Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 116eebc4a742 · 2026-03-06T09:33:29.000Z
GHSA-9rhw-f499-jxmh GHSA-cv64-6j2c-f8cg GHSA-cvvv-49vh-384q GHSA-q8x7-j9x6-2fpc GHSA-xmqp-rgcq-rmm2
diff --git a/advisories/unreviewed/2026/03/GHSA-9rhw-f499-jxmh/GHSA-9rhw-f499-jxmh.json b/advisories/unreviewed/2026/03/GHSA-9rhw-f499-jxmh/GHSA-9rhw-f499-jxmh.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9rhw-f499-jxmh",
+  "modified": "2026-03-06T09:31:33Z",
+  "published": "2026-03-06T09:31:33Z",
+  "aliases": [
+    "CVE-2026-2830"
+  ],
+  "details": "The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2830"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-all-import/trunk/controllers/admin/import.php#L185"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-all-import/trunk/libraries/XmlImportTemplate.php#L53"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-all-import/trunk/libraries/XmlImportTemplateCodeGenerator.php#L283"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3474757"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afc85535-962d-479d-8580-9d02f7412930?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T08:16:27Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-cv64-6j2c-f8cg/GHSA-cv64-6j2c-f8cg.json b/advisories/unreviewed/2026/03/GHSA-cv64-6j2c-f8cg/GHSA-cv64-6j2c-f8cg.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cv64-6j2c-f8cg",
+  "modified": "2026-03-06T09:31:33Z",
+  "published": "2026-03-06T09:31:33Z",
+  "aliases": [
+    "CVE-2026-23925"
+  ],
+  "details": "An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23925"
+    },
+    {
+      "type": "WEB",
+      "url": "https://support.zabbix.com/browse/ZBX-27567"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T09:15:56Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-cvvv-49vh-384q/GHSA-cvvv-49vh-384q.json b/advisories/unreviewed/2026/03/GHSA-cvvv-49vh-384q/GHSA-cvvv-49vh-384q.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cvvv-49vh-384q",
+  "modified": "2026-03-06T09:31:33Z",
+  "published": "2026-03-06T09:31:33Z",
+  "aliases": [
+    "CVE-2026-2331"
+  ],
+  "details": "An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2331"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.first.org/cvss/calculator/3.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.json"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/psirt"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-552"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T08:16:27Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-q8x7-j9x6-2fpc/GHSA-q8x7-j9x6-2fpc.json b/advisories/unreviewed/2026/03/GHSA-q8x7-j9x6-2fpc/GHSA-q8x7-j9x6-2fpc.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q8x7-j9x6-2fpc",
-  "modified": "2026-03-06T06:30:32Z",
+  "modified": "2026-03-06T09:31:32Z",
   "published": "2026-03-04T18:31:52Z",
   "aliases": [
     "CVE-2025-12801"
@@ -27,6 +27,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:3940"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3941"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-12801"
diff --git a/advisories/unreviewed/2026/03/GHSA-xmqp-rgcq-rmm2/GHSA-xmqp-rgcq-rmm2.json b/advisories/unreviewed/2026/03/GHSA-xmqp-rgcq-rmm2/GHSA-xmqp-rgcq-rmm2.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xmqp-rgcq-rmm2",
+  "modified": "2026-03-06T09:31:33Z",
+  "published": "2026-03-06T09:31:33Z",
+  "aliases": [
+    "CVE-2026-2330"
+  ],
+  "details": "An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to incomplete whitelist enforcement. Certain directories intended for internal testing were not covered by the whitelist and are accessible without authentication. An unauthenticated attacker could place a manipulated parameter file that becomes active after a reboot, allowing modification of critical device settings, including network configuration and application parameters.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2330"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.first.org/cvss/calculator/3.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.json"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sick.com/psirt"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-552"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T08:16:27Z"
+  }
+}
