Publish Advisories

GHSA-2g4m-9v5x-mfwr
GHSA-3385-wm72-hh52
GHSA-438q-mm87-r2p9
GHSA-593x-hf83-hmrv
GHSA-65q8-p76v-6qj6
GHSA-8pjm-jgvr-53w9
GHSA-9pr2-m366-8728
GHSA-ccf6-mw22-wphc
GHSA-f28w-75x8-62f8
GHSA-hvcr-3gq9-w43p
GHSA-mxf6-4cfw-jjw8
GHSA-rc44-pmvh-crfp
GHSA-v5c3-292h-hqp3
GHSA-wjmf-99rj-jgch
GHSA-wv84-v8gw-jhh5

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-2g4m-9v5x-mfwr/GHSA-2g4m-9v5x-mfwr.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2g4m-9v5x-mfwr",
+  "modified": "2026-03-31T09:31:41Z",
+  "published": "2026-03-31T09:31:41Z",
+  "aliases": [
+    "CVE-2025-10553"
+  ],
+  "details": "A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10553"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10553"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T09:16:21Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-3385-wm72-hh52/GHSA-3385-wm72-hh52.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3385-wm72-hh52",
+  "modified": "2026-03-31T09:31:41Z",
+  "published": "2026-03-31T09:31:41Z",
+  "aliases": [
+    "CVE-2025-41357"
+  ],
+  "details": "Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.\nIt affects 'host' parameter in '/diagdns.php' endpoint.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41357"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T09:16:22Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-438q-mm87-r2p9/GHSA-438q-mm87-r2p9.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-438q-mm87-r2p9",
+  "modified": "2026-03-31T09:31:41Z",
+  "published": "2026-03-31T09:31:41Z",
+  "aliases": [
+    "CVE-2025-10551"
+  ],
+  "details": "A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10551"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10551"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T09:16:21Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-593x-hf83-hmrv/GHSA-593x-hf83-hmrv.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-593x-hf83-hmrv",
+  "modified": "2026-03-31T09:31:41Z",
+  "published": "2026-03-31T09:31:41Z",
+  "aliases": [
+    "CVE-2026-5186"
+  ],
+  "details": "A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5186"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/780395"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354254"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354254/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T08:15:54Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-65q8-p76v-6qj6/GHSA-65q8-p76v-6qj6.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-65q8-p76v-6qj6",
+  "modified": "2026-03-31T09:31:42Z",
+  "published": "2026-03-31T09:31:42Z",
+  "aliases": [
+    "CVE-2026-3107"
+  ],
+  "details": "Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicious JavaScript payloads to be persistently stored in the database. When other users view the imported passwords, the payload is automatically executed in their browsers, resulting in a stored XSS condition at the endpoint 'redacted/index.php?page=items'. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of multiple users and the administrator, which can lead to session hijacking, credential theft, privilege abuse, and compromise of application integrity.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3107"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T09:16:22Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-8pjm-jgvr-53w9/GHSA-8pjm-jgvr-53w9.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8pjm-jgvr-53w9",
+  "modified": "2026-03-31T09:31:41Z",
+  "published": "2026-03-31T09:31:41Z",
+  "aliases": [
+    "CVE-2025-10559"
+  ],
+  "details": "A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10559"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10559"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T09:16:21Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-9pr2-m366-8728/GHSA-9pr2-m366-8728.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9pr2-m366-8728",
+  "modified": "2026-03-31T09:31:42Z",
+  "published": "2026-03-31T09:31:42Z",
+  "aliases": [
+    "CVE-2026-5201"
+  ],
+  "details": "A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5201"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-5201"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453291"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-122"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T09:16:23Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-ccf6-mw22-wphc/GHSA-ccf6-mw22-wphc.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ccf6-mw22-wphc",
+  "modified": "2026-03-31T09:31:41Z",
+  "published": "2026-03-31T09:31:41Z",
+  "aliases": [
+    "CVE-2026-5185"
+  ],
+  "details": "A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5185"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/780390"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354253"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/354253/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T07:16:12Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-f28w-75x8-62f8/GHSA-f28w-75x8-62f8.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f28w-75x8-62f8",
+  "modified": "2026-03-31T09:31:41Z",
+  "published": "2026-03-31T09:31:41Z",
+  "aliases": [
+    "CVE-2025-41356"
+  ],
+  "details": "Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects \n'host' parameter in '/diagconnect.php'\n\n endpoint.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41356"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-31T09:16:22Z"
+  }
+}