Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-3428-qfh5-9x74/GHSA-3428-qfh5-9x74.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3428-qfh5-9x74",
+  "modified": "2026-02-19T00:30:31Z",
+  "published": "2026-02-19T00:30:31Z",
+  "aliases": [
+    "CVE-2026-2684"
+  ],
+  "details": "A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2684"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/luoye197-prog/ziguang-fileupload"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/luoye197-prog/ziguang-fileupload/blob/main/introduce%26poc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346475"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346475"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.753973"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-19T00:16:21Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-36ph-wmrq-6hrj/GHSA-36ph-wmrq-6hrj.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-36ph-wmrq-6hrj",
+  "modified": "2026-02-19T00:30:30Z",
+  "published": "2026-02-19T00:30:30Z",
+  "aliases": [
+    "CVE-2026-2670"
+  ],
+  "details": "A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected is an unknown function of the file /cgi-bin/luci/admin/openvpn_apply of the component Background Management. Such manipulation of the argument delete_file leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2670"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/37"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346467"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346467"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.753293"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.advantech.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T22:16:27Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-3r32-v4qm-6hph/GHSA-3r32-v4qm-6hph.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3r32-v4qm-6hph",
+  "modified": "2026-02-19T00:30:28Z",
+  "published": "2026-02-19T00:30:28Z",
+  "aliases": [
+    "CVE-2019-25353"
+  ],
+  "details": "Foscam Video Management System 1.1.4.9 contains a denial of service vulnerability in the username input field that allows attackers to crash the application. Attackers can overwrite the username with a 520-byte buffer of repeated 'A' characters to trigger an application crash during device login.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25353"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47671"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.foscam.es"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/foscam-video-management-system-username-denial-of-service"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T22:16:20Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-43xr-qfv7-4j2q/GHSA-43xr-qfv7-4j2q.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-43xr-qfv7-4j2q",
+  "modified": "2026-02-19T00:30:29Z",
+  "published": "2026-02-19T00:30:29Z",
+  "aliases": [
+    "CVE-2019-25400"
+  ],
+  "details": "IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users' browsers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25400"
+    },
+    {
+      "type": "WEB",
+      "url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46344"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ipfire.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/ipfire-core-update-multiple-xss-via-fwhostscgi"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T22:16:23Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-4g6v-jhwq-9xjj/GHSA-4g6v-jhwq-9xjj.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4g6v-jhwq-9xjj",
+  "modified": "2026-02-19T00:30:30Z",
+  "published": "2026-02-19T00:30:30Z",
+  "aliases": [
+    "CVE-2026-2648"
+  ],
+  "details": "Heap buffer overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file. (Chromium security severity: High)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2648"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/477033835"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-122"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T22:16:26Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-4vww-ch2x-c53p/GHSA-4vww-ch2x-c53p.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4vww-ch2x-c53p",
+  "modified": "2026-02-19T00:30:29Z",
+  "published": "2026-02-19T00:30:28Z",
+  "aliases": [
+    "CVE-2019-25358"
+  ],
+  "details": "FileOptimizer 14.00.2524 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the FileOptimizer32.ini configuration file. Attackers can overwrite the TempDirectory parameter with a 5000-character buffer to cause the application to crash when opening options.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25358"
+    },
+    {
+      "type": "WEB",
+      "url": "https://sourceforge.net/projects/nikkhokkho"
+    },
+    {
+      "type": "WEB",
+      "url": "https://sourceforge.net/projects/nikkhokkho/files/FileOptimizer/14.00.2524/FileOptimizerSetup.exe/download"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47586"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/fileoptimizer-denial-of-service"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1282"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T22:16:21Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-4wvv-g662-rjm9/GHSA-4wvv-g662-rjm9.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4wvv-g662-rjm9",
+  "modified": "2026-02-19T00:30:30Z",
+  "published": "2026-02-19T00:30:30Z",
+  "aliases": [
+    "CVE-2025-15581"
+  ],
+  "details": "Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. \n\nSuccessful exploitation could result in Privilege Escalation, potentially allowing full administrative access.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15581"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discourse.orthanc-server.org/t/orthanc-1-12-10/6326"
+    },
+    {
+      "type": "WEB",
+      "url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252"
+    },
+    {
+      "type": "WEB",
+      "url": "https://projectblack.io/blog/orthanc-1-12-9-user-impersonation/#exploitation"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-18T23:16:18Z"
+  }
+}