Publish Advisories

GHSA-2xx8-j85v-j7wh
GHSA-3qcm-pj6q-w4c5
GHSA-5vjq-5jmg-39xq
GHSA-fpx9-9hq8-w2xc
GHSA-m32f-8vh9-2hh3

Author: advisory-database[bot]

…-2xx8-j85v-j7wh/GHSA-2xx8-j85v-j7wh.json …-2xx8-j85v-j7wh/GHSA-2xx8-j85v-j7wh.jsonadvisories/unreviewed/2026/04/GHSA-2xx8-j85v-j7wh/GHSA-2xx8-j85v-j7wh.json renamed to advisories/github-reviewed/2026/04/GHSA-2xx8-j85v-j7wh/GHSA-2xx8-j85v-j7wh.json advisories/unreviewed/2026/04/GHSA-2xx8-j85v-j7wh/GHSA-2xx8-j85v-j7wh.json renamed to advisories/github-reviewed/2026/04/GHSA-2xx8-j85v-j7wh/GHSA-2xx8-j85v-j7wh.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2xx8-j85v-j7wh",
-  "modified": "2026-04-14T18:30:35Z",
+  "modified": "2026-04-16T01:32:19Z",
   "published": "2026-04-14T18:30:35Z",
   "aliases": [
     "CVE-2026-38532"
   ],
+  "summary": "Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php",
   "details": "A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "krayin/laravel-crm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/krayin/laravel-crm"
     }
   ],
@@ -33,8 +54,8 @@
       "CWE-639"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:32:19Z",
     "nvd_published_at": "2026-04-14T16:16:43Z"
   }
 }

…-3qcm-pj6q-w4c5/GHSA-3qcm-pj6q-w4c5.json …-3qcm-pj6q-w4c5/GHSA-3qcm-pj6q-w4c5.jsonadvisories/unreviewed/2026/04/GHSA-3qcm-pj6q-w4c5/GHSA-3qcm-pj6q-w4c5.json renamed to advisories/github-reviewed/2026/04/GHSA-3qcm-pj6q-w4c5/GHSA-3qcm-pj6q-w4c5.json advisories/unreviewed/2026/04/GHSA-3qcm-pj6q-w4c5/GHSA-3qcm-pj6q-w4c5.json renamed to advisories/github-reviewed/2026/04/GHSA-3qcm-pj6q-w4c5/GHSA-3qcm-pj6q-w4c5.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3qcm-pj6q-w4c5",
-  "modified": "2026-04-04T21:30:27Z",
+  "modified": "2026-04-16T01:34:08Z",
   "published": "2026-04-04T21:30:27Z",
   "aliases": [
     "CVE-2016-20054"
   ],
+  "summary": "Nodcms contains a cross-site request forgery vulnerability",
   "details": "Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/user_manipulate and admin/settings/generall endpoints to create users or modify application settings without explicit consent.",
   "severity": [
     {
@@ -14,15 +15,39 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "khodakhah/nodcms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "3.4.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20054"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/khodakhah/nodcms"
+    },
     {
       "type": "WEB",
       "url": "https://www.exploit-db.com/exploits/40707"
@@ -34,8 +59,8 @@
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:34:08Z",
     "nvd_published_at": "2026-04-04T20:16:15Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-5vjq-5jmg-39xq/GHSA-5vjq-5jmg-39xq.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5vjq-5jmg-39xq",
+  "modified": "2026-04-16T01:34:40Z",
+  "published": "2026-04-16T01:34:39Z",
+  "aliases": [],
+  "summary": "Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance",
+  "details": "When using [`lockFileMaintenance`](https://docs.renovatebot.com/configuration-options/#lockfilemaintenance) using the [bazel-module](https://docs.renovatebot.com/modules/manager/bazel-module/) or [bazelisk](https://docs.renovatebot.com/modules/manager/bazelisk/) managers between Renovate [43.65.0](https://github.com/renovatebot/renovate/releases/tag/43.65.0) (2026-03-12) and [43.102.11](https://github.com/renovatebot/renovate/releases/tag/43.102.11) (2026-04-02), there was the opportunity for remote code execution from a malicious dependency, _if the Bazel module executes code that relies on a dependency_.\n\nAs this is an \"unsafe\" execution path, we have disabled this by default, and self-hosted administrators must add it to the [`allowedUnsafeExecutions`](https://docs.renovatebot.com/self-hosted-configuration/#allowedunsafeexecutions) allowlist.\n\nIt is recommended to review whether you have enabled this functionality for these managers, and if so, whether any dependency updates may have led to remote code execution.\n\n## Impact\n\nIf Renovate suggested an update to a malicious dependency, _and_ that dependency is referenced as part of the `bazel mod deps` call - for instance as part of a `ctx.execute` call - this would call attacker-controlled code.\n\nThis could lead to [insider attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) and [outside attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-outsider-attack), executing code that is distributed as part of the package.\n \n## Patches\n\nThis is patched in [43.102.11](https://github.com/renovatebot/renovate/releases/tag/43.102.11).\n\nThis does not affect any versions of [Mend Renovate Self-Hosted](https://www.mend.io/renovate/).\n\n## Workarounds\n\n- Upgrade your Renovate version\n- Disable `lockFileMaintenance` for these managers\n\n## Why did this happen?\n\nThis was missed in code review (as part of https://github.com/renovatebot/renovate/pull/41507).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "renovate"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "43.65.0"
+            },
+            {
+              "fixed": "43.102.11"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-5vjq-5jmg-39xq"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/renovatebot/renovate"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/renovatebot/renovate/releases/tag/43.102.11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:34:39Z",
+    "nvd_published_at": null
+  }
+}

