Publish Advisories

GHSA-2fhv-6v4j-h4qx
GHSA-2g7v-hghf-grg4
GHSA-2hfm-wh8p-mfqm
GHSA-7ggh-xq48-m73m
GHSA-97mf-v96f-5jp7
GHSA-9cgv-px49-jxx3
GHSA-g3xg-9c9v-6qx5
GHSA-jrmw-6fvh-x39j
GHSA-mc5p-73vc-m6ph
GHSA-p69q-x7rq-85qp
GHSA-q4jc-jqf3-rhwm
GHSA-wxr4-4cp2-2mqr
GHSA-xvv7-73jx-5wcg

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-2fhv-6v4j-h4qx/GHSA-2fhv-6v4j-h4qx.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2fhv-6v4j-h4qx",
+  "modified": "2026-02-08T03:30:27Z",
+  "published": "2026-02-08T03:30:27Z",
+  "aliases": [
+    "CVE-2026-2131"
+  ],
+  "details": "A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2131"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344766"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344766"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.747209"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T03:15:49Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-2g7v-hghf-grg4/GHSA-2g7v-hghf-grg4.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2g7v-hghf-grg4",
+  "modified": "2026-02-08T03:30:27Z",
+  "published": "2026-02-08T03:30:27Z",
+  "aliases": [
+    "CVE-2026-2130"
+  ],
+  "details": "A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 is able to mitigate this issue. This patch is called b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2130"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BurtTheCoder/mcp-maigret/issues/9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BurtTheCoder/mcp-maigret/pull/10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BurtTheCoder/mcp-maigret/commit/b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BurtTheCoder/mcp-maigret"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BurtTheCoder/mcp-maigret/releases/tag/v1.0.13"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344765"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344765"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.747171"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T03:15:46Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-2hfm-wh8p-mfqm/GHSA-2hfm-wh8p-mfqm.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hfm-wh8p-mfqm",
+  "modified": "2026-02-08T03:30:27Z",
+  "published": "2026-02-08T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2209"
+  ],
+  "details": "A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2209"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/commit/f244a43771f6ebf40218b83b9f46dba6b940d7de"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/releases/tag/v8.19"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344923"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344923"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.752269"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T02:15:57Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7ggh-xq48-m73m/GHSA-7ggh-xq48-m73m.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7ggh-xq48-m73m",
+  "modified": "2026-02-08T03:30:26Z",
+  "published": "2026-02-08T03:30:26Z",
+  "aliases": [
+    "CVE-2025-15100"
+  ],
+  "details": "The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15100"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.6.01/includes/user-panel/jay-login-register-ajax-handler-user-panel.php#L624"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fb900810-23a2-4920-a5e8-4388c4474de0?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-269"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T02:15:56Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-97mf-v96f-5jp7/GHSA-97mf-v96f-5jp7.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-97mf-v96f-5jp7",
+  "modified": "2026-02-08T03:30:27Z",
+  "published": "2026-02-08T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2206"
+  ],
+  "details": "A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2206"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/commit/4ce181d17249778094f73d21515f7f863f554743"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/releases/tag/v8.21"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344920"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344920"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.752162"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T02:15:57Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-9cgv-px49-jxx3/GHSA-9cgv-px49-jxx3.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9cgv-px49-jxx3",
+  "modified": "2026-02-08T03:30:26Z",
+  "published": "2026-02-08T03:30:26Z",
+  "aliases": [
+    "CVE-2026-2129"
+  ],
+  "details": "A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2129"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/23"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344764"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344764"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.746935"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T02:15:56Z"
+  }
+}