Publish Advisories

GHSA-w3fc-f758-c6x7
GHSA-x8cm-r99c-gv26

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-w3fc-f758-c6x7/GHSA-w3fc-f758-c6x7.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w3fc-f758-c6x7",
+  "modified": "2026-04-19T06:31:22Z",
+  "published": "2026-04-19T06:31:22Z",
+  "aliases": [
+    "CVE-2026-0868"
+  ],
+  "details": "The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0868"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3466576/embed-calendly-scheduling"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5653ebe-7145-4b1c-94f8-ca87ed0dc4f5?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-19T04:16:10Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-x8cm-r99c-gv26/GHSA-x8cm-r99c-gv26.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x8cm-r99c-gv26",
+  "modified": "2026-04-19T06:31:22Z",
+  "published": "2026-04-19T06:31:22Z",
+  "aliases": [
+    "CVE-2026-6559"
+  ],
+  "details": "A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the function sub_401F80 of the file /cgi-bin/login.cgi. This manipulation of the argument Hostname causes cross site scripting. Remote exploitation of the attack is possible. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6559"
+    },
+    {
+      "type": "WEB",
+      "url": "https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_16/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/785303"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358196"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358196/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-19T06:16:10Z"
+  }
+}