Skip to content

Commit b4b199f

Browse files
Advisory Database Sync
1 parent 2c893da commit b4b199f

27 files changed

Lines changed: 991 additions & 13 deletions

File tree

advisories/unreviewed/2026/05/GHSA-xj25-753j-wgp9/GHSA-xj25-753j-wgp9.json renamed to advisories/github-reviewed/2026/05/GHSA-xj25-753j-wgp9/GHSA-xj25-753j-wgp9.json

Lines changed: 31 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,23 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xj25-753j-wgp9",
4-
"modified": "2026-05-26T21:31:37Z",
4+
"modified": "2026-06-24T21:31:45Z",
55
"published": "2026-05-22T00:31:17Z",
66
"aliases": [
77
"CVE-2026-8415"
88
],
9-
"details": "Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.",
9+
"summary": "Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder",
10+
"details": "Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder.",
1011
"severity": [
11-
{
12-
"type": "CVSS_V3",
13-
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
14-
},
1512
{
1613
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "concrete5/concrete5"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "9.0.0RC1"
29+
},
30+
{
31+
"fixed": "9.5.1"
32+
}
33+
]
34+
}
35+
]
1836
}
1937
],
20-
"affected": [],
2138
"references": [
2239
{
2340
"type": "ADVISORY",
@@ -26,15 +43,19 @@
2643
{
2744
"type": "WEB",
2845
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/concretecms/concretecms"
2950
}
3051
],
3152
"database_specific": {
3253
"cwe_ids": [
3354
"CWE-352"
3455
],
3556
"severity": "LOW",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-24T21:31:45Z",
3859
"nvd_published_at": "2026-05-21T22:16:51Z"
3960
}
4061
}

advisories/unreviewed/2026/03/GHSA-8hcj-8666-8jwh/GHSA-8hcj-8666-8jwh.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,17 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8hcj-8666-8jwh",
4-
"modified": "2026-03-10T18:31:18Z",
4+
"modified": "2026-06-24T21:30:40Z",
55
"published": "2026-03-10T18:31:18Z",
66
"aliases": [
77
"CVE-2025-11739"
88
],
99
"details": "CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.",
1010
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
14+
},
1115
{
1216
"type": "CVSS_V4",
1317
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-25hh-rw6j-95ch",
4+
"modified": "2026-06-24T21:30:43Z",
5+
"published": "2026-06-24T21:30:43Z",
6+
"aliases": [
7+
"CVE-2026-12760"
8+
],
9+
"details": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12760"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://www.tp-link.com/us/support/faq/5143"
33+
}
34+
],
35+
"database_specific": {
36+
"cwe_ids": [
37+
"CWE-770"
38+
],
39+
"severity": "HIGH",
40+
"github_reviewed": false,
41+
"github_reviewed_at": null,
42+
"nvd_published_at": "2026-06-24T19:17:08Z"
43+
}
44+
}
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-32q7-rqp9-688w",
4+
"modified": "2026-06-24T21:30:43Z",
5+
"published": "2026-06-24T21:30:43Z",
6+
"aliases": [
7+
"CVE-2026-13024"
8+
],
9+
"details": "Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13024"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://issues.chromium.org/issues/517148260"
29+
}
30+
],
31+
"database_specific": {
32+
"cwe_ids": [
33+
"CWE-20"
34+
],
35+
"severity": "MODERATE",
36+
"github_reviewed": false,
37+
"github_reviewed_at": null,
38+
"nvd_published_at": "2026-06-24T19:17:08Z"
39+
}
40+
}
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-37jm-qcw2-gcqg",
4+
"modified": "2026-06-24T21:30:44Z",
5+
"published": "2026-06-24T21:30:44Z",
6+
"aliases": [
7+
"CVE-2026-13032"
8+
],
9+
"details": "Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13032"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://issues.chromium.org/issues/523591974"
29+
}
30+
],
31+
"database_specific": {
32+
"cwe_ids": [
33+
"CWE-416"
34+
],
35+
"severity": "CRITICAL",
36+
"github_reviewed": false,
37+
"github_reviewed_at": null,
38+
"nvd_published_at": "2026-06-24T19:17:09Z"
39+
}
40+
}
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3mjj-7mcj-gxwq",
4+
"modified": "2026-06-24T21:30:43Z",
5+
"published": "2026-06-24T21:30:43Z",
6+
"aliases": [
7+
"CVE-2026-13022"
8+
],
9+
"details": "Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13022"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://issues.chromium.org/issues/516734537"
24+
}
25+
],
26+
"database_specific": {
27+
"cwe_ids": [],
28+
"severity": null,
29+
"github_reviewed": false,
30+
"github_reviewed_at": null,
31+
"nvd_published_at": "2026-06-24T19:17:08Z"
32+
}
33+
}
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3pfj-fj4c-9hh9",
4+
"modified": "2026-06-24T21:30:44Z",
5+
"published": "2026-06-24T21:30:44Z",
6+
"aliases": [
7+
"CVE-2026-13034"
8+
],
9+
"details": "Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13034"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://issues.chromium.org/issues/523699355"
29+
}
30+
],
31+
"database_specific": {
32+
"cwe_ids": [
33+
"CWE-346"
34+
],
35+
"severity": "MODERATE",
36+
"github_reviewed": false,
37+
"github_reviewed_at": null,
38+
"nvd_published_at": "2026-06-24T19:17:09Z"
39+
}
40+
}
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4mp6-2r26-5pw4",
4+
"modified": "2026-06-24T21:30:43Z",
5+
"published": "2026-06-24T21:30:43Z",
6+
"aliases": [
7+
"CVE-2026-13027"
8+
],
9+
"details": "Use after free in FileSystem in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13027"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://issues.chromium.org/issues/520543781"
29+
}
30+
],
31+
"database_specific": {
32+
"cwe_ids": [
33+
"CWE-416"
34+
],
35+
"severity": "HIGH",
36+
"github_reviewed": false,
37+
"github_reviewed_at": null,
38+
"nvd_published_at": "2026-06-24T19:17:08Z"
39+
}
40+
}

advisories/unreviewed/2026/06/GHSA-4rh3-rmh3-hv6h/GHSA-4rh3-rmh3-hv6h.json

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-4rh3-rmh3-hv6h",
4-
"modified": "2026-06-20T15:32:25Z",
4+
"modified": "2026-06-24T21:30:41Z",
55
"published": "2026-06-20T15:32:25Z",
66
"aliases": [
77
"CVE-2026-48939"
@@ -19,9 +19,21 @@
1919
"type": "ADVISORY",
2020
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48939"
2121
},
22+
{
23+
"type": "WEB",
24+
"url": "https://mysites.guru/blog/icagenda-zero-day-file-upload-rce"
25+
},
2226
{
2327
"type": "WEB",
2428
"url": "https://www.icagenda.com"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://www.icagenda.com/docs/changelog/icagenda-3-9-15"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://www.icagenda.com/docs/changelog/icagenda-4-0-8"
2537
}
2638
],
2739
"database_specific": {

0 commit comments

Comments
 (0)