Publish Advisories

GHSA-cpm8-v4gw-hgvh
GHSA-h2gm-8gg9-5mh6
GHSA-j694-j6ff-75p6

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-cpm8-v4gw-hgvh/GHSA-cpm8-v4gw-hgvh.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cpm8-v4gw-hgvh",
+  "modified": "2025-11-25T03:30:20Z",
+  "published": "2025-11-25T03:30:20Z",
+  "aliases": [
+    "CVE-2025-6389"
+  ],
+  "details": "The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6389"
+    },
+    {
+      "type": "WEB",
+      "url": "https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-25T03:15:44Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-h2gm-8gg9-5mh6/GHSA-h2gm-8gg9-5mh6.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h2gm-8gg9-5mh6",
+  "modified": "2025-11-25T03:30:19Z",
+  "published": "2025-11-25T03:30:19Z",
+  "aliases": [
+    "CVE-2025-59373"
+  ],
+  "details": "A local privilege escalation vulnerability exists in \n\n the restore mechanism of \n\nASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM.\nFor more information, please refer to section Security Update for MyAsus in the ASUS Security Advisory.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59373"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.asus.com/content/security-advisory"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-732"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-25T02:15:44Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-j694-j6ff-75p6/GHSA-j694-j6ff-75p6.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j694-j6ff-75p6",
+  "modified": "2025-11-25T03:30:19Z",
+  "published": "2025-11-25T03:30:19Z",
+  "aliases": [
+    "CVE-2025-9803"
+  ],
+  "details": "lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9803"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-25T01:15:47Z"
+  }
+}