github
diff --git a/‎advisories/github-reviewed/2025/11/GHSA-4vcx-3pj3-44m7/GHSA-4vcx-3pj3-44m7.json‎
Lines changed: 61 additions & 0 deletions b/‎advisories/github-reviewed/2025/11/GHSA-4vcx-3pj3-44m7/GHSA-4vcx-3pj3-44m7.json‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/10/GHSA-3324-w6mq-62mc/GHSA-3324-w6mq-62mc.json‎
Lines changed: 2 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-3324-w6mq-62mc/GHSA-3324-w6mq-62mc.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-4hx2-58xv-6gx8/GHSA-4hx2-58xv-6gx8.json‎
Lines changed: 2 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-4hx2-58xv-6gx8/GHSA-4hx2-58xv-6gx8.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-62rf-c379-23r7/GHSA-62rf-c379-23r7.json‎
Lines changed: 2 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-62rf-c379-23r7/GHSA-62rf-c379-23r7.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-69mp-wcfm-5322/GHSA-69mp-wcfm-5322.json‎
Lines changed: 2 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-69mp-wcfm-5322/GHSA-69mp-wcfm-5322.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-6fjm-ffgr-g6gp/GHSA-6fjm-ffgr-g6gp.json‎
Lines changed: 5 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-6fjm-ffgr-g6gp/GHSA-6fjm-ffgr-g6gp.json‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-6pqm-mccv-6977/GHSA-6pqm-mccv-6977.json‎
Lines changed: 2 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-6pqm-mccv-6977/GHSA-6pqm-mccv-6977.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-9p8c-493c-qp6m/GHSA-9p8c-493c-qp6m.json‎
Lines changed: 2 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-9p8c-493c-qp6m/GHSA-9p8c-493c-qp6m.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-9x3p-mvq5-2fgh/GHSA-9x3p-mvq5-2fgh.json‎
Lines changed: 5 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-9x3p-mvq5-2fgh/GHSA-9x3p-mvq5-2fgh.json‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/10/GHSA-p598-ccq9-3xq4/GHSA-p598-ccq9-3xq4.json‎
Lines changed: 2 additions & 1 deletion b/‎advisories/unreviewed/2025/10/GHSA-p598-ccq9-3xq4/GHSA-p598-ccq9-3xq4.json‎
Lines changed: 2 additions & 1 deletion
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4vcx-3pj3-44m7",
+  "modified": "2025-11-04T15:31:48Z",
+  "published": "2025-11-04T15:31:48Z",
+  "aliases": [
+    "CVE-2025-64184"
+  ],
+  "summary": "Dosage vulnerable to a Directory Traversal through crafted HTTP responses",
+  "details": "### Impact\n\nWhen downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP `Content-Type` header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). \n\n### Patches\n\nFixed in release 3.2. The [fix is small and self-contained](https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e), so distributors might elect to backport the fix to older versions.\n\n### Workarounds\n\nNo",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "dosage"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/webcomics/dosage"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-04T15:31:48Z",
+    "nvd_published_at": null
+  }
+}
@@ -38,7 +38,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,
 
@@ -38,7 +38,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,
 
@@ -38,7 +38,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,
 
@@ -30,7 +30,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-121"
+      "CWE-121",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,
 
@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6fjm-ffgr-g6gp",
-  "modified": "2025-10-23T15:30:34Z",
+  "modified": "2025-11-04T15:31:29Z",
   "published": "2025-10-23T15:30:34Z",
   "aliases": [
     "CVE-2025-53702"
   ],
   "details": "Vilar VS-IPC1002 IP cameras are vulnerable to DoS (Denial-of-Service) attacks. An unauthenticated attacker on the same local network might send a crafted request to /cgi-bin/action endpoint and render the device completely unresponsive. A manual restart of the device is required. \nThe vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
 
@@ -34,7 +34,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-122"
+      "CWE-122",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,
 
@@ -34,7 +34,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-122"
+      "CWE-122",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,
 
@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9x3p-mvq5-2fgh",
-  "modified": "2025-10-23T15:30:34Z",
+  "modified": "2025-11-04T15:31:29Z",
   "published": "2025-10-23T15:30:34Z",
   "aliases": [
     "CVE-2025-53701"
   ],
   "details": "Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cross-site Scripting) attacks, because parameters in GET requests sent to /cgi-bin/action endpoint are not sanitized properly, making it possible to target logged in admin users.\nThe vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
 
@@ -38,7 +38,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,