Publish Advisories

GHSA-2hfg-6q5v-4492
GHSA-3h52-r54r-fvgf
GHSA-4h56-xmq8-7hc9
GHSA-4r58-h5cf-8qgj
GHSA-5q4r-452w-ggwq
GHSA-62j7-j842-x6r6
GHSA-7c8j-xhpq-ww8c
GHSA-8x3j-82w6-4qx2
GHSA-9w3f-qqh3-w7fc
GHSA-gcqp-cwqm-9v38
GHSA-gmrw-vh4q-4fvv
GHSA-gp3c-fxmq-6r3c
GHSA-m35g-p77j-hqrh
GHSA-mxjf-259r-3r76
GHSA-x727-jpvm-9cpv
GHSA-x9cj-242h-gr3m
GHSA-xc4h-36v7-xrrw

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-2hfg-6q5v-4492/GHSA-2hfg-6q5v-4492.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hfg-6q5v-4492",
+  "modified": "2026-02-08T00:30:59Z",
+  "published": "2026-02-08T00:30:59Z",
+  "aliases": [
+    "CVE-2026-2116"
+  ],
+  "details": "A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/edit_expenses.php. Such manipulation of the argument expenses_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2116"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zpf7029/oblong/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344691"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344691"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.746798"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-08T00:16:02Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-3h52-r54r-fvgf/GHSA-3h52-r54r-fvgf.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3h52-r54r-fvgf",
+  "modified": "2026-02-08T00:30:59Z",
+  "published": "2026-02-08T00:30:59Z",
+  "aliases": [
+    "CVE-2026-25858"
+  ],
+  "details": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25858"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/macrozheng/mall/issues/946"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.macrozheng.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-640"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-07T22:16:02Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-4h56-xmq8-7hc9/GHSA-4h56-xmq8-7hc9.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4h56-xmq8-7hc9",
+  "modified": "2026-02-08T00:30:58Z",
+  "published": "2026-02-08T00:30:58Z",
+  "aliases": [
+    "CVE-2026-25562"
+  ],
+  "details": "WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25562"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wekan.fi"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-203"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-07T22:16:01Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-4r58-h5cf-8qgj/GHSA-4r58-h5cf-8qgj.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4r58-h5cf-8qgj",
+  "modified": "2026-02-08T00:30:57Z",
+  "published": "2026-02-08T00:30:57Z",
+  "aliases": [
+    "CVE-2025-15564"
+  ],
+  "details": "A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15564"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mapnik/mapnik/issues/4545"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mapnik/mapnik"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/oneafter/1219/blob/main/repro"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.344502"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.344502"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.743386"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-369"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-07T22:16:01Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-5q4r-452w-ggwq/GHSA-5q4r-452w-ggwq.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5q4r-452w-ggwq",
+  "modified": "2026-02-08T00:30:58Z",
+  "published": "2026-02-08T00:30:58Z",
+  "aliases": [
+    "CVE-2026-25561"
+  ],
+  "details": "WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25561"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wekan.fi"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-07T22:16:01Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-62j7-j842-x6r6/GHSA-62j7-j842-x6r6.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-62j7-j842-x6r6",
+  "modified": "2026-02-08T00:30:59Z",
+  "published": "2026-02-08T00:30:59Z",
+  "aliases": [
+    "CVE-2026-25566"
+  ],
+  "details": "WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25566"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wekan.fi"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-07T22:16:02Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7c8j-xhpq-ww8c/GHSA-7c8j-xhpq-ww8c.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7c8j-xhpq-ww8c",
+  "modified": "2026-02-08T00:30:58Z",
+  "published": "2026-02-08T00:30:58Z",
+  "aliases": [
+    "CVE-2026-25565"
+  ],
+  "details": "WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25565"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wekan.fi"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-07T22:16:02Z"
+  }
+}