Publish Advisories

GHSA-mmpx-jh39-wrv6
GHSA-55jc-jj35-fw6c
GHSA-23v5-vgf6-5452
GHSA-2jfv-r29r-j6wr
GHSA-62w9-2w47-xvhj
GHSA-7cv5-2ch3-g323
GHSA-94jg-w625-jq92
GHSA-h9h9-phrr-4q27
GHSA-rprm-6mg6-r8fm
GHSA-w3xc-h2ch-2q3q
GHSA-wg4g-3863-r8m4
GHSA-x96p-55v7-jmrq

Author: advisory-database[bot]

advisories/github-reviewed/2026/05/GHSA-mmpx-jh39-wrv6/GHSA-mmpx-jh39-wrv6.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mmpx-jh39-wrv6",
+  "modified": "2026-05-07T03:29:43Z",
+  "published": "2026-05-07T03:29:43Z",
+  "aliases": [],
+  "summary": "FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)",
+  "details": "## Summary\n\nFileBrowser Quantum serves inline SVG files without a `Content-Security-Policy` header, allowing embedded JavaScript in SVG files to execute when accessed via public share links.\n\nVerified on v1.3.0-stable.\n\n## Affected product\n\n- **Product:** FileBrowser Quantum (`gtsteffaniak/filebrowser`)\n- **Verified version:** v1.3.0-stable\n- **Docker image:** gtstef/filebrowser:latest\n- **Affected endpoint:** `GET /public/api/resources/download?hash=HASH&inline=true`\n- **CWE:** CWE-79 — Cross-site Scripting (Stored)\n\n## Impact\n\n- **Stored XSS** — Malicious SVG persists and executes for every visitor to the share link\n- **No authentication required to trigger** — Public share links are accessible to anyone\n- **Session hijacking** — If authenticated users click the link, their session can be stolen\n- **Phishing** — Attacker can redirect or overlay fake login forms\n\n## Reproduction\n\n1. Login as any user with upload permission\n2. Upload SVG file:\n   ```xml\n   <svg xmlns=\"http://www.w3.org/2000/svg\">\n     <script>alert(document.domain)</script>\n   </svg>\n   ```\n3. Create public share for the file\n4. Access the share link with `?inline=true`\n5. JavaScript executes in browser\n\n## Root cause\n\nThe inline download endpoint returns SVG files with:\n```\nContent-Type: image/svg+xml\nContent-Disposition: inline; filename=\"xss.svg\"\nX-Content-Type-Options: nosniff\n```\n\nBut no CSP header to block script execution. The upstream project (filebrowser/filebrowser) mitigates this with:\n```\nContent-Security-Policy: script-src 'none'\n```\n\n## Suggested fix\n\nAdd CSP header on inline file downloads:\n\n```go\nw.Header().Set(\"Content-Security-Policy\", \"script-src 'none'\")\n```\n\nThis matches the upstream filebrowser/filebrowser implementation.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/gtsteffaniak/filebrowser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260501184955-6bfc3974192e"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-mmpx-jh39-wrv6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gtsteffaniak/filebrowser/commit/6bfc3974192e954f71cc5d1cd04baaaec3b76383"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/gtsteffaniak/filebrowser"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-07T03:29:43Z",
+    "nvd_published_at": null
+  }
+}

advisories/unreviewed/2026/04/GHSA-55jc-jj35-fw6c/GHSA-55jc-jj35-fw6c.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-55jc-jj35-fw6c",
-  "modified": "2026-04-27T15:30:52Z",
+  "modified": "2026-05-07T03:31:19Z",
   "published": "2026-04-27T15:30:52Z",
   "aliases": [
     "CVE-2026-6265"
   ],
   "details": "Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation.This issue has been resolved in Cerberus FTP Server: 2026.1",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/05/GHSA-23v5-vgf6-5452/GHSA-23v5-vgf6-5452.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-23v5-vgf6-5452",
-  "modified": "2026-05-01T15:30:35Z",
+  "modified": "2026-05-07T03:31:20Z",
   "published": "2026-05-01T15:30:35Z",
   "aliases": [
     "CVE-2026-31776"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Fix missing SPDIFI1 index handling\n\nSPDIF1 DAIO type isn't properly handled in daio_device_index() for\nhw20k2, and it returned -EINVAL, which ended up with the out-of-bounds\narray access.  Follow the hw20k1 pattern and return the proper index\nfor this type, too.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -48,8 +53,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-129"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-05-01T15:16:40Z"

