Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5ba565228c4c · 2026-02-08T12:32:31.000Z
GHSA-347j-pfc2-rvr3 GHSA-9qmm-fmp8-wcfp GHSA-9xgc-j99m-jvr5 GHSA-jp5v-2v6v-3w4h GHSA-phqp-j38f-cm7h GHSA-qg34-2w8p-vh8q
diff --git a/advisories/unreviewed/2026/02/GHSA-347j-pfc2-rvr3/GHSA-347j-pfc2-rvr3.json b/advisories/unreviewed/2026/02/GHSA-347j-pfc2-rvr3/GHSA-347j-pfc2-rvr3.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-347j-pfc2-rvr3",
+  "modified": "2026-02-08T12:30:26Z",
+  "published": "2026-02-08T12:30:26Z",
+  "aliases": [
+    "CVE-2026-2150"
+  ],
+  "details": "A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2150"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-checkin-php-XSS.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344852"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344852"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.747921"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T12:15:51Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-9qmm-fmp8-wcfp/GHSA-9qmm-fmp8-wcfp.json b/advisories/unreviewed/2026/02/GHSA-9qmm-fmp8-wcfp/GHSA-9qmm-fmp8-wcfp.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9qmm-fmp8-wcfp",
+  "modified": "2026-02-08T12:30:26Z",
+  "published": "2026-02-08T12:30:26Z",
+  "aliases": [
+    "CVE-2026-2151"
+  ],
+  "details": "A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr  leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2151"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pentagonal-time-3a7.notion.site/DIR-615-OS-Command-Injection-2f6e5dd4c5a58053b2b4f166c2a503ba"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344853"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344853"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.748031"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T12:15:52Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-9xgc-j99m-jvr5/GHSA-9xgc-j99m-jvr5.json b/advisories/unreviewed/2026/02/GHSA-9xgc-j99m-jvr5/GHSA-9xgc-j99m-jvr5.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9xgc-j99m-jvr5",
+  "modified": "2026-02-08T12:30:26Z",
+  "published": "2026-02-08T12:30:26Z",
+  "aliases": [
+    "CVE-2026-2146"
+  ],
+  "details": "A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2146"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/guchengwuyue/yshopmall/issues/40"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/guchengwuyue/yshopmall"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344848"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344848"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.747409"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T10:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-jp5v-2v6v-3w4h/GHSA-jp5v-2v6v-3w4h.json b/advisories/unreviewed/2026/02/GHSA-jp5v-2v6v-3w4h/GHSA-jp5v-2v6v-3w4h.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jp5v-2v6v-3w4h",
+  "modified": "2026-02-08T12:30:26Z",
+  "published": "2026-02-08T12:30:26Z",
+  "aliases": [
+    "CVE-2026-2148"
+  ],
+  "details": "A security vulnerability has been detected in Tenda AC21 16.03.08.16. Affected is an unknown function of the file /cgi-bin/DownloadFlash of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2148"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/27"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344850"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344850"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.747557"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T11:15:51Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-phqp-j38f-cm7h/GHSA-phqp-j38f-cm7h.json b/advisories/unreviewed/2026/02/GHSA-phqp-j38f-cm7h/GHSA-phqp-j38f-cm7h.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-phqp-j38f-cm7h",
+  "modified": "2026-02-08T12:30:26Z",
+  "published": "2026-02-08T12:30:26Z",
+  "aliases": [
+    "CVE-2026-2149"
+  ],
+  "details": "A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2149"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-appointments-XSS.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344851"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344851"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.747920"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T11:15:53Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-qg34-2w8p-vh8q/GHSA-qg34-2w8p-vh8q.json b/advisories/unreviewed/2026/02/GHSA-qg34-2w8p-vh8q/GHSA-qg34-2w8p-vh8q.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qg34-2w8p-vh8q",
+  "modified": "2026-02-08T12:30:26Z",
+  "published": "2026-02-08T12:30:26Z",
+  "aliases": [
+    "CVE-2026-2147"
+  ],
+  "details": "A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2147"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/master-abc/cve/issues/30"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344849"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344849"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.747429"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T10:15:50Z"
+  }
+}
