Publish Advisories

GHSA-2g8j-hf3c-6cc2
GHSA-42v3-8vjx-xjp9
GHSA-55fx-hxx2-342g
GHSA-6jvr-846q-v6m3
GHSA-6p5q-jjvw-vg9p
GHSA-6rfh-4m76-4764
GHSA-ccfc-w7hx-qcqw
GHSA-gmhr-3cxv-5pw9
GHSA-gr63-2w3v-w2gp
GHSA-j34r-x4fp-8j3c
GHSA-p6qv-grc7-2v6h
GHSA-pf42-2vwp-g7x9
GHSA-w77x-v6v5-9x28
GHSA-xhhj-c5c5-55qx
GHSA-xj4j-qqwc-95gc

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-2g8j-hf3c-6cc2/GHSA-2g8j-hf3c-6cc2.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2g8j-hf3c-6cc2",
+  "modified": "2026-03-12T06:31:37Z",
+  "published": "2026-03-12T06:31:37Z",
+  "aliases": [
+    "CVE-2026-3982"
+  ],
+  "details": "A vulnerability was determined in itsourcecode University Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_result.php. Executing a manipulation of the argument vr can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3982"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/PIPIzzz1/aaa/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.350417"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.350417"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.769668"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-12T05:16:14Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-42v3-8vjx-xjp9/GHSA-42v3-8vjx-xjp9.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-42v3-8vjx-xjp9",
+  "modified": "2026-03-12T06:31:37Z",
+  "published": "2026-03-12T06:31:37Z",
+  "aliases": [
+    "CVE-2026-3993"
+  ],
+  "details": "A security vulnerability has been detected in itsourcecode Payroll Management System 1.0. This vulnerability affects unknown code of the file /manage_employee_deductions.php. Such manipulation of the argument ID leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3993"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ltranquility/cve_submit/issues/11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.350475"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.350475"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.769749"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-12T06:16:31Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-55fx-hxx2-342g/GHSA-55fx-hxx2-342g.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-55fx-hxx2-342g",
+  "modified": "2026-03-12T06:31:37Z",
+  "published": "2026-03-12T06:31:37Z",
+  "aliases": [
+    "CVE-2025-15473"
+  ],
+  "details": "The Timetics  WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the \"timetics-booking\" custom post type.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15473"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/f355e4ac-7aa6-4c5b-b1e5-b37937156583"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-12T06:16:30Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6jvr-846q-v6m3/GHSA-6jvr-846q-v6m3.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6jvr-846q-v6m3",
+  "modified": "2026-03-12T06:31:37Z",
+  "published": "2026-03-12T06:31:37Z",
+  "aliases": [
+    "CVE-2026-2687"
+  ],
+  "details": "The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2687"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-12T06:16:30Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6p5q-jjvw-vg9p/GHSA-6p5q-jjvw-vg9p.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6p5q-jjvw-vg9p",
+  "modified": "2026-03-12T06:31:36Z",
+  "published": "2026-03-12T06:31:36Z",
+  "aliases": [
+    "CVE-2026-3977"
+  ],
+  "details": "A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3977"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/projectsend/projectsend/issues/1525"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/projectsend/projectsend/issues/1525#issuecomment-3957109914"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/projectsend/projectsend/commit/35dfd6f08f7d517709c77ee73e57367141107e6b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/projectsend/projectsend"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.350412"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.350412"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-12T04:16:39Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6rfh-4m76-4764/GHSA-6rfh-4m76-4764.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6rfh-4m76-4764",
-  "modified": "2026-03-12T03:31:06Z",
+  "modified": "2026-03-12T06:31:36Z",
   "published": "2026-03-12T03:31:06Z",
   "aliases": [
     "CVE-2025-15038"

advisories/unreviewed/2026/03/GHSA-ccfc-w7hx-qcqw/GHSA-ccfc-w7hx-qcqw.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ccfc-w7hx-qcqw",
+  "modified": "2026-03-12T06:31:36Z",
+  "published": "2026-03-12T06:31:36Z",
+  "aliases": [
+    "CVE-2026-3978"
+  ],
+  "details": "A vulnerability was detected in D-Link DIR-513 1.10. The impacted element is an unknown function of the file /goform/formEasySetupWizard3. The manipulation of the argument wan_connected results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3978"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vul_db/blob/main/Dir513/vul_21/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.350413"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.350413"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.769586"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-12T04:16:40Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-gmhr-3cxv-5pw9/GHSA-gmhr-3cxv-5pw9.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gmhr-3cxv-5pw9",
+  "modified": "2026-03-12T06:31:37Z",
+  "published": "2026-03-12T06:31:37Z",
+  "aliases": [
+    "CVE-2026-3983"
+  ],
+  "details": "A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. The manipulation of the argument game_name results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3983"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/LaneyYu/cve/issues/10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.350419"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.350419"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.769720"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.campcodes.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-12T06:16:30Z"
+  }
+}