Publish Advisories

GHSA-hrx4-rccm-xj6c
GHSA-35x7-r658-wx7f
GHSA-3fqx-3cg9-chg9
GHSA-4r52-fgmg-vqxc
GHSA-4v7c-97mg-h3wh
GHSA-5w3f-m935-fxvq
GHSA-6hjh-5rvg-rp2f
GHSA-7693-hmcm-7whx
GHSA-77v4-gvxh-3ccf
GHSA-827f-mrm2-f6xh
GHSA-8fr6-83vj-w7xh
GHSA-9284-m2hp-cfp4
GHSA-jxpv-ww5c-x2c3
GHSA-wc4c-6r77-mp37

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-hrx4-rccm-xj6c/GHSA-hrx4-rccm-xj6c.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hrx4-rccm-xj6c",
-  "modified": "2026-02-17T12:31:07Z",
+  "modified": "2026-02-26T09:30:27Z",
   "published": "2025-12-05T18:31:11Z",
   "aliases": [
     "CVE-2025-14104"
@@ -47,6 +47,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:2800"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:3406"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-14104"

advisories/unreviewed/2026/02/GHSA-35x7-r658-wx7f/GHSA-35x7-r658-wx7f.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-35x7-r658-wx7f",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1698"
+  ],
+  "details": "A HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior.\n\nThis vulnerability only affects the endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback and /Authentication/Logout\nof the WebClient and WebScheduler web apps.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1698"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pcvue.com/security/#SB2026-2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-644"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T08:16:19Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-3fqx-3cg9-chg9/GHSA-3fqx-3cg9-chg9.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3fqx-3cg9-chg9",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1692"
+  ],
+  "details": "A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website.\n\nThis vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1692"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pcvue.com/security/#SB2026-2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1385"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T08:16:18Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-4r52-fgmg-vqxc/GHSA-4r52-fgmg-vqxc.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4r52-fgmg-vqxc",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1696"
+  ],
+  "details": "Some HTTP security headers are not properly set by the web server when sending responses to the client application.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1696"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pcvue.com/security/#SB2026-2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T08:16:19Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-4v7c-97mg-h3wh/GHSA-4v7c-97mg-h3wh.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4v7c-97mg-h3wh",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1697"
+  ],
+  "details": "The Secure and SameSite attribute are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 included.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1697"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pcvue.com/security/#SB2026-2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-614"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T08:16:19Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-5w3f-m935-fxvq/GHSA-5w3f-m935-fxvq.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5w3f-m935-fxvq",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1693"
+  ],
+  "details": "The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1693"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pcvue.com/security/#SB2026-2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-477"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T08:16:18Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-6hjh-5rvg-rp2f/GHSA-6hjh-5rvg-rp2f.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6hjh-5rvg-rp2f",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1694"
+  ],
+  "details": "HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It unnecessarily exposes sensitive information about the server configuration.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1694"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pcvue.com/security/#SB2026-2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-201"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T08:16:18Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7693-hmcm-7whx/GHSA-7693-hmcm-7whx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7693-hmcm-7whx",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1695"
+  ],
+  "details": "An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to trick a legitimate user into loading content from another site upon unsuccessful user authentication on an unknown application (unknown client_id).\n\nThis vulnerability only affects the error page of the OAuth server.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1695"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.pcvue.com/security/#SB2026-2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T08:16:19Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-77v4-gvxh-3ccf/GHSA-77v4-gvxh-3ccf.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-77v4-gvxh-3ccf",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-28132"
+  ],
+  "details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection.This issue affects WooCommerce Photo Reviews: from n/a through <= 1.4.4.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28132"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-photo-reviews/vulnerability/wordpress-woocommerce-photo-reviews-plugin-1-4-4-content-injection-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-80"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T09:16:15Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-827f-mrm2-f6xh/GHSA-827f-mrm2-f6xh.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-827f-mrm2-f6xh",
+  "modified": "2026-02-26T09:30:27Z",
+  "published": "2026-02-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-28131"
+  ],
+  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.This issue affects Elementor Addon Elements: from n/a through <= 1.14.4.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28131"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-14-4-sensitive-data-exposure-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-201"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-26T09:16:15Z"
+  }
+}