Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-j3cp-7wh4-9f6c/GHSA-j3cp-7wh4-9f6c.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j3cp-7wh4-9f6c",
-  "modified": "2025-10-15T15:30:28Z",
+  "modified": "2026-03-27T18:31:21Z",
   "published": "2025-10-15T15:30:28Z",
   "aliases": [
     "CVE-2025-53521"

advisories/unreviewed/2026/03/GHSA-2467-8w6f-pv35/GHSA-2467-8w6f-pv35.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2467-8w6f-pv35",
+  "modified": "2026-03-27T18:31:27Z",
+  "published": "2026-03-27T18:31:27Z",
+  "aliases": [
+    "CVE-2026-30569"
+  ],
+  "details": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30569"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewStockAvailability-limit.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T17:16:28Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2fgq-8wh7-jwc9/GHSA-2fgq-8wh7-jwc9.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2fgq-8wh7-jwc9",
+  "modified": "2026-03-27T18:31:27Z",
+  "published": "2026-03-27T18:31:27Z",
+  "aliases": [
+    "CVE-2026-30570"
+  ],
+  "details": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_sales.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30570"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/XSS-ViewSales-limit.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T17:16:28Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2pvg-9372-g3rh/GHSA-2pvg-9372-g3rh.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2pvg-9372-g3rh",
+  "modified": "2026-03-27T18:31:28Z",
+  "published": "2026-03-27T18:31:28Z",
+  "aliases": [
+    "CVE-2026-4968"
+  ],
+  "details": "A vulnerability was determined in SourceCodester Diary App 1.0. The affected element is an unknown function of the file diary.php. Executing a manipulation can lead to cross-site request forgery. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. If you want to get the best quality for vulnerability data then you always have to consider VulDB.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4968"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/Mohdanass/50a525ba0a72e10fda85f0db11eeed92"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353855"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353855"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.777729"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sourcecodester.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T18:16:07Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-36m7-49vh-x3qh/GHSA-36m7-49vh-x3qh.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-36m7-49vh-x3qh",
-  "modified": "2026-03-27T15:30:26Z",
+  "modified": "2026-03-27T18:31:25Z",
   "published": "2026-03-27T15:30:25Z",
   "aliases": [
     "CVE-2026-32859"
   ],
   "details": "ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/03/GHSA-36r3-mw6j-7ffc/GHSA-36r3-mw6j-7ffc.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-36r3-mw6j-7ffc",
+  "modified": "2026-03-27T18:31:27Z",
+  "published": "2026-03-27T18:31:27Z",
+  "aliases": [
+    "CVE-2025-15615"
+  ],
+  "details": "Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of service by sending excessive renegotiation requests. Attackers can exploit the lack of renegotiation limits to consume CPU resources and render the authd service unavailable.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-rr83-v9v7-jjhp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15615"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/ssl-tls-renegotiation-dos-in-wazuh-manager-authd-service"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-276"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T17:16:26Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-3gv6-g396-9v4r/GHSA-3gv6-g396-9v4r.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3gv6-g396-9v4r",
+  "modified": "2026-03-27T18:31:27Z",
+  "published": "2026-03-27T18:31:27Z",
+  "aliases": [
+    "CVE-2026-28367"
+  ],
+  "details": "A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\\r\\r\\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28367"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-28367"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443260"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-444"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T17:16:27Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-3wqr-83x4-348r/GHSA-3wqr-83x4-348r.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3wqr-83x4-348r",
+  "modified": "2026-03-27T18:31:27Z",
+  "published": "2026-03-27T18:31:27Z",
+  "aliases": [
+    "CVE-2026-30574"
+  ],
+  "details": "A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30574"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-Overselling.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T17:16:28Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-43p7-xw3r-w4gp/GHSA-43p7-xw3r-w4gp.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-43p7-xw3r-w4gp",
+  "modified": "2026-03-27T18:31:26Z",
+  "published": "2026-03-27T18:31:26Z",
+  "aliases": [
+    "CVE-2026-30527"
+  ],
+  "details": "A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the \"Category Name\" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30527"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/Stored-XSS-Category-Name.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T16:16:23Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-44cv-6xv4-6x7h/GHSA-44cv-6xv4-6x7h.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-44cv-6xv4-6x7h",
-  "modified": "2026-03-25T18:31:50Z",
+  "modified": "2026-03-27T18:31:24Z",
   "published": "2026-03-25T18:31:50Z",
   "aliases": [
     "CVE-2026-24970"
   ],
   "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-22"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-25T17:16:38Z"