

14 files changed

+752
-0
lines changed

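--- /dev/null
+++ b/<path-not-shown-on-page>/GHSA-2h66-4jhv-36vf.json
@@ -0,0 +1,56 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-2h66-4jhv-36vf",
+"modified": "2026-04-07T00:30:22Z",
+"published": "2026-04-07T00:30:22Z",
+"aliases": [
+"CVE-2026-5705"
+],
+"details": "A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affected by this vulnerability is an unknown functionality of the file /booknow.php of the component Booking Endpoint. Such manipulation of the argument roomname leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5705"
+},
+{
+"type": "WEB",
+"url": "https://code-projects.org"
+},
+{
+"type": "WEB",
+"url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Reflected%20Cross-Site%20Scripting%20(XSS)%20in%20Online%20Hotel%20Booking%20System%20roomname%20Parameter.md"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/786325"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355521"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355521/cti"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-79"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-07T00:16:21Z"
+}
+}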
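Review bot: `"affected": []` leaves this advisory with no machine-readable package or version range, even though `details` names the product and version (code-projects Online Hotel Booking 1.0); OSV-based scanners match on `affected`, so with it empty the record cannot flag anything and consumers are left parsing prose. The same empty `affected` appears in the other six files in this commit (GHSA-6vq3-2fhj-j6wx, GHSA-fc6j-rjwv-62c9, GHSA-fpff-pjfw-gfg7, GHSA-frp6-hv3g-9wcp, GHSA-g7w2-v9m9-34xp, GHSA-gxfh-rxpm-86pc); for the three AWS RES records the text even states the fixed release (2026.03), which is exactly what an `affected[].ranges` entry would carry. Given `"github_reviewed": false`, this is presumably the auto-import stage before curation; if the importer cannot populate `affected` for these ecosystems, documenting that unreviewed records ship without `affected` data would stop downstream tooling from treating them as noise.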
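--- /dev/null
+++ b/<path-not-shown-on-page>/GHSA-6vq3-2fhj-j6wx.json
@@ -0,0 +1,48 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-6vq3-2fhj-j6wx",
+"modified": "2026-04-07T00:30:22Z",
+"published": "2026-04-07T00:30:22Z",
+"aliases": [
+"CVE-2026-5709"
+],
+"details": "Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5709"
+},
+{
+"type": "WEB",
+"url": "https://github.com/aws/res/issues/150"
+},
+{
+"type": "WEB",
+"url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws"
+},
+{
+"type": "WEB",
+"url": "https://github.com/aws/res/releases/tag/2026.03"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-78"
+],
+"severity": "HIGH",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-06T22:16:25Z"
+}
+}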
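--- /dev/null
+++ b/<path-not-shown-on-page>/GHSA-fc6j-rjwv-62c9.json
@@ -0,0 +1,56 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-fc6j-rjwv-62c9",
+"modified": "2026-04-07T00:30:22Z",
+"published": "2026-04-07T00:30:22Z",
+"aliases": [
+"CVE-2026-5686"
+],
+"details": "A security flaw has been discovered in Tenda CX12L 16.03.53.12. This vulnerability affects the function fromRouteStatic of the file /goform/RouteStatic. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5686"
+},
+{
+"type": "WEB",
+"url": "https://github.com/cve-a/lvdan/issues/4"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/792783"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355513"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355513/cti"
+},
+{
+"type": "WEB",
+"url": "https://www.tenda.com.cn"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-119"
+],
+"severity": "HIGH",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-06T22:16:24Z"
+}
+}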
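--- /dev/null
+++ b/<path-not-shown-on-page>/GHSA-fpff-pjfw-gfg7.json
@@ -0,0 +1,48 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-fpff-pjfw-gfg7",
+"modified": "2026-04-07T00:30:22Z",
+"published": "2026-04-07T00:30:22Z",
+"aliases": [
+"CVE-2026-5708"
+],
+"details": "Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5708"
+},
+{
+"type": "WEB",
+"url": "https://github.com/aws/res/issues/149"
+},
+{
+"type": "WEB",
+"url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws"
+},
+{
+"type": "WEB",
+"url": "https://github.com/aws/res/releases/tag/2026.03"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-915"
+],
+"severity": "HIGH",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-06T22:16:25Z"
+}
+}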
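--- /dev/null
+++ b/<path-not-shown-on-page>/GHSA-frp6-hv3g-9wcp.json
@@ -0,0 +1,56 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-frp6-hv3g-9wcp",
+"modified": "2026-04-07T00:30:22Z",
+"published": "2026-04-07T00:30:22Z",
+"aliases": [
+"CVE-2026-5685"
+],
+"details": "A vulnerability was identified in Tenda CX12L 16.03.53.12. This affects the function fromAddressNat of the file /goform/addressNat. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5685"
+},
+{
+"type": "WEB",
+"url": "https://github.com/cve-a/lvdan/issues/3"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/792782"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355512"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355512/cti"
+},
+{
+"type": "WEB",
+"url": "https://www.tenda.com.cn"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-119"
+],
+"severity": "HIGH",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-06T22:16:24Z"
+}
+}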
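--- /dev/null
+++ b/<path-not-shown-on-page>/GHSA-g7w2-v9m9-34xp.json
@@ -0,0 +1,56 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-g7w2-v9m9-34xp",
+"modified": "2026-04-07T00:30:22Z",
+"published": "2026-04-07T00:30:22Z",
+"aliases": [
+"CVE-2026-5691"
+],
+"details": "A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setFirewallType of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5691"
+},
+{
+"type": "WEB",
+"url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_189/README.md"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/792962"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355518"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/355518/cti"
+},
+{
+"type": "WEB",
+"url": "https://www.totolink.net"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-77"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-06T23:16:32Z"
+}
+}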
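--- /dev/null
+++ b/<path-not-shown-on-page>/GHSA-gxfh-rxpm-86pc.json
@@ -0,0 +1,48 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-gxfh-rxpm-86pc",
+"modified": "2026-04-07T00:30:22Z",
+"published": "2026-04-07T00:30:22Z",
+"aliases": [
+"CVE-2026-5707"
+],
+"details": "Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5707"
+},
+{
+"type": "WEB",
+"url": "https://github.com/aws/res/issues/151"
+},
+{
+"type": "WEB",
+"url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws"
+},
+{
+"type": "WEB",
+"url": "https://github.com/aws/res/releases/tag/2026.03"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-78"
+],
+"severity": "HIGH",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-06T22:16:25Z"
+}
+}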
