Publish Advisories

GHSA-3f3c-wc35-5wjv
GHSA-6v7x-r5hj-8xc6
GHSA-g449-jq9r-wx9r
GHSA-pjpj-3w53-j35f

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-3f3c-wc35-5wjv/GHSA-3f3c-wc35-5wjv.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3f3c-wc35-5wjv",
+  "modified": "2026-03-07T15:30:17Z",
+  "published": "2026-03-07T15:30:17Z",
+  "aliases": [
+    "CVE-2026-3664"
+  ],
+  "details": "A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 147. Applying a patch is advised to resolve this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3664"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xlnt-community/xlnt/issues/141"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xlnt-community/xlnt/pull/147"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/oneafter/0128/blob/main/xl5/repro"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xlnt-community/xlnt"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.349553"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.349553"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.764646"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-07T15:15:56Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6v7x-r5hj-8xc6/GHSA-6v7x-r5hj-8xc6.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6v7x-r5hj-8xc6",
+  "modified": "2026-03-07T15:30:17Z",
+  "published": "2026-03-07T15:30:17Z",
+  "aliases": [
+    "CVE-2026-3663"
+  ],
+  "details": "A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3663"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xlnt-community/xlnt/issues/139"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xlnt-community/xlnt/pull/147"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/oneafter/0128/blob/main/xl3/repro"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xlnt-community/xlnt"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.349552"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.349552"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.764644"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-07T15:15:56Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-g449-jq9r-wx9r/GHSA-g449-jq9r-wx9r.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g449-jq9r-wx9r",
+  "modified": "2026-03-07T15:30:17Z",
+  "published": "2026-03-07T15:30:16Z",
+  "aliases": [
+    "CVE-2026-3662"
+  ],
+  "details": "A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb_p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr_mode leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3662"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jinhao118/cve/blob/main/WAVLINK_2.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.349551"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.349551"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.758228"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-07T14:16:06Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-pjpj-3w53-j35f/GHSA-pjpj-3w53-j35f.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pjpj-3w53-j35f",
+  "modified": "2026-03-07T15:30:16Z",
+  "published": "2026-03-07T15:30:16Z",
+  "aliases": [
+    "CVE-2026-3661"
+  ],
+  "details": "A flaw has been found in Wavlink WL-NU516U1 240425. This affects the function ota_new_upgrade of the file /cgi-bin/adm.cgi. This manipulation of the argument model causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3661"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jinhao118/cve/blob/main/WAVLINK_1.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.349550"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.349550"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.758227"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-07T14:16:05Z"
+  }
+}