Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit da53c7d52ca9 · 2026-03-18T03:33:44.000Z
GHSA-9wx2-2pgr-5hg8 GHSA-m6wh-wq6q-6x3j GHSA-wmxr-6j5f-838p GHSA-x4p7-7chp-64hq
diff --git a/advisories/unreviewed/2026/03/GHSA-9wx2-2pgr-5hg8/GHSA-9wx2-2pgr-5hg8.json b/advisories/unreviewed/2026/03/GHSA-9wx2-2pgr-5hg8/GHSA-9wx2-2pgr-5hg8.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9wx2-2pgr-5hg8",
+  "modified": "2026-03-18T03:32:09Z",
+  "published": "2026-03-18T03:32:09Z",
+  "aliases": [
+    "CVE-2026-4356"
+  ],
+  "details": "A flaw has been found in itsourcecode University Management System 1.0. Affected is an unknown function of the file /add_result.php. Executing a manipulation of the argument vr can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4356"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sulvant/Security/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351395"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351395"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.772854"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-18T02:16:25Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-m6wh-wq6q-6x3j/GHSA-m6wh-wq6q-6x3j.json b/advisories/unreviewed/2026/03/GHSA-m6wh-wq6q-6x3j/GHSA-m6wh-wq6q-6x3j.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m6wh-wq6q-6x3j",
+  "modified": "2026-03-18T03:32:09Z",
+  "published": "2026-03-18T03:32:09Z",
+  "aliases": [
+    "CVE-2026-4268"
+  ],
+  "details": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza_custom_js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4268"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/tags/10.0.04/includes/class.settings-page.php#L145"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5599101-a7bd-4aa7-91da-f11694bdc000?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-18T02:16:25Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-wmxr-6j5f-838p/GHSA-wmxr-6j5f-838p.json b/advisories/unreviewed/2026/03/GHSA-wmxr-6j5f-838p/GHSA-wmxr-6j5f-838p.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wmxr-6j5f-838p",
+  "modified": "2026-03-18T03:32:09Z",
+  "published": "2026-03-18T03:32:09Z",
+  "aliases": [
+    "CVE-2026-2092"
+  ],
+  "details": "A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3925"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3926"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3947"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-2092"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437296"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1287"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-18T02:16:24Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-x4p7-7chp-64hq/GHSA-x4p7-7chp-64hq.json b/advisories/unreviewed/2026/03/GHSA-x4p7-7chp-64hq/GHSA-x4p7-7chp-64hq.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x4p7-7chp-64hq",
+  "modified": "2026-03-18T03:32:09Z",
+  "published": "2026-03-18T03:32:09Z",
+  "aliases": [
+    "CVE-2026-2603"
+  ],
+  "details": "A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2603"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3925"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3926"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3947"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-2603"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-18T02:16:24Z"
+  }
+}
