github
diff --git a/‎advisories/unreviewed/2026/03/GHSA-22rm-wp4x-v5cx/GHSA-22rm-wp4x-v5cx.json‎
Lines changed: 40 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-22rm-wp4x-v5cx/GHSA-22rm-wp4x-v5cx.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-374j-38xh-4wr2/GHSA-374j-38xh-4wr2.json‎
Lines changed: 31 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-374j-38xh-4wr2/GHSA-374j-38xh-4wr2.json‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-795h-9vq2-6x3x/GHSA-795h-9vq2-6x3x.json‎
Lines changed: 29 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-795h-9vq2-6x3x/GHSA-795h-9vq2-6x3x.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-c8rm-hg85-p336/GHSA-c8rm-hg85-p336.json‎
Lines changed: 44 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-c8rm-hg85-p336/GHSA-c8rm-hg85-p336.json‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-cph7-rc62-v42q/GHSA-cph7-rc62-v42q.json‎
Lines changed: 29 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-cph7-rc62-v42q/GHSA-cph7-rc62-v42q.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-f5jv-m3j9-f42p/GHSA-f5jv-m3j9-f42p.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-f5jv-m3j9-f42p/GHSA-f5jv-m3j9-f42p.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-f772-529f-894q/GHSA-f772-529f-894q.json‎
Lines changed: 56 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-f772-529f-894q/GHSA-f772-529f-894q.json‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-fwg5-qqw8-5x24/GHSA-fwg5-qqw8-5x24.json‎
Lines changed: 29 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-fwg5-qqw8-5x24/GHSA-fwg5-qqw8-5x24.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-h63x-7924-m7qf/GHSA-h63x-7924-m7qf.json‎
Lines changed: 31 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-h63x-7924-m7qf/GHSA-h63x-7924-m7qf.json‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-hhcc-g67f-vx4p/GHSA-hhcc-g67f-vx4p.json‎
Lines changed: 29 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-hhcc-g67f-vx4p/GHSA-hhcc-g67f-vx4p.json‎
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-22rm-wp4x-v5cx",
+  "modified": "2026-03-26T09:30:28Z",
+  "published": "2026-03-26T09:30:28Z",
+  "aliases": [
+    "CVE-2026-4874"
+  ],
+  "details": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-4874"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T08:16:22Z"
+  }
+}
@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-374j-38xh-4wr2",
+  "modified": "2026-03-26T09:30:28Z",
+  "published": "2026-03-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-4247"
+  ],
+  "details": "When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in.  When no challenge ACK should be sent the function returns and leaks the mbuf.\n\nIf an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.\n\nTechnically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4247"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T07:16:20Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-795h-9vq2-6x3x",
+  "modified": "2026-03-26T09:30:27Z",
+  "published": "2026-03-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1890"
+  ],
+  "details": "The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1890"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T07:16:19Z"
+  }
+}
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c8rm-hg85-p336",
+  "modified": "2026-03-26T09:30:27Z",
+  "published": "2026-03-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-28760"
+  ],
+  "details": "The installer of RATOC RAID Monitoring Manager for Windows searches the current directory to load certain DLLs. If a user is directed to place a crafted DLL with the installer, an arbitrary code may be executed with the administrator privilege.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28760"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN08057419"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ratocsystems.com/topics/userinfo/raidmanager202508"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-427"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T07:16:20Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cph7-rc62-v42q",
+  "modified": "2026-03-26T09:30:27Z",
+  "published": "2026-03-26T09:30:27Z",
+  "aliases": [
+    "CVE-2025-15488"
+  ],
+  "details": "The Responsive Plus  WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15488"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/80ce0f88-3065-48c4-a491-b70e067ce4d7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T07:16:19Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f5jv-m3j9-f42p",
+  "modified": "2026-03-26T09:30:28Z",
+  "published": "2026-03-26T09:30:28Z",
+  "aliases": [
+    "CVE-2026-4861"
+  ],
+  "details": "A weakness has been identified in Wavlink WL-NU516U1 260227. This vulnerability affects the function ftext of the file /cgi-bin/nas.cgi. This manipulation of the argument Content-Length causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4861"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Wlz1112/WAVLINK-NU516U1-V260227/blob/main/Content-Length.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353192"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353192"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.776217"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T09:16:06Z"
+  }
+}
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f772-529f-894q",
+  "modified": "2026-03-26T09:30:28Z",
+  "published": "2026-03-26T09:30:28Z",
+  "aliases": [
+    "CVE-2026-4850"
+  ],
+  "details": "A security flaw has been discovered in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checkregisitem.php of the component Parameter Handler. The manipulation of the argument Long-arm-shirtVol results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4850"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kbloow/CVE/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353155"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353155"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.776184"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T08:16:22Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fwg5-qqw8-5x24",
+  "modified": "2026-03-26T09:30:27Z",
+  "published": "2026-03-26T09:30:27Z",
+  "aliases": [
+    "CVE-2025-15433"
+  ],
+  "details": "The Shared Files  WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15433"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/893667a1-dc8f-476a-ac00-55752fface90"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T07:16:19Z"
+  }
+}
@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h63x-7924-m7qf",
+  "modified": "2026-03-26T09:30:28Z",
+  "published": "2026-03-26T09:30:28Z",
+  "aliases": [
+    "CVE-2026-4747"
+  ],
+  "details": "Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet.  This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow.  Notably, this does not require the client to authenticate itself first.\n\nAs kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.\n\nIn userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets.  We are not aware of any such applications in the FreeBSD base system.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4747"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-121"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T07:16:20Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hhcc-g67f-vx4p",
+  "modified": "2026-03-26T09:30:27Z",
+  "published": "2026-03-26T09:30:27Z",
+  "aliases": [
+    "CVE-2026-1430"
+  ],
+  "details": "The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1430"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/e0536061-140d-47eb-9e8b-9785b52c62f7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-26T07:16:19Z"
+  }
+}