Publish Advisories

GHSA-c97m-vxhj-p7j6
GHSA-xxxg-x793-7fq3

Author: advisory-database[bot]

…-c97m-vxhj-p7j6/GHSA-c97m-vxhj-p7j6.json …-c97m-vxhj-p7j6/GHSA-c97m-vxhj-p7j6.jsonadvisories/unreviewed/2026/04/GHSA-c97m-vxhj-p7j6/GHSA-c97m-vxhj-p7j6.json renamed to advisories/github-reviewed/2026/04/GHSA-c97m-vxhj-p7j6/GHSA-c97m-vxhj-p7j6.json advisories/unreviewed/2026/04/GHSA-c97m-vxhj-p7j6/GHSA-c97m-vxhj-p7j6.json renamed to advisories/github-reviewed/2026/04/GHSA-c97m-vxhj-p7j6/GHSA-c97m-vxhj-p7j6.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c97m-vxhj-p7j6",
-  "modified": "2026-04-17T15:31:17Z",
+  "modified": "2026-04-18T01:02:42Z",
   "published": "2026-04-17T15:31:17Z",
   "aliases": [
     "CVE-2026-5160"
   ],
+  "summary": "goldmark vulnerable to Cross-site Scripting (XSS)",
   "details": "Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/yuin/goldmark/renderer/html"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.7.17"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -27,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/yuin/goldmark"
+    },
     {
       "type": "WEB",
       "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERERHTML-15838406"
@@ -37,8 +62,8 @@
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:02:42Z",
     "nvd_published_at": "2026-04-15T06:16:13Z"
   }
 }

…-xxxg-x793-7fq3/GHSA-xxxg-x793-7fq3.json …-xxxg-x793-7fq3/GHSA-xxxg-x793-7fq3.jsonadvisories/unreviewed/2026/04/GHSA-xxxg-x793-7fq3/GHSA-xxxg-x793-7fq3.json renamed to advisories/github-reviewed/2026/04/GHSA-xxxg-x793-7fq3/GHSA-xxxg-x793-7fq3.json advisories/unreviewed/2026/04/GHSA-xxxg-x793-7fq3/GHSA-xxxg-x793-7fq3.json renamed to advisories/github-reviewed/2026/04/GHSA-xxxg-x793-7fq3/GHSA-xxxg-x793-7fq3.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xxxg-x793-7fq3",
-  "modified": "2026-04-12T15:30:27Z",
+  "modified": "2026-04-18T01:01:26Z",
   "published": "2026-04-12T15:30:27Z",
   "aliases": [
     "CVE-2019-25710"
   ],
+  "summary": "Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php",
   "details": "Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.",
   "severity": [
     {
@@ -14,15 +15,39 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "dolibarr/dolibarr"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "8.0.4"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25710"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Dolibarr/dolibarr"
+    },
     {
       "type": "WEB",
       "url": "https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip"
@@ -45,8 +70,8 @@
       "CWE-89"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:01:26Z",
     "nvd_published_at": "2026-04-12T13:16:34Z"
   }
 }