…-fpx9-9hq8-w2xc/GHSA-fpx9-9hq8-w2xc.json …-fpx9-9hq8-w2xc/GHSA-fpx9-9hq8-w2xc.jsonadvisories/unreviewed/2026/04/GHSA-fpx9-9hq8-w2xc/GHSA-fpx9-9hq8-w2xc.json renamed to advisories/github-reviewed/2026/04/GHSA-fpx9-9hq8-w2xc/GHSA-fpx9-9hq8-w2xc.json advisories/unreviewed/2026/04/GHSA-fpx9-9hq8-w2xc/GHSA-fpx9-9hq8-w2xc.json renamed to advisories/github-reviewed/2026/04/GHSA-fpx9-9hq8-w2xc/GHSA-fpx9-9hq8-w2xc.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fpx9-9hq8-w2xc",
-  "modified": "2026-04-14T18:30:35Z",
+  "modified": "2026-04-16T01:32:29Z",
   "published": "2026-04-14T18:30:35Z",
   "aliases": [
     "CVE-2026-38527"
   ],
+  "summary": "Webkul Krayin CRM has Server-Side Request Forgery (SSRF)",
   "details": "A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "krayin/laravel-crm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/krayin/laravel-crm"
     }
   ],
@@ -33,8 +54,8 @@
       "CWE-918"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:32:29Z",
     "nvd_published_at": "2026-04-14T16:16:43Z"
   }
 }

…-m32f-8vh9-2hh3/GHSA-m32f-8vh9-2hh3.json …-m32f-8vh9-2hh3/GHSA-m32f-8vh9-2hh3.jsonadvisories/unreviewed/2026/04/GHSA-m32f-8vh9-2hh3/GHSA-m32f-8vh9-2hh3.json renamed to advisories/github-reviewed/2026/04/GHSA-m32f-8vh9-2hh3/GHSA-m32f-8vh9-2hh3.json advisories/unreviewed/2026/04/GHSA-m32f-8vh9-2hh3/GHSA-m32f-8vh9-2hh3.json renamed to advisories/github-reviewed/2026/04/GHSA-m32f-8vh9-2hh3/GHSA-m32f-8vh9-2hh3.json

@@ -1,40 +1,69 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m32f-8vh9-2hh3",
-  "modified": "2026-04-14T15:30:35Z",
+  "modified": "2026-04-16T01:34:56Z",
   "published": "2026-04-14T15:30:35Z",
   "aliases": [
     "CVE-2026-37980"
   ],
+  "summary": "Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page",
   "details": "A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.5.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37980"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/48049"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-37980"
     },
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455325"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:34:56Z",
     "nvd_published_at": "2026-04-14T15:16:34Z"
   }
 }