Publish Advisories

GHSA-264f-3frq-cpxq
GHSA-2x9h-r46q-gf7w
GHSA-58qr-v987-vh6w
GHSA-6m8q-32w5-c768
GHSA-8hrp-4v5x-m9q3
GHSA-9f9p-gp89-cxxh
GHSA-w43v-pfh7-6jqq
GHSA-x6h5-48q8-5528

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-264f-3frq-cpxq/GHSA-264f-3frq-cpxq.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-264f-3frq-cpxq",
+  "modified": "2026-03-26T03:30:28Z",
+  "published": "2026-03-26T03:30:28Z",
+  "aliases": [
+    "CVE-2026-4830"
+  ],
+  "details": "A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipulation leads to unrestricted upload. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4830"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353127"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353127"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.775479"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulnplus-note.wetolink.com/share/7oB22Zhc6u5X"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T01:16:28Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2x9h-r46q-gf7w/GHSA-2x9h-r46q-gf7w.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2x9h-r46q-gf7w",
+  "modified": "2026-03-26T03:30:28Z",
+  "published": "2026-03-26T03:30:28Z",
+  "aliases": [
+    "CVE-2026-4836"
+  ],
+  "details": "A vulnerability was detected in code-projects Accounting System 1.0. The affected element is an unknown function of the file /my_account/delete.php. Performing a manipulation of the argument cos_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4836"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Time-Based%20Blind%20SQL%20Injection%20Accounting%20System%20in%20PHP%20in%20cos_id%20Parameter.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353140"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353140"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.775867"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T03:16:04Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-58qr-v987-vh6w/GHSA-58qr-v987-vh6w.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-58qr-v987-vh6w",
+  "modified": "2026-03-26T03:30:28Z",
+  "published": "2026-03-26T03:30:28Z",
+  "aliases": [
+    "CVE-2014-125112"
+  ],
+  "details": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125112"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-565"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T03:16:00Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6m8q-32w5-c768/GHSA-6m8q-32w5-c768.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6m8q-32w5-c768",
+  "modified": "2026-03-26T03:30:28Z",
+  "published": "2026-03-26T03:30:28Z",
+  "aliases": [
+    "CVE-2026-4484"
+  ],
+  "details": "The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4484"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.6/includes/RestApi/Controllers/Version1/InstructorsController.php#L305"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3490792/learning-management-system/trunk/includes/RestApi/Controllers/Version1/InstructorsController.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/265be0af-66a4-4636-ab81-f8e2c5a1282e?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T02:16:07Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-8hrp-4v5x-m9q3/GHSA-8hrp-4v5x-m9q3.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8hrp-4v5x-m9q3",
+  "modified": "2026-03-26T03:30:28Z",
+  "published": "2026-03-26T03:30:28Z",
+  "aliases": [
+    "CVE-2026-4831"
+  ],
+  "details": "A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protected Share Handler. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4831"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353128"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353128"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.775502"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulnplus-note.wetolink.com/share/xdk9igJ3sulk"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T02:16:08Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-9f9p-gp89-cxxh/GHSA-9f9p-gp89-cxxh.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9f9p-gp89-cxxh",
+  "modified": "2026-03-26T03:30:28Z",
+  "published": "2026-03-26T03:30:28Z",
+  "aliases": [
+    "CVE-2026-4833"
+  ],
+  "details": "A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled recursion. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project maintainer confirms: \"[I]f you feed it an infinitely deep blockquote input it will crash. (...) [T]his is a duplicate of an old bug that I've been working on.\"",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4833"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Orc/discount/issues/305"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Orc/discount/issues/305#issuecomment-4027546673"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Orc/discount"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/25847391/crash00.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353138"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353138"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.775841"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-404"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T02:16:08Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-w43v-pfh7-6jqq/GHSA-w43v-pfh7-6jqq.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w43v-pfh7-6jqq",
+  "modified": "2026-03-26T03:30:28Z",
+  "published": "2026-03-26T03:30:28Z",
+  "aliases": [
+    "CVE-2026-4835"
+  ],
+  "details": "A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /my_account/add_costumer.php of the component Web Application Interface. Such manipulation of the argument costumer_name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4835"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Accounting%20System%20in%20PHP%201.0%20-%20Stored%20Cross-Site%20Scripting%20(XSS)%20in%20costumer_name%20Parameter.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353139"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353139"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.775859"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T03:16:04Z"
+  }
+}