Publish Advisories

GHSA-28cf-2j8g-v8mv
GHSA-38xg-3ffm-68p7
GHSA-7chh-rv6q-8pp3
GHSA-7j93-6xm6-qf2c
GHSA-7vwv-5gmf-fwq5
GHSA-82p2-ccrf-wxw5
GHSA-964f-vc2f-ch6j
GHSA-9xqh-f8h9-23pv
GHSA-fc72-gwgq-7p26
GHSA-g989-fg9h-96pr
GHSA-h573-p6v2-3p2p
GHSA-mgx6-7qx4-g5f3
GHSA-qm6w-97m7-3844
GHSA-r3p8-h9vv-9cqc
GHSA-rvhp-mghq-8mvw

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-28cf-2j8g-v8mv/GHSA-28cf-2j8g-v8mv.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-28cf-2j8g-v8mv",
+  "modified": "2026-02-14T00:32:42Z",
+  "published": "2026-02-14T00:32:42Z",
+  "aliases": [
+    "CVE-2026-1841"
+  ],
+  "details": "The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1841"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.5.2/includes/enrich/class_enrich_order.php#L252"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.5.2/includes/enrich/class_enrich_order.php#L255"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.5.2/includes/enrich/class_enrich_order.php#L265"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.5.2/includes/enrich/class_enrich_order.php#L266"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3454364/pixelyoursite"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c4f2d9d-d34c-45dd-aff8-ca9bbe808b5a?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-13T22:16:10Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-38xg-3ffm-68p7/GHSA-38xg-3ffm-68p7.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-38xg-3ffm-68p7",
+  "modified": "2026-02-14T00:32:42Z",
+  "published": "2026-02-14T00:32:42Z",
+  "aliases": [
+    "CVE-2025-70866"
+  ],
+  "details": "LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70866"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/gkjzjh146/6d541c80b0666a596581ccd85bd10058"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/LavaLite/cms/releases/tag/v10.1.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-13T22:16:09Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7chh-rv6q-8pp3/GHSA-7chh-rv6q-8pp3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7chh-rv6q-8pp3",
-  "modified": "2026-02-05T06:31:23Z",
+  "modified": "2026-02-14T00:32:41Z",
   "published": "2026-02-04T15:30:29Z",
   "aliases": [
     "CVE-2026-1642"
@@ -34,6 +34,7 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-345",
       "CWE-349"
     ],
     "severity": "HIGH",

advisories/unreviewed/2026/02/GHSA-7j93-6xm6-qf2c/GHSA-7j93-6xm6-qf2c.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7j93-6xm6-qf2c",
+  "modified": "2026-02-14T00:32:42Z",
+  "published": "2026-02-14T00:32:42Z",
+  "aliases": [
+    "CVE-2026-1844"
+  ],
+  "details": "The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1844"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pixelyoursite.com/plugins/pixelyoursite-professional"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fa6a112-ee69-43eb-bded-daba2c2c4dc5?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-13T22:16:11Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7vwv-5gmf-fwq5/GHSA-7vwv-5gmf-fwq5.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7vwv-5gmf-fwq5",
+  "modified": "2026-02-14T00:32:42Z",
+  "published": "2026-02-14T00:32:42Z",
+  "aliases": [
+    "CVE-2025-69633"
+  ],
+  "details": "A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions).",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69633"
+    },
+    {
+      "type": "WEB",
+      "url": "https://addons.prestashop.com/en/pop-up-gamification/23773-popup-on-entry-exit-popup-and-newsletter.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://labs.esokia.com/cve/cve-2025-69633"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-13T22:16:09Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-82p2-ccrf-wxw5/GHSA-82p2-ccrf-wxw5.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-82p2-ccrf-wxw5",
-  "modified": "2026-02-12T00:31:04Z",
+  "modified": "2026-02-14T00:32:41Z",
   "published": "2026-02-12T00:31:04Z",
   "aliases": [
     "CVE-2026-20615"
   ],
   "details": "A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, visionOS 26.3. An app may be able to gain root privileges.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-02-11T23:16:05Z"

