Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 4b5af1471f85 · 2026-04-12T03:32:34.000Z
GHSA-96q3-fpgp-35xf GHSA-jqqw-37x4-9rwj GHSA-r5v8-c28h-f8r8 GHSA-w287-wwhf-95vv GHSA-w5c9-9mc5-jw55 GHSA-w676-j9x4-3hq2 GHSA-xr7v-m9px-q4qj
diff --git a/advisories/unreviewed/2026/04/GHSA-96q3-fpgp-35xf/GHSA-96q3-fpgp-35xf.json b/advisories/unreviewed/2026/04/GHSA-96q3-fpgp-35xf/GHSA-96q3-fpgp-35xf.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-96q3-fpgp-35xf",
+  "modified": "2026-04-12T03:30:24Z",
+  "published": "2026-04-12T03:30:24Z",
+  "aliases": [
+    "CVE-2026-6107"
+  ],
+  "details": "A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6107"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/issues/24"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB/pull/4919"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782263"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356966"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356966/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T01:16:16Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-jqqw-37x4-9rwj/GHSA-jqqw-37x4-9rwj.json b/advisories/unreviewed/2026/04/GHSA-jqqw-37x4-9rwj/GHSA-jqqw-37x4-9rwj.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jqqw-37x4-9rwj",
-  "modified": "2026-04-11T21:30:19Z",
+  "modified": "2026-04-12T03:30:24Z",
   "published": "2026-04-06T18:33:08Z",
   "aliases": [
     "CVE-2026-5704"
@@ -30,6 +30,10 @@
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2026/04/11/10"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/11/11"
     }
   ],
   "database_specific": {
diff --git a/advisories/unreviewed/2026/04/GHSA-r5v8-c28h-f8r8/GHSA-r5v8-c28h-f8r8.json b/advisories/unreviewed/2026/04/GHSA-r5v8-c28h-f8r8/GHSA-r5v8-c28h-f8r8.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r5v8-c28h-f8r8",
+  "modified": "2026-04-12T03:30:26Z",
+  "published": "2026-04-12T03:30:26Z",
+  "aliases": [
+    "CVE-2026-6111"
+  ],
+  "details": "A security flaw has been discovered in FoundationAgents MetaGPT up to 0.8.1. This impacts the function decode_image of the file metagpt/utils/common.py. The manipulation of the argument img_url_or_b64 results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6111"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT/issues/1934"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT/pull/1941"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791762"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356971"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356971/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T03:16:08Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-w287-wwhf-95vv/GHSA-w287-wwhf-95vv.json b/advisories/unreviewed/2026/04/GHSA-w287-wwhf-95vv/GHSA-w287-wwhf-95vv.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w287-wwhf-95vv",
+  "modified": "2026-04-12T03:30:25Z",
+  "published": "2026-04-12T03:30:25Z",
+  "aliases": [
+    "CVE-2026-6109"
+  ],
+  "details": "A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6109"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT/issues/1932"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791759"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356969"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356969/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T02:16:00Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-w5c9-9mc5-jw55/GHSA-w5c9-9mc5-jw55.json b/advisories/unreviewed/2026/04/GHSA-w5c9-9mc5-jw55/GHSA-w5c9-9mc5-jw55.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w5c9-9mc5-jw55",
+  "modified": "2026-04-12T03:30:25Z",
+  "published": "2026-04-12T03:30:25Z",
+  "aliases": [
+    "CVE-2026-6108"
+  ],
+  "details": "A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/issues/30"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782279"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356968"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356968/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T01:16:16Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-w676-j9x4-3hq2/GHSA-w676-j9x4-3hq2.json b/advisories/unreviewed/2026/04/GHSA-w676-j9x4-3hq2/GHSA-w676-j9x4-3hq2.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w676-j9x4-3hq2",
+  "modified": "2026-04-12T03:30:25Z",
+  "published": "2026-04-12T03:30:25Z",
+  "aliases": [
+    "CVE-2026-1116"
+  ],
+  "details": "A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1116"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T03:16:07Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-xr7v-m9px-q4qj/GHSA-xr7v-m9px-q4qj.json b/advisories/unreviewed/2026/04/GHSA-xr7v-m9px-q4qj/GHSA-xr7v-m9px-q4qj.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xr7v-m9px-q4qj",
+  "modified": "2026-04-12T03:30:25Z",
+  "published": "2026-04-12T03:30:25Z",
+  "aliases": [
+    "CVE-2026-6110"
+  ],
+  "details": "A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.1. This affects the function generate_thoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6110"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT/issues/1933"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT/pull/1946"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FoundationAgents/MetaGPT"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/791761"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356970"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356970/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T03:16:08Z"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-jqqw-37x4-9rwj",`
`4`		`- "modified": "2026-04-11T21:30:19Z",`
	`4`	`+ "modified": "2026-04-12T03:30:24Z",`
`5`	`5`	`"published": "2026-04-06T18:33:08Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2026-5704"`
`@@ -30,6 +30,10 @@`
`30`	`30`	`{`
`31`	`31`	`"type": "WEB",`
`32`	`32`	`"url": "http://www.openwall.com/lists/oss-security/2026/04/11/10"`
	`33`	`+ },`
	`34`	`+ {`
	`35`	`+ "type": "WEB",`
	`36`	`+ "url": "http://www.openwall.com/lists/oss-security/2026/04/11/11"`
`33`	`37`	`}`
`34`	`38`	`],`
`35`	`39`	`"database_specific": {`