Publish Advisories

GHSA-29qh-jw3j-7gwj
GHSA-q8x7-j9x6-2fpc
GHSA-24p2-2h4q-gmhf
GHSA-2rg7-jp97-9whm
GHSA-4fwv-vp29-wx8m
GHSA-cvwg-67gg-j4gg
GHSA-jm9p-6v87-5wr3
GHSA-m9qp-xh66-cmcx
GHSA-p32r-2rg5-6gc2
GHSA-prg7-cj54-c2q4
GHSA-q3hg-jp42-4pfq
GHSA-w5f8-qggr-8844
GHSA-xfqh-9ppr-q5mc

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-29qh-jw3j-7gwj/GHSA-29qh-jw3j-7gwj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-29qh-jw3j-7gwj",
-  "modified": "2026-03-05T21:30:43Z",
+  "modified": "2026-04-01T12:31:27Z",
   "published": "2026-03-05T06:30:28Z",
   "aliases": [
     "CVE-2026-28038"

advisories/unreviewed/2026/03/GHSA-q8x7-j9x6-2fpc/GHSA-q8x7-j9x6-2fpc.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q8x7-j9x6-2fpc",
-  "modified": "2026-03-25T06:30:28Z",
+  "modified": "2026-04-01T12:31:27Z",
   "published": "2026-03-04T18:31:52Z",
   "aliases": [
     "CVE-2025-12801"
@@ -47,6 +47,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:5606"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5867"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:5877"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-12801"

advisories/unreviewed/2026/04/GHSA-24p2-2h4q-gmhf/GHSA-24p2-2h4q-gmhf.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-24p2-2h4q-gmhf",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:28Z",
+  "aliases": [
+    "CVE-2026-21631"
+  ],
+  "details": "Lack of output escaping leads to a XSS vector in the multilingual associations component.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21631"
+    },
+    {
+      "type": "WEB",
+      "url": "https://developer.joomla.org/security-centre/1029-20260303-core-xss-vector-in-com-associations-comparison-view.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T10:16:16Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2rg7-jp97-9whm/GHSA-2rg7-jp97-9whm.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2rg7-jp97-9whm",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:28Z",
+  "aliases": [
+    "CVE-2026-23899"
+  ],
+  "details": "An improper access check allows unauthorized access to webservice endpoints.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23899"
+    },
+    {
+      "type": "WEB",
+      "url": "https://developer.joomla.org/security-centre/1032-20260306-core-improper-access-check-in-webservice-endpoints.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T10:16:16Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-4fwv-vp29-wx8m/GHSA-4fwv-vp29-wx8m.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4fwv-vp29-wx8m",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:28Z",
+  "aliases": [
+    "CVE-2026-24096"
+  ],
+  "details": "Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24096"
+    },
+    {
+      "type": "WEB",
+      "url": "https://checkmk.com/werk/18989"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-280"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T11:15:58Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-cvwg-67gg-j4gg/GHSA-cvwg-67gg-j4gg.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cvwg-67gg-j4gg",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:27Z",
+  "aliases": [
+    "CVE-2026-21629"
+  ],
+  "details": "The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21629"
+    },
+    {
+      "type": "WEB",
+      "url": "https://developer.joomla.org/security-centre/1027-20260301-core-acl-hardening-in-com-ajax.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T10:16:15Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-jm9p-6v87-5wr3/GHSA-jm9p-6v87-5wr3.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jm9p-6v87-5wr3",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:28Z",
+  "aliases": [
+    "CVE-2026-0932"
+  ],
+  "details": "Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0932"
+    },
+    {
+      "type": "WEB",
+      "url": "https://empower.m-files.com/security-advisories/CVE-2026-0932"
+    },
+    {
+      "type": "WEB",
+      "url": "https://product.m-files.com/security-advisories/cve-2026-0932"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T11:15:58Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-m9qp-xh66-cmcx/GHSA-m9qp-xh66-cmcx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m9qp-xh66-cmcx",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:28Z",
+  "aliases": [
+    "CVE-2026-23898"
+  ],
+  "details": "Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23898"
+    },
+    {
+      "type": "WEB",
+      "url": "https://developer.joomla.org/security-centre/1031-20260305-core-arbitrary-file-deletion-in-com-joomlaupdate.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-73"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T10:16:16Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-p32r-2rg5-6gc2/GHSA-p32r-2rg5-6gc2.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p32r-2rg5-6gc2",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:28Z",
+  "aliases": [
+    "CVE-2026-25601"
+  ],
+  "details": "A vulnerability was identified in MEPIS RM, an industrial\nsoftware product developed by Metronik. The application contained a hardcoded\ncryptographic key within the Mx.Web.ComponentModel.dll component. When the\noption to store domain passwords was enabled, this key was used to encrypt user\npasswords before storing them in the application’s database. An attacker with\nsufficient privileges to access the database could extract the encrypted\npasswords, decrypt them using the embedded key, and gain unauthorized access to\nthe associated ICS/OT environment.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25601"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cert.si/en/cve-2026-25601"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-798"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T12:16:02Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-prg7-cj54-c2q4/GHSA-prg7-cj54-c2q4.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-prg7-cj54-c2q4",
+  "modified": "2026-04-01T12:31:28Z",
+  "published": "2026-04-01T12:31:28Z",
+  "aliases": [
+    "CVE-2026-21630"
+  ],
+  "details": "Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21630"
+    },
+    {
+      "type": "WEB",
+      "url": "https://developer.joomla.org/security-centre/1028-20260302-core-sql-injection-in-com-content-articles-webservice-endpoint.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-01T10:16:15Z"
+  }
+}