Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-82cg-rxq8-hc7m/GHSA-82cg-rxq8-hc7m.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-82cg-rxq8-hc7m",
-  "modified": "2026-01-29T09:31:49Z",
+  "modified": "2026-02-11T21:30:29Z",
   "published": "2026-01-29T09:31:49Z",
   "aliases": [
     "CVE-2026-23563"

advisories/unreviewed/2026/02/GHSA-238q-xh37-pmhj/GHSA-238q-xh37-pmhj.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-238q-xh37-pmhj",
+  "modified": "2026-02-11T21:30:40Z",
+  "published": "2026-02-11T21:30:40Z",
+  "aliases": [
+    "CVE-2024-26477"
+  ],
+  "details": "An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazon_sns, export endpoints.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26477"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Ev3rR3d/Statping_Poc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Ev3rR3d/Statping_Poc/tree/main/CVE-2024-26477"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/statping-ng/statping-ng"
+    },
+    {
+      "type": "WEB",
+      "url": "https://statping-ng.github.io"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-11T20:16:05Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-28wx-v484-3qch/GHSA-28wx-v484-3qch.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-28wx-v484-3qch",
-  "modified": "2026-02-08T15:30:58Z",
+  "modified": "2026-02-11T21:30:35Z",
   "published": "2026-02-08T15:30:58Z",
   "aliases": [
     "CVE-2026-2152"
@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-77"
+      "CWE-77",
+      "CWE-78"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2026/02/GHSA-2ffm-9xhq-mwc8/GHSA-2ffm-9xhq-mwc8.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2ffm-9xhq-mwc8",
+  "modified": "2026-02-11T21:30:42Z",
+  "published": "2026-02-11T21:30:42Z",
+  "aliases": [
+    "CVE-2020-37210"
+  ],
+  "details": "SpotIE 2.9.5 contains a denial of service vulnerability in the registration key input that allows attackers to crash the application. Attackers can generate a 1000-character buffer payload and paste it into the 'Key' field to trigger an application crash.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37210"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47855"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/spotie-key-denial-of-service"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.nsauditor.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-11T21:16:16Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2g4f-4pwh-qvx6",
+  "modified": "2026-02-11T21:30:39Z",
+  "published": "2026-02-11T21:30:39Z",
+  "aliases": [
+    "CVE-2025-69873"
+  ],
+  "details": "ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-11T19:15:50Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-2prw-jcj2-h5xf/GHSA-2prw-jcj2-h5xf.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2prw-jcj2-h5xf",
+  "modified": "2026-02-11T21:30:40Z",
+  "published": "2026-02-11T21:30:39Z",
+  "aliases": [
+    "CVE-2026-2318"
+  ],
+  "details": "Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2318"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/363930141"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-11T19:15:51Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-32vw-wgfh-pxr5/GHSA-32vw-wgfh-pxr5.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-32vw-wgfh-pxr5",
-  "modified": "2026-02-03T21:31:51Z",
+  "modified": "2026-02-11T21:30:33Z",
   "published": "2026-02-03T21:31:51Z",
   "aliases": [
     "CVE-2025-62501"
   ],
   "details": "SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/02/GHSA-349p-7f27-qvx8/GHSA-349p-7f27-qvx8.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-349p-7f27-qvx8",
+  "modified": "2026-02-11T21:30:40Z",
+  "published": "2026-02-11T21:30:40Z",
+  "aliases": [
+    "CVE-2020-37173"
+  ],
+  "details": "AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37173"
+    },
+    {
+      "type": "WEB",
+      "url": "https://avideo.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47997"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/avideo-platform-information-disclosure-user-enumeration"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-359"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-11T21:16:10Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-34wv-c7h9-3524/GHSA-34wv-c7h9-3524.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-34wv-c7h9-3524",
+  "modified": "2026-02-11T21:30:42Z",
+  "published": "2026-02-11T21:30:42Z",
+  "aliases": [
+    "CVE-2020-37212"
+  ],
+  "details": "SpotMSN 2.4.6 contains a denial of service vulnerability in the registration name input field that allows attackers to crash the application. Attackers can generate a 1000-character payload and paste it into the 'Name' field to trigger an application crash.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37212"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47869"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/spotmsn-name-denial-of-service"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.nsauditor.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-11T21:16:16Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-35f2-992w-gmjg/GHSA-35f2-992w-gmjg.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-35f2-992w-gmjg",
+  "modified": "2026-02-11T21:30:42Z",
+  "published": "2026-02-11T21:30:42Z",
+  "aliases": [
+    "CVE-2020-37208"
+  ],
+  "details": "SpotFTP 3.0.0.0 contains a buffer overflow vulnerability in the registration key input field that allows attackers to crash the application. Attackers can generate a 1000-character payload and paste it into the 'Key' field to trigger an application crash and denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37208"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/47849"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/spotftp-ftp-password-recovery-key-denial-of-service"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.nsauditor.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-11T21:16:16Z"
+  }
+}