Publish Advisories

GHSA-c2vx-rx6x-m9wj
GHSA-pc5g-j9j7-p4q3
GHSA-qgc9-p7cj-jvh6
GHSA-pc5g-j9j7-p4q3

Author: advisory-database[bot]

…-c2vx-rx6x-m9wj/GHSA-c2vx-rx6x-m9wj.json …-c2vx-rx6x-m9wj/GHSA-c2vx-rx6x-m9wj.jsonadvisories/unreviewed/2025/12/GHSA-c2vx-rx6x-m9wj/GHSA-c2vx-rx6x-m9wj.json renamed to advisories/github-reviewed/2025/12/GHSA-c2vx-rx6x-m9wj/GHSA-c2vx-rx6x-m9wj.json advisories/unreviewed/2025/12/GHSA-c2vx-rx6x-m9wj/GHSA-c2vx-rx6x-m9wj.json renamed to advisories/github-reviewed/2025/12/GHSA-c2vx-rx6x-m9wj/GHSA-c2vx-rx6x-m9wj.json

@@ -1,19 +1,30 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c2vx-rx6x-m9wj",
-  "modified": "2025-12-01T21:30:26Z",
+  "modified": "2025-12-02T17:37:18Z",
   "published": "2025-12-01T15:30:18Z",
   "aliases": [
     "CVE-2025-63520"
   ],
+  "summary": "FeehiCMS is vulnerable to cross-site scripting via the id parameter of the User Update function",
   "details": "Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate).",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "feehi/feehicms"
+      },
+      "versions": [
+        "2.1.1"
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,15 +37,19 @@
     {
       "type": "WEB",
       "url": "https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63520.md"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liufee/cms"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-02T17:37:18Z",
     "nvd_published_at": "2025-12-01T15:15:50Z"
   }
 }

advisories/github-reviewed/2025/12/GHSA-pc5g-j9j7-p4q3/GHSA-pc5g-j9j7-p4q3.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pc5g-j9j7-p4q3",
+  "modified": "2025-12-02T17:37:08Z",
+  "published": "2025-12-02T15:30:32Z",
+  "aliases": [
+    "CVE-2025-65858"
+  ],
+  "summary": "Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation",
+  "details": "A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "calibreweb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.6.25"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65858"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/janeczku/calibre-web"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-02T17:37:08Z",
+    "nvd_published_at": "2025-12-02T14:16:25Z"
+  }
+}

…-qgc9-p7cj-jvh6/GHSA-qgc9-p7cj-jvh6.json …-qgc9-p7cj-jvh6/GHSA-qgc9-p7cj-jvh6.jsonadvisories/unreviewed/2025/12/GHSA-qgc9-p7cj-jvh6/GHSA-qgc9-p7cj-jvh6.json renamed to advisories/github-reviewed/2025/12/GHSA-qgc9-p7cj-jvh6/GHSA-qgc9-p7cj-jvh6.json advisories/unreviewed/2025/12/GHSA-qgc9-p7cj-jvh6/GHSA-qgc9-p7cj-jvh6.json renamed to advisories/github-reviewed/2025/12/GHSA-qgc9-p7cj-jvh6/GHSA-qgc9-p7cj-jvh6.json

@@ -1,19 +1,30 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qgc9-p7cj-jvh6",
-  "modified": "2025-12-01T21:30:26Z",
+  "modified": "2025-12-02T17:37:23Z",
   "published": "2025-12-01T15:30:18Z",
   "aliases": [
     "CVE-2025-63523"
   ],
+  "summary": "FeehiCMS fails to enforce server-side immutability",
   "details": "FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as \"read-only.\" An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "feehi/feehicms"
+      },
+      "versions": [
+        "2.1.1"
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,15 +37,19 @@
     {
       "type": "WEB",
       "url": "https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liufee/cms"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-125"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-02T17:37:23Z",
     "nvd_published_at": "2025-12-01T15:15:50Z"
   }
 }