Publish Advisories

GHSA-q4hc-vp2m-fr47
GHSA-3px2-4mjj-vhr8
GHSA-64m7-gp9f-m55p
GHSA-66p2-p764-g32j
GHSA-8448-54h6-46wj
GHSA-gvmc-87qh-q5mc
GHSA-h6h8-cqg5-m2m9
GHSA-h9w9-2ggg-hqfx
GHSA-hh4g-hc5w-484w
GHSA-mc26-q38v-83gv
GHSA-q5mx-w9gm-5h8v
GHSA-rqfv-fqvg-7p3j
GHSA-w3qx-79f2-f95x

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q4hc-vp2m-fr47",
-  "modified": "2026-03-24T12:30:24Z",
+  "modified": "2026-03-31T06:31:43Z",
   "published": "2026-02-23T18:32:02Z",
   "aliases": [
     "CVE-2025-14905"
@@ -27,6 +27,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-14905"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:6220"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:5598"

advisories/unreviewed/2026/03/GHSA-3px2-4mjj-vhr8/GHSA-3px2-4mjj-vhr8.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3px2-4mjj-vhr8",
+  "modified": "2026-03-31T06:31:44Z",
+  "published": "2026-03-31T06:31:44Z",
+  "aliases": [
+    "CVE-2026-5179"
+  ],
+  "details": "A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5179"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dyh1213-wq/cve/issues/3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/780353"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354247"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354247/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sourcecodester.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T05:16:11Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-64m7-gp9f-m55p/GHSA-64m7-gp9f-m55p.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-64m7-gp9f-m55p",
+  "modified": "2026-03-31T06:31:44Z",
+  "published": "2026-03-31T06:31:44Z",
+  "aliases": [
+    "CVE-2026-5182"
+  ],
+  "details": "A vulnerability was found in SourceCodester Teacher Record System 1.0. Impacted is an unknown function of the file Teacher Record System of the component Parameter Handler. Performing a manipulation of the argument searchteacher results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5182"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dyh1213-wq/cve/issues/6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/780379"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354250"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354250/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sourcecodester.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T06:16:01Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-66p2-p764-g32j/GHSA-66p2-p764-g32j.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-66p2-p764-g32j",
+  "modified": "2026-03-31T06:31:44Z",
+  "published": "2026-03-31T06:31:44Z",
+  "aliases": [
+    "CVE-2026-1834"
+  ],
+  "details": "The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1834"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ibtana-visual-editor/tags/1.2.5.6/ive-countdown.php#L402"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ibtana-visual-editor/tags/1.2.5.6/ive-countdown.php#L637"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ibtana-visual-editor/tags/1.2.5.6/ive-countdown.php#L777"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3485257/ibtana-visual-editor"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6a54d91-da79-43a3-affd-e8026e342d95?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-80"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T06:16:00Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-8448-54h6-46wj/GHSA-8448-54h6-46wj.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8448-54h6-46wj",
+  "modified": "2026-03-31T06:31:44Z",
+  "published": "2026-03-31T06:31:44Z",
+  "aliases": [
+    "CVE-2026-4146"
+  ],
+  "details": "The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4146"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/src/mvc/View.php#L259"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.2/tpl/admin/config/version.php#L17"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3482475/loco-translate"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6c744-7586-47ee-b2ce-af972ee8b4f7?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T05:16:11Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-gvmc-87qh-q5mc/GHSA-gvmc-87qh-q5mc.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gvmc-87qh-q5mc",
+  "modified": "2026-03-31T06:31:44Z",
+  "published": "2026-03-31T06:31:44Z",
+  "aliases": [
+    "CVE-2026-1710"
+  ],
+  "details": "The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1710"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/woocommerce-payments/tags/10.4.0/includes/class-wc-payment-gateway-wcpay.php#L4125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3480315/woocommerce-payments/trunk/includes/class-wc-payment-gateway-wcpay.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cec13225-baa3-4f26-b2d2-af6106888c74?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T05:16:10Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-h6h8-cqg5-m2m9/GHSA-h6h8-cqg5-m2m9.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h6h8-cqg5-m2m9",
+  "modified": "2026-03-31T06:31:44Z",
+  "published": "2026-03-31T06:31:44Z",
+  "aliases": [
+    "CVE-2026-5180"
+  ],
+  "details": "A flaw has been found in SourceCodester Simple Doctors Appointment System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=login2. This manipulation of the argument email causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5180"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/780354"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354248"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354248/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sourcecodester.com"
+    },
+    {
+      "type": "WEB",
+      "url": "http://github.com/dyh1213-wq/cve/issues/4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T05:16:12Z"
+  }
+}