Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-9w5h-px4f-8h8m/GHSA-9w5h-px4f-8h8m.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9w5h-px4f-8h8m",
-  "modified": "2025-10-22T18:30:33Z",
+  "modified": "2026-04-01T03:31:40Z",
   "published": "2025-10-09T21:31:11Z",
   "aliases": [
     "CVE-2025-4615"

advisories/unreviewed/2026/04/GHSA-2ch2-j7qp-pqm3/GHSA-2ch2-j7qp-pqm3.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2ch2-j7qp-pqm3",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2026-35054"
+  ],
+  "details": "XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35054"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/xenforo-stored-cross-site-scripting-via-bb-code-rendering"
+    },
+    {
+      "type": "WEB",
+      "url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T01:16:41Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-499p-g3jm-62mp/GHSA-499p-g3jm-62mp.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-499p-g3jm-62mp",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2025-71278"
+  ],
+  "details": "XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71278"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request"
+    },
+    {
+      "type": "WEB",
+      "url": "https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T01:16:40Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-4q9h-crq4-9xjq/GHSA-4q9h-crq4-9xjq.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4q9h-crq4-9xjq",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2026-5248"
+  ],
+  "details": "A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\\app\\home\\controller\\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5248"
+    },
+    {
+      "type": "WEB",
+      "url": "https://thinhneee.github.io/posts/gougu-mass-assign"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/780589"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354429"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354429/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-913"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T01:16:41Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-56gw-v5vp-rmjp/GHSA-56gw-v5vp-rmjp.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-56gw-v5vp-rmjp",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2026-5249"
+  ],
+  "details": "A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \\gougucms-master\\app\\admin\\view\\user\\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5249"
+    },
+    {
+      "type": "WEB",
+      "url": "https://thinhneee.github.io/posts/gougu-blind-xss"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/780716"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354430"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354430/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T02:16:03Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-6xgc-8m9r-qvgm/GHSA-6xgc-8m9r-qvgm.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xgc-8m9r-qvgm",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2026-3777"
+  ],
+  "details": "The application does not properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. When a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers are still kept and later dereferenced, which under crafted JavaScript and document structures can lead to a use-after-free condition and potentially allow arbitrary code execution.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3777"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.foxit.com/support/security-bulletins.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T02:16:02Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-7285-3w46-g6m6/GHSA-7285-3w46-g6m6.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7285-3w46-g6m6",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2026-35055"
+  ],
+  "details": "XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35055"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/xenforo-cross-site-scripting-via-lightbox-in-posts"
+    },
+    {
+      "type": "WEB",
+      "url": "https://xenforo.com/community/threads/xenforo-2-3-9-inc-xfmg-2-2-18-released-security-fix.235659"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T01:16:41Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8fvj-rw6m-xrph/GHSA-8fvj-rw6m-xrph.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8fvj-rw6m-xrph",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2025-71282"
+  ],
+  "details": "XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71282"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/xenforo-path-disclosure-via-open-basedir-exceptions"
+    },
+    {
+      "type": "WEB",
+      "url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-209"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T01:16:40Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-f5w8-q66w-xp9m/GHSA-f5w8-q66w-xp9m.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f5w8-q66w-xp9m",
+  "modified": "2026-04-01T03:31:40Z",
+  "published": "2026-04-01T03:31:40Z",
+  "aliases": [
+    "CVE-2026-4374"
+  ],
+  "details": "Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queueing Service,Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat...",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4374"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.rti.com/vulnerabilities/#cve-2026-4374"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-611"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T02:16:03Z"
+  }
+}