Publish Advisories

GHSA-4833-xmjg-923x
GHSA-6xw9-2p64-7622
GHSA-7364-56q4-9jv8
GHSA-7r5x-3969-58xr
GHSA-86c5-9jxx-m8g7
GHSA-9394-fqhw-qhr3
GHSA-cr6h-978m-qj75
GHSA-gw5f-7fqh-pvm6

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-4833-xmjg-923x/GHSA-4833-xmjg-923x.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4833-xmjg-923x",
+  "modified": "2026-02-16T06:31:29Z",
+  "published": "2026-02-16T06:31:29Z",
+  "aliases": [
+    "CVE-2026-2533"
+  ],
+  "details": "A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2533"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346121"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346121"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.748771"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.yuque.com/yuqueyonghuexlgkz/zepczx/depg9z4c5b1t4mgd"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T04:15:52Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-6xw9-2p64-7622/GHSA-6xw9-2p64-7622.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xw9-2p64-7622",
+  "modified": "2026-02-16T06:31:29Z",
+  "published": "2026-02-16T06:31:29Z",
+  "aliases": [
+    "CVE-2026-2531"
+  ],
+  "details": "A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2531"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mindsdb/mindsdb/issues/12163"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mindsdb/mindsdb/pull/12213"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/themavik/mindsdb/commit/74d6f0fd4b630218519a700fbee1c05c7fd4b1ed"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mindsdb/mindsdb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346119"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346119"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.748219"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T04:15:51Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7364-56q4-9jv8/GHSA-7364-56q4-9jv8.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7364-56q4-9jv8",
+  "modified": "2026-02-16T06:31:29Z",
+  "published": "2026-02-16T06:31:29Z",
+  "aliases": [
+    "CVE-2026-2535"
+  ],
+  "details": "A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2535"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jinhao118/cve/blob/main/ComFast%20Router_2.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346123"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346123"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.748784"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T05:16:07Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7r5x-3969-58xr/GHSA-7r5x-3969-58xr.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7r5x-3969-58xr",
+  "modified": "2026-02-16T06:31:29Z",
+  "published": "2026-02-16T06:31:29Z",
+  "aliases": [
+    "CVE-2026-2532"
+  ],
+  "details": "A vulnerability was detected in lintsinghua DeepAudit up to 3.0.3. This issue affects some unknown processing of the file backend/app/api/v1/endpoints/embedding_config.py of the component IP Address Handler. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.0.4 and 3.1.0 is capable of addressing this issue. The patch is named da853fdd8cbe9d42053b45d83f25708ba29b8b27. It is suggested to upgrade the affected component.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2532"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lintsinghua/DeepAudit/issues/144"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lintsinghua/DeepAudit/pull/145"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lintsinghua/DeepAudit/commit/da853fdd8cbe9d42053b45d83f25708ba29b8b27"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lintsinghua/DeepAudit"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lintsinghua/DeepAudit/releases/tag/v3.0.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346120"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346120"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.748220"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T04:15:52Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-86c5-9jxx-m8g7/GHSA-86c5-9jxx-m8g7.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-86c5-9jxx-m8g7",
+  "modified": "2026-02-16T06:31:29Z",
+  "published": "2026-02-16T06:31:29Z",
+  "aliases": [
+    "CVE-2026-2530"
+  ],
+  "details": "A weakness has been identified in Wavlink WL-WN579A3 up to 20210219. This affects the function AddMac of the file /cgi-bin/wireless.cgi. This manipulation of the argument macAddr causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2530"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/AddMac.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346118"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346118"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.748077"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T04:15:51Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-9394-fqhw-qhr3/GHSA-9394-fqhw-qhr3.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9394-fqhw-qhr3",
+  "modified": "2026-02-16T06:31:29Z",
+  "published": "2026-02-16T06:31:29Z",
+  "aliases": [
+    "CVE-2026-2537"
+  ],
+  "details": "A vulnerability was identified in Comfast CF-E4 2.6.0.1. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component HTTP POST Request Handler. Such manipulation of the argument timestr leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2537"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cha0yang1/COMFAST/blob/main/RCE.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.346125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.346125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.749196"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T06:16:22Z"
+  }
+}