Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2026/05/GHSA-2ch8-2mw7-grmm/GHSA-2ch8-2mw7-grmm.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2ch8-2mw7-grmm",
+  "modified": "2026-05-07T15:38:40Z",
+  "published": "2026-05-07T15:38:40Z",
+  "aliases": [
+    "CVE-2026-8092"
+  ],
+  "details": "Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8092"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1806249%2C2021977%2C2022576%2C2022722%2C2024439%2C2027883%2C2029463%2C2030323%2C2032042%2C2032043%2C2033270%2C2033637%2C2034422%2C2034496%2C2035879%2C2036516"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mozilla.org/security/advisories/mfsa2026-40"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mozilla.org/security/advisories/mfsa2026-41"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mozilla.org/security/advisories/mfsa2026-42"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T13:16:14Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-2xx6-qf7x-grqh/GHSA-2xx6-qf7x-grqh.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2xx6-qf7x-grqh",
+  "modified": "2026-05-07T15:38:41Z",
+  "published": "2026-05-07T15:38:41Z",
+  "aliases": [
+    "CVE-2025-63706"
+  ],
+  "details": "NPM package next-npm-version1.0.1 is vulnerable to Command injection.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63706"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/afeiship/next-npm-version/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/6en6ar/607368f1fc8fe429f03c6e0d9486ba72"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.npmjs.com/package/@jswork/next-npm-version"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T15:16:04Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-4345-ccpc-8955/GHSA-4345-ccpc-8955.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4345-ccpc-8955",
+  "modified": "2026-05-07T15:38:40Z",
+  "published": "2026-05-07T15:38:40Z",
+  "aliases": [
+    "CVE-2026-8090"
+  ],
+  "details": "Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8090"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2034352"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mozilla.org/security/advisories/mfsa2026-40"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mozilla.org/security/advisories/mfsa2026-41"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mozilla.org/security/advisories/mfsa2026-42"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T13:16:13Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-568w-37qx-3qc6/GHSA-568w-37qx-3qc6.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-568w-37qx-3qc6",
+  "modified": "2026-05-07T15:38:42Z",
+  "published": "2026-05-07T15:38:42Z",
+  "aliases": [
+    "CVE-2026-42011"
+  ],
+  "details": "A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42011"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-42011"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467437"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T15:16:09Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-5ghx-9783-29rc/GHSA-5ghx-9783-29rc.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5ghx-9783-29rc",
+  "modified": "2026-05-07T15:38:40Z",
+  "published": "2026-05-07T15:38:40Z",
+  "aliases": [
+    "CVE-2026-8094"
+  ],
+  "details": "Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8094"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2035939"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mozilla.org/security/advisories/mfsa2026-41"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T13:16:14Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-7h2m-m8vj-598h/GHSA-7h2m-m8vj-598h.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7h2m-m8vj-598h",
-  "modified": "2026-05-05T18:33:24Z",
+  "modified": "2026-05-07T15:38:31Z",
   "published": "2026-05-05T18:33:24Z",
   "aliases": [
     "CVE-2026-35192"
   ],
   "details": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nResponse headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/05/GHSA-8f47-4rh3-x44m/GHSA-8f47-4rh3-x44m.json

@@ -42,7 +42,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-200"
+      "CWE-200",
+      "CWE-312"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2026/05/GHSA-8jh2-3mw6-6pfm/GHSA-8jh2-3mw6-6pfm.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8jh2-3mw6-6pfm",
+  "modified": "2026-05-07T15:38:41Z",
+  "published": "2026-05-07T15:38:41Z",
+  "aliases": [
+    "CVE-2025-63705"
+  ],
+  "details": "NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63705"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/6en6ar/a2ac44da0f4e580190be3e66cfbb9a4a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.npmjs.com/package/node-ts-ocr"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T15:16:04Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-9439-7mjc-q3p7/GHSA-9439-7mjc-q3p7.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9439-7mjc-q3p7",
+  "modified": "2026-05-07T15:38:40Z",
+  "published": "2026-05-07T15:38:40Z",
+  "aliases": [
+    "CVE-2025-14341"
+  ],
+  "details": "Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding.\n\nThis issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14341"
+    },
+    {
+      "type": "WEB",
+      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T14:16:00Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-c3xh-mwgm-9f7j/GHSA-c3xh-mwgm-9f7j.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c3xh-mwgm-9f7j",
+  "modified": "2026-05-07T15:38:42Z",
+  "published": "2026-05-07T15:38:42Z",
+  "aliases": [
+    "CVE-2026-36458"
+  ],
+  "details": "ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36458"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/errors11/CVE/blob/main/CVE-2026-36458.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liweiyi/ChestnutCMS.git"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T15:16:05Z"
+  }
+}