  "modified": "2026-04-09T00:32:00Z",
+  "published": "2026-04-09T00:32:00Z",
+  "aliases": [
+    "CVE-2026-5904"
+  ],
+  "details": "Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5904"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/483851888"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T22:16:30Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2m8h-6748-cf32/GHSA-2m8h-6748-cf32.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2m8h-6748-cf32",
+  "modified": "2026-04-09T00:31:59Z",
+  "published": "2026-04-09T00:31:59Z",
+  "aliases": [
+    "CVE-2026-40029"
+  ],
+  "details": "parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40029"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/khyrenz/parseusbs/pull/10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mobasi.ai/sentinel"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filename"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T22:16:23Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2x9w-3q66-8rrm/GHSA-2x9w-3q66-8rrm.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2x9w-3q66-8rrm",
+  "modified": "2026-04-09T00:32:00Z",
+  "published": "2026-04-09T00:32:00Z",
+  "aliases": [
+    "CVE-2026-5897"
+  ],
+  "details": "Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5897"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/419921726"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T22:16:29Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-32x4-hg4x-w43c/GHSA-32x4-hg4x-w43c.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-32x4-hg4x-w43c",
+  "modified": "2026-04-09T00:31:59Z",
+  "published": "2026-04-09T00:31:59Z",
+  "aliases": [
+    "CVE-2026-5875"
+  ],
+  "details": "Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5875"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/430198264"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T22:16:27Z"
+  }
+}