Publish Advisories

GHSA-263q-5cv3-xq9g
GHSA-4vwr-f92g-29m6
GHSA-5qwr-m3vg-gj86
GHSA-6m8p-6c5x-r759
GHSA-7mhf-6fhv-c83c
GHSA-898p-hh3p-hf9r
GHSA-9492-pwhm-prgg
GHSA-cm54-pfmc-xrwx
GHSA-hg49-2rqm-p9hf
GHSA-q45h-4pv4-p744
GHSA-rrcw-5rjv-vj26
GHSA-xfq3-qj7j-4565

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-263q-5cv3-xq9g/GHSA-263q-5cv3-xq9g.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-263q-5cv3-xq9g",
+  "modified": "2025-12-26T03:30:15Z",
+  "published": "2025-12-26T03:30:15Z",
+  "aliases": [
+    "CVE-2025-68939"
+  ],
+  "details": "Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68939"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/32151"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.com/release-of-1.23.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/releases/tag/v1.23.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-424"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T03:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-4vwr-f92g-29m6/GHSA-4vwr-f92g-29m6.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4vwr-f92g-29m6",
+  "modified": "2025-12-26T03:30:15Z",
+  "published": "2025-12-26T03:30:15Z",
+  "aliases": [
+    "CVE-2025-15097"
+  ],
+  "details": "A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 and 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15097"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/apostolovd/f84631eed2f0c0e83e2e174b1480f08c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://help.alteryx.com/release-notes/en/release-notes/server-release-notes/server-2025-1-release-notes.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ict-strypes.eu/wp-content/uploads/2025/12/Alteryx-Second-Research.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338428"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338428"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.710169"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T03:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-5qwr-m3vg-gj86/GHSA-5qwr-m3vg-gj86.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5qwr-m3vg-gj86",
+  "modified": "2025-12-26T03:30:16Z",
+  "published": "2025-12-26T03:30:15Z",
+  "aliases": [
+    "CVE-2025-15098"
+  ],
+  "details": "A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15098"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md#proof-of-concept"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338429"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338429"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.710170"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T03:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-6m8p-6c5x-r759/GHSA-6m8p-6c5x-r759.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6m8p-6c5x-r759",
+  "modified": "2025-12-26T03:30:15Z",
+  "published": "2025-12-26T03:30:15Z",
+  "aliases": [
+    "CVE-2025-15095"
+  ],
+  "details": "A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15095"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postmanlabs/httpbin/issues/735"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338424"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338424"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.709002"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T03:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-7mhf-6fhv-c83c/GHSA-7mhf-6fhv-c83c.json

@@ -1,19 +1,28 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7mhf-6fhv-c83c",
-  "modified": "2025-12-26T00:30:12Z",
+  "modified": "2025-12-26T03:30:14Z",
   "published": "2025-12-26T00:30:12Z",
   "aliases": [
     "CVE-2025-68937"
   ],
   "details": "Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
   "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68937"
     },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.com/release-of-1.24.7"
+    },
     {
       "type": "WEB",
       "url": "https://codeberg.org/forgejo/forgejo/milestone/27340"
@@ -39,7 +48,7 @@
     "cwe_ids": [
       "CWE-61"
     ],
-    "severity": null,
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-26T00:16:01Z"

advisories/unreviewed/2025/12/GHSA-898p-hh3p-hf9r/GHSA-898p-hh3p-hf9r.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-898p-hh3p-hf9r",
+  "modified": "2025-12-26T03:30:17Z",
+  "published": "2025-12-26T03:30:17Z",
+  "aliases": [
+    "CVE-2025-68942"
+  ],
+  "details": "Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68942"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/31966"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.com/release-of-1.22.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T03:15:51Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-9492-pwhm-prgg/GHSA-9492-pwhm-prgg.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9492-pwhm-prgg",
+  "modified": "2025-12-26T03:30:14Z",
+  "published": "2025-12-26T03:30:14Z",
+  "aliases": [
+    "CVE-2025-15093"
+  ],
+  "details": "A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15093"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sunkaifei/FlyCms/issues/15"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338422"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338422"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.708996"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T01:15:58Z"
+  }
+}