advisories/unreviewed/2026/05/GHSA-2jfv-r29r-j6wr/GHSA-2jfv-r29r-j6wr.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2jfv-r29r-j6wr",
+  "modified": "2026-05-07T03:31:21Z",
+  "published": "2026-05-07T03:31:21Z",
+  "aliases": [
+    "CVE-2026-40003"
+  ],
+  "details": "ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40003"
+    },
+    {
+      "type": "WEB",
+      "url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T02:16:03Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-62w9-2w47-xvhj/GHSA-62w9-2w47-xvhj.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-62w9-2w47-xvhj",
+  "modified": "2026-05-07T03:31:21Z",
+  "published": "2026-05-07T03:31:21Z",
+  "aliases": [
+    "CVE-2026-6222"
+  ],
+  "details": "The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6222"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L1008"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L951"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-data.php#L141"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.52/admin/abstracts/class-admin-module-edit-page.php#L988"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L1008"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L951"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-data.php#L141"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e860aa70-b8ef-4b2a-a035-b01efce30a79?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T02:16:37Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-7cv5-2ch3-g323/GHSA-7cv5-2ch3-g323.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7cv5-2ch3-g323",
+  "modified": "2026-05-07T03:31:21Z",
+  "published": "2026-05-07T03:31:21Z",
+  "aliases": [
+    "CVE-2026-44600"
+  ],
+  "details": "Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44600"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.torproject.org/c/news/tor-release-announcement/28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a198185ed863677d60eec120126730628dac35bb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.torproject.org/tpo/core/tor/-/work_items/41251"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2026/05/06/8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-696"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T03:16:08Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-94jg-w625-jq92/GHSA-94jg-w625-jq92.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-94jg-w625-jq92",
+  "modified": "2026-05-07T03:31:21Z",
+  "published": "2026-05-07T03:31:21Z",
+  "aliases": [
+    "CVE-2026-44597"
+  ],
+  "details": "Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44597"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.torproject.org/c/news/tor-release-announcement/28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/8f98054b1982d00a14639864d03e9afd90b87481"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.torproject.org/tpo/core/tor/-/work_items/41254"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2026/05/06/8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-684"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T01:16:01Z"
+  }
+}

advisories/unreviewed/2026/05/GHSA-h9h9-phrr-4q27/GHSA-h9h9-phrr-4q27.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h9h9-phrr-4q27",
-  "modified": "2026-05-01T15:30:35Z",
+  "modified": "2026-05-07T03:31:20Z",
   "published": "2026-05-01T15:30:35Z",
   "aliases": [
     "CVE-2026-31775"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Don't enumerate SPDIF1 at DAIO initialization\n\nThe recent refactoring of xfi driver changed the assignment of\natc->daios[] at atc_get_resources(); now it loops over all enum\nDAIOTYP entries while it looped formerly only a part of them.\nThe problem is that the last entry, SPDIF1, is a special type that\nis used only for hw20k1 CTSB073X model (as a replacement of SPDIFIO),\nand there is no corresponding definition for hw20k2.  Due to the lack\nof the info, it caused a kernel crash on hw20k2, which was already\nworked around by the commit b045ab3dff97 (\"ALSA: ctxfi: Fix missing\nSPDIFI1 index handling\").\n\nThis patch addresses the root cause of the regression above properly,\nsimply by skipping the incorrect SPDIF1 type in the parser loop.\n\nFor making the change clearer, the code is slightly arranged, too.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-05-01T15:16:40Z"

advisories/unreviewed/2026/05/GHSA-rprm-6mg6-r8fm/GHSA-rprm-6mg6-r8fm.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rprm-6mg6-r8fm",
+  "modified": "2026-05-07T03:31:21Z",
+  "published": "2026-05-07T03:31:21Z",
+  "aliases": [
+    "CVE-2026-44599"
+  ],
+  "details": "Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44599"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.torproject.org/c/news/tor-release-announcement/28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/50f90ba849088247734786922855c22661c6fa03"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.torproject.org/tpo/core/tor/-/work_items/41243"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2026/05/06/8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-669"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-07T03:16:07Z"
+  }
+}