advisories/unreviewed/2026/02/GHSA-964f-vc2f-ch6j/GHSA-964f-vc2f-ch6j.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-964f-vc2f-ch6j",
+  "modified": "2026-02-14T00:32:42Z",
+  "published": "2026-02-14T00:32:42Z",
+  "aliases": [
+    "CVE-2025-70955"
+  ],
+  "details": "A Stack Overflow vulnerability was discovered in the TON Virtual Machine (TVM) before v2024.10. The vulnerability stems from the improper handling of vmstate and continuation jump instructions, which allow for continuous dynamic tail calls. An attacker can exploit this by crafting a smart contract with deeply nested jump logic. Even within permissible gas limits, this nested execution exhausts the host process's stack space, causing the validator node to crash. This results in a Denial of Service (DoS) for the TON blockchain network.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70955"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ton-blockchain/ton/commit/b5734d2e30b9c93cfdacb4ea37c9ebdf11ca5d49#diff-17eca9db515992a081522236bf9bad767fac171044f7c00c20bf740f4206b3de"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/Lucian-code233/25b0a13be569db9160340d9ecd2fdf0d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ton-blockchain/ton/releases/tag/v2024.10#:~:text=krigga%20%28emulator%29%2C-%2CArayz%2C-%40%20TonBit%20%28LS%20security"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mp.weixin.qq.com/s/wy2ea6udkNZzIsp1K2LEOQ"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-13T22:16:10Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-9xqh-f8h9-23pv/GHSA-9xqh-f8h9-23pv.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9xqh-f8h9-23pv",
+  "modified": "2026-02-14T00:32:42Z",
+  "published": "2026-02-14T00:32:42Z",
+  "aliases": [
+    "CVE-2025-70956"
+  ],
+  "details": "A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70956"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ton-blockchain/ton/commit/1835d84602bbaaa1593270d7ab3bb0b499920416"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/Lucian-code233/beab9d14683ed2bdf5543be430b91c70"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ton-blockchain/ton/releases/tag/v2025.04#:~:text=Arayz%2C%20Robinlzw%2C%20%40wy666444%20%40Lucian-code233"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mp.weixin.qq.com/s/ZD35baKUikefFdtNHZIC9g"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-13T22:16:10Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-fc72-gwgq-7p26/GHSA-fc72-gwgq-7p26.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fc72-gwgq-7p26",
-  "modified": "2026-02-04T15:30:31Z",
+  "modified": "2026-02-14T00:32:41Z",
   "published": "2026-02-04T15:30:31Z",
   "aliases": [
     "CVE-2026-20732"

advisories/unreviewed/2026/02/GHSA-g989-fg9h-96pr/GHSA-g989-fg9h-96pr.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g989-fg9h-96pr",
+  "modified": "2026-02-14T00:32:42Z",
+  "published": "2026-02-14T00:32:42Z",
+  "aliases": [
+    "CVE-2025-70954"
+  ],
+  "details": "A Null Pointer Dereference vulnerability exists in the TON Virtual Machine (TVM) within the TON Blockchain before v2025.06. The issue is located in the execution logic of the INMSGPARAM instruction, where the program fails to validate if a specific pointer is null before accessing it. By sending a malicious transaction or smart contract, an attacker can trigger this null pointer dereference, causing the validator node process to crash (segmentation fault). This results in a Denial of Service (DoS) affecting the availability of the entire blockchain network.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70954"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ton-blockchain/ton/commit/9e5109d56bc4f2345a00b2271c3711103841b799"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/Lucian-code233/04940a264cab50732cc07fd991749226"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ton-blockchain/ton/releases/tag/v2025.06#:~:text=AArayz%2C%20wy666444%2C%20Robinlzw%2C%20Lucian-code233"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mp.weixin.qq.com/s/IbRKrCKdMyIi-azkuqOOvg"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-13T22:16:10Z"
+  }
+}