Publish Advisories

GHSA-64w3-5q9m-68xf
GHSA-895x-rfqp-jh5c
GHSA-rg35-5v25-mqvp
GHSA-24hm-wm2h-h8w7
GHSA-2gg2-m8xj-hx68
GHSA-64r8-mrv6-hj88
GHSA-6p6f-w7vp-pv39
GHSA-76f9-42qx-mfmx
GHSA-9c32-r6xg-x5p7
GHSA-f85c-2x25-hppv
GHSA-p5wv-67hv-xm4c
GHSA-wv5r-gfp7-rgxv
GHSA-x832-fpvj-r5ph

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-64w3-5q9m-68xf/GHSA-64w3-5q9m-68xf.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-64w3-5q9m-68xf",
-  "modified": "2025-10-23T19:24:48Z",
+  "modified": "2025-11-28T06:32:05Z",
   "published": "2025-10-23T15:30:34Z",
   "aliases": [
     "CVE-2025-11429"
@@ -52,6 +52,14 @@
       "type": "WEB",
       "url": "https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22088"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22089"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-11429"

advisories/github-reviewed/2025/10/GHSA-895x-rfqp-jh5c/GHSA-895x-rfqp-jh5c.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-895x-rfqp-jh5c",
-  "modified": "2025-11-14T00:30:27Z",
+  "modified": "2025-11-28T06:32:05Z",
   "published": "2025-10-23T15:30:34Z",
   "aliases": [
     "CVE-2025-12110"
@@ -52,6 +52,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:21371"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22088"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22089"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-12110"

advisories/github-reviewed/2025/10/GHSA-rg35-5v25-mqvp/GHSA-rg35-5v25-mqvp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rg35-5v25-mqvp",
-  "modified": "2025-11-14T00:30:27Z",
+  "modified": "2025-11-28T06:32:05Z",
   "published": "2025-10-28T15:30:43Z",
   "aliases": [
     "CVE-2025-12390"
@@ -68,6 +68,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:21371"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22088"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22089"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-12390"

advisories/unreviewed/2025/11/GHSA-24hm-wm2h-h8w7/GHSA-24hm-wm2h-h8w7.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-24hm-wm2h-h8w7",
+  "modified": "2025-11-28T06:32:06Z",
+  "published": "2025-11-28T06:32:06Z",
+  "aliases": [
+    "CVE-2025-66371"
+  ],
+  "details": "Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66371"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/iterasdev/peppol-py/pull/16"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/iterasdev/peppol-py/releases/tag/1.1.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-611"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-28T04:16:01Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-2gg2-m8xj-hx68/GHSA-2gg2-m8xj-hx68.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2gg2-m8xj-hx68",
+  "modified": "2025-11-28T06:32:05Z",
+  "published": "2025-11-28T06:32:05Z",
+  "aliases": [
+    "CVE-2025-58302"
+  ],
+  "details": "Permission control vulnerability in the Settings module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58302"
+    },
+    {
+      "type": "WEB",
+      "url": "https://consumer.huawei.com/en/support/bulletin/2025/11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-28T04:16:00Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-64r8-mrv6-hj88/GHSA-64r8-mrv6-hj88.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-64r8-mrv6-hj88",
+  "modified": "2025-11-28T06:32:06Z",
+  "published": "2025-11-28T06:32:06Z",
+  "aliases": [
+    "CVE-2025-58311"
+  ],
+  "details": "UAF vulnerability in the USB driver module.\nImpact: Successful exploitation of this vulnerability will affect availability and confidentiality.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58311"
+    },
+    {
+      "type": "WEB",
+      "url": "https://consumer.huawei.com/en/support/bulletin/2025/11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-28T04:16:00Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-6p6f-w7vp-pv39/GHSA-6p6f-w7vp-pv39.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6p6f-w7vp-pv39",
+  "modified": "2025-11-28T06:32:06Z",
+  "published": "2025-11-28T06:32:06Z",
+  "aliases": [
+    "CVE-2025-66370"
+  ],
+  "details": "Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66370"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.kivitendo.de/?p=1415"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-611"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-28T04:16:01Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-76f9-42qx-mfmx/GHSA-76f9-42qx-mfmx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-76f9-42qx-mfmx",
+  "modified": "2025-11-28T06:32:06Z",
+  "published": "2025-11-28T06:32:06Z",
+  "aliases": [
+    "CVE-2025-58308"
+  ],
+  "details": "Vulnerability of improper criterion security check in the call module.\nImpact: Successful exploitation of this vulnerability may cause features to perform abnormally.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58308"
+    },
+    {
+      "type": "WEB",
+      "url": "https://consumer.huawei.com/en/support/bulletin/2025/11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-358"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-28T04:16:00Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-9c32-r6xg-x5p7/GHSA-9c32-r6xg-x5p7.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9c32-r6xg-x5p7",
+  "modified": "2025-11-28T06:32:06Z",
+  "published": "2025-11-28T06:32:06Z",
+  "aliases": [
+    "CVE-2025-58305"
+  ],
+  "details": "Identity authentication bypass vulnerability in the Gallery app.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58305"
+    },
+    {
+      "type": "WEB",
+      "url": "https://consumer.huawei.com/en/support/bulletin/2025/11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-28T04:16:00Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-f85c-2x25-hppv/GHSA-f85c-2x25-hppv.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f85c-2x25-hppv",
+  "modified": "2025-11-28T06:32:05Z",
+  "published": "2025-11-28T06:32:05Z",
+  "aliases": [
+    "CVE-2025-13737"
+  ],
+  "details": "The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13737"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/nextend-facebook-connect/tags/3.1.21/includes/provider.php#L772"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3404174/nextend-facebook-connect/trunk/includes/provider.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6b747e-d267-4fd3-a4fd-022aa657c796?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-28T04:16:00Z"
+  }
+}