Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit bd1e3a722ccf · 2026-04-13T00:32:39.000Z
GHSA-2972-7g9m-9qv2 GHSA-4gxr-jwfr-c55p GHSA-5vgp-j4vv-gfwx GHSA-6469-mcff-f6m6 GHSA-f23m-grxv-hrqj GHSA-g7p4-8pj8-9c46 GHSA-h97j-2863-fhw4 GHSA-mfv2-j96x-vw56 GHSA-wf8p-3rw2-5hv3
diff --git a/advisories/unreviewed/2026/04/GHSA-2972-7g9m-9qv2/GHSA-2972-7g9m-9qv2.json b/advisories/unreviewed/2026/04/GHSA-2972-7g9m-9qv2/GHSA-2972-7g9m-9qv2.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2972-7g9m-9qv2",
+  "modified": "2026-04-13T00:30:28Z",
+  "published": "2026-04-13T00:30:28Z",
+  "aliases": [
+    "CVE-2026-6136"
+  ],
+  "details": "A security vulnerability has been detected in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6136"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Jimi-Lab/cve/issues/21"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792880"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/357000"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/357000/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T00:16:21Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-4gxr-jwfr-c55p/GHSA-4gxr-jwfr-c55p.json b/advisories/unreviewed/2026/04/GHSA-4gxr-jwfr-c55p/GHSA-4gxr-jwfr-c55p.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4gxr-jwfr-c55p",
+  "modified": "2026-04-13T00:30:29Z",
+  "published": "2026-04-13T00:30:29Z",
+  "aliases": [
+    "CVE-2026-6138"
+  ],
+  "details": "A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6138"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_191/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792980"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/357002"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/357002/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T00:16:21Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-5vgp-j4vv-gfwx/GHSA-5vgp-j4vv-gfwx.json b/advisories/unreviewed/2026/04/GHSA-5vgp-j4vv-gfwx/GHSA-5vgp-j4vv-gfwx.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5vgp-j4vv-gfwx",
+  "modified": "2026-04-13T00:30:28Z",
+  "published": "2026-04-13T00:30:28Z",
+  "aliases": [
+    "CVE-2026-6133"
+  ],
+  "details": "A vulnerability was identified in Tenda F451 1.0.0.7_cn_svn7958. This affects the function fromSafeUrlFilter of the file /goform/SafeUrlFilter. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6133"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Jimi-Lab/cve/issues/17"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792875"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356997"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356997/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T23:16:26Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-6469-mcff-f6m6/GHSA-6469-mcff-f6m6.json b/advisories/unreviewed/2026/04/GHSA-6469-mcff-f6m6/GHSA-6469-mcff-f6m6.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6469-mcff-f6m6",
+  "modified": "2026-04-13T00:30:28Z",
+  "published": "2026-04-13T00:30:28Z",
+  "aliases": [
+    "CVE-2026-6132"
+  ],
+  "details": "A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6132"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_183/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792252"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356996"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356996/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T23:16:25Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-f23m-grxv-hrqj/GHSA-f23m-grxv-hrqj.json b/advisories/unreviewed/2026/04/GHSA-f23m-grxv-hrqj/GHSA-f23m-grxv-hrqj.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f23m-grxv-hrqj",
+  "modified": "2026-04-13T00:30:29Z",
+  "published": "2026-04-13T00:30:28Z",
+  "aliases": [
+    "CVE-2026-6137"
+  ],
+  "details": "A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromAdvSetWan of the file /goform/AdvSetWan. The manipulation of the argument wanmode/PPPOEPassword results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6137"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Jimi-Lab/cve/issues/22"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792881"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/357001"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/357001/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T00:16:21Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-g7p4-8pj8-9c46/GHSA-g7p4-8pj8-9c46.json b/advisories/unreviewed/2026/04/GHSA-g7p4-8pj8-9c46/GHSA-g7p4-8pj8-9c46.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g7p4-8pj8-9c46",
+  "modified": "2026-04-13T00:30:28Z",
+  "published": "2026-04-13T00:30:28Z",
+  "aliases": [
+    "CVE-2026-6131"
+  ],
+  "details": "A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6131"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_182/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792251"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356995"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356995/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T23:16:25Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-h97j-2863-fhw4/GHSA-h97j-2863-fhw4.json b/advisories/unreviewed/2026/04/GHSA-h97j-2863-fhw4/GHSA-h97j-2863-fhw4.json
diff --git a/advisories/unreviewed/2026/04/GHSA-mfv2-j96x-vw56/GHSA-mfv2-j96x-vw56.json b/advisories/unreviewed/2026/04/GHSA-mfv2-j96x-vw56/GHSA-mfv2-j96x-vw56.json
diff --git a/advisories/unreviewed/2026/04/GHSA-wf8p-3rw2-5hv3/GHSA-wf8p-3rw2-5hv3.json b/advisories/unreviewed/2026/04/GHSA-wf8p-3rw2-5hv3/GHSA-wf8p-3rw2-5hv3.json
