Publish Advisories

GHSA-3fw3-6c7h-733m
GHSA-49rw-2cx9-hjm3
GHSA-6932-6g42-m69h
GHSA-frh5-x99h-w9g9
GHSA-g599-67fp-qhgv
GHSA-jqqw-37x4-9rwj
GHSA-m686-8xw7-xqg8
GHSA-q7pg-xjgf-wr6f
GHSA-qc3j-w6xm-rcvh
GHSA-rf4q-qfjf-vw22
GHSA-wj59-xw95-68pp

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-3fw3-6c7h-733m/GHSA-3fw3-6c7h-733m.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3fw3-6c7h-733m",
+  "modified": "2026-04-12T06:30:27Z",
+  "published": "2026-04-12T06:30:27Z",
+  "aliases": [
+    "CVE-2026-6116"
+  ],
+  "details": "A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6116"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_181/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792249"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356976"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356976/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T05:16:01Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-49rw-2cx9-hjm3/GHSA-49rw-2cx9-hjm3.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-49rw-2cx9-hjm3",
+  "modified": "2026-04-12T06:30:27Z",
+  "published": "2026-04-12T06:30:27Z",
+  "aliases": [
+    "CVE-2026-6112"
+  ],
+  "details": "A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument maxRtrAdvInterval causes os command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6112"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_177/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792245"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356972"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356972/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T04:16:47Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-6932-6g42-m69h/GHSA-6932-6g42-m69h.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6932-6g42-m69h",
+  "modified": "2026-04-12T06:30:27Z",
+  "published": "2026-04-12T06:30:27Z",
+  "aliases": [
+    "CVE-2026-6113"
+  ],
+  "details": "A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTtyServiceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument ttyEnable leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6113"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_178/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792246"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356973"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356973/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T04:16:49Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-frh5-x99h-w9g9/GHSA-frh5-x99h-w9g9.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-frh5-x99h-w9g9",
+  "modified": "2026-04-12T06:30:28Z",
+  "published": "2026-04-12T06:30:28Z",
+  "aliases": [
+    "CVE-2026-6120"
+  ],
+  "details": "A vulnerability was detected in Tenda F451 1.0.0.7. Affected is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6120"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Jimi-Lab/cve/issues/11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792864"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356983"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356983/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T06:16:22Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-g599-67fp-qhgv/GHSA-g599-67fp-qhgv.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g599-67fp-qhgv",
+  "modified": "2026-04-12T06:30:27Z",
+  "published": "2026-04-12T06:30:27Z",
+  "aliases": [
+    "CVE-2026-6118"
+  ],
+  "details": "A vulnerability was determined in AstrBotDevs AstrBot up to 4.22.1. Impacted is the function add_mcp_server of the file astrbot/dashboard/routes/tools.py of the component MCP Endpoint. This manipulation of the argument command causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6118"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AstrBotDevs/AstrBot/issues/7169"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AstrBotDevs/AstrBot"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792655"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356978"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356978/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T05:16:01Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-jqqw-37x4-9rwj/GHSA-jqqw-37x4-9rwj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jqqw-37x4-9rwj",
-  "modified": "2026-04-12T03:30:24Z",
+  "modified": "2026-04-12T06:30:27Z",
   "published": "2026-04-06T18:33:08Z",
   "aliases": [
     "CVE-2026-5704"
@@ -34,6 +34,10 @@
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2026/04/11/11"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/12/2"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/04/GHSA-m686-8xw7-xqg8/GHSA-m686-8xw7-xqg8.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m686-8xw7-xqg8",
+  "modified": "2026-04-12T06:30:27Z",
+  "published": "2026-04-12T06:30:27Z",
+  "aliases": [
+    "CVE-2026-6119"
+  ],
+  "details": "A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function post_data.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6119"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AstrBotDevs/AstrBot/issues/7171"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AstrBotDevs/AstrBot"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792661"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356979"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356979/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-12T06:16:21Z"
+  }
+}