github
diff --git a/‎advisories/unreviewed/2026/02/GHSA-2444-5vx9-4q2f/GHSA-2444-5vx9-4q2f.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/02/GHSA-2444-5vx9-4q2f/GHSA-2444-5vx9-4q2f.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/02/GHSA-2wpq-gf9v-758w/GHSA-2wpq-gf9v-758w.json‎
Lines changed: 48 additions & 0 deletions b/‎advisories/unreviewed/2026/02/GHSA-2wpq-gf9v-758w/GHSA-2wpq-gf9v-758w.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/02/GHSA-48j5-wgv3-9c7p/GHSA-48j5-wgv3-9c7p.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/02/GHSA-48j5-wgv3-9c7p/GHSA-48j5-wgv3-9c7p.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/02/GHSA-58cm-5853-qxj5/GHSA-58cm-5853-qxj5.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/02/GHSA-58cm-5853-qxj5/GHSA-58cm-5853-qxj5.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/02/GHSA-6333-cc9f-9589/GHSA-6333-cc9f-9589.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/02/GHSA-6333-cc9f-9589/GHSA-6333-cc9f-9589.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/02/GHSA-6rfq-gmm4-49p9/GHSA-6rfq-gmm4-49p9.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/02/GHSA-6rfq-gmm4-49p9/GHSA-6rfq-gmm4-49p9.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/02/GHSA-8v3q-9fpq-83mr/GHSA-8v3q-9fpq-83mr.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/02/GHSA-8v3q-9fpq-83mr/GHSA-8v3q-9fpq-83mr.json‎
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2444-5vx9-4q2f",
+  "modified": "2026-02-15T15:31:31Z",
+  "published": "2026-02-15T15:31:31Z",
+  "aliases": [
+    "CVE-2019-25376"
+  ],
+  "details": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25376"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.opnsense.org/index.php?topic=11469.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://opnsense.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-proxy-endpoint"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-15T14:16:07Z"
+  }
+}
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2wpq-gf9v-758w",
+  "modified": "2026-02-15T15:31:31Z",
+  "published": "2026-02-15T15:31:31Z",
+  "aliases": [
+    "CVE-2019-25367"
+  ],
+  "details": "ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html to execute JavaScript in authenticated users' browsers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25367"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.arangodb.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46407"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/arangodb-community-edition-xss-via-aardvark-admin"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-15T14:16:05Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-48j5-wgv3-9c7p",
+  "modified": "2026-02-15T15:31:31Z",
+  "published": "2026-02-15T15:31:31Z",
+  "aliases": [
+    "CVE-2019-25368"
+  ],
+  "details": "OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25368"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.opnsense.org/index.php?topic=11469.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://opnsense.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-diagbackupphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-15T14:16:06Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-58cm-5853-qxj5",
+  "modified": "2026-02-15T15:31:31Z",
+  "published": "2026-02-15T15:31:31Z",
+  "aliases": [
+    "CVE-2019-25370"
+  ],
+  "details": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters to execute arbitrary JavaScript in users' browsers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25370"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.opnsense.org/index.php?topic=11469.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://opnsense.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-interfacesvlaneditphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-15T14:16:06Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6333-cc9f-9589",
+  "modified": "2026-02-15T15:31:31Z",
+  "published": "2026-02-15T15:31:31Z",
+  "aliases": [
+    "CVE-2019-25375"
+  ],
+  "details": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25375"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.opnsense.org/index.php?topic=11469.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://opnsense.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-monit-interface"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-15T14:16:07Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6rfq-gmm4-49p9",
+  "modified": "2026-02-15T15:31:31Z",
+  "published": "2026-02-15T15:31:31Z",
+  "aliases": [
+    "CVE-2019-25371"
+  ],
+  "details": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25371"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.opnsense.org/index.php?topic=11469.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://opnsense.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-diagpingphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-15T14:16:06Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8v3q-9fpq-83mr",
+  "modified": "2026-02-15T15:31:31Z",
+  "published": "2026-02-15T15:31:31Z",
+  "aliases": [
+    "CVE-2019-25372"
+  ],
+  "details": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25372"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.opnsense.org/index.php?topic=11469.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://opnsense.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46351"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-diagtraceroutephp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-15T14:16:06Z"
+  }
+}