Publish Advisories

GHSA-38q3-29hj-9w26
GHSA-3w6x-xqhx-2c63
GHSA-5jwq-x5rg-hgv9
GHSA-7wgf-36j2-vf64
GHSA-85v2-6j9h-fhq9
GHSA-8g7h-h6c6-fr83
GHSA-cwgq-hj3j-r5wv
GHSA-g5qq-5f56-7h93
GHSA-jjrw-wx9c-5386
GHSA-m5wr-8mwj-cqpw
GHSA-pm7c-3cpx-6wx4
GHSA-qfvh-gchw-82wr
GHSA-r9x3-jhcx-h8m8
GHSA-r9xx-rmrv-8vpg

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-38q3-29hj-9w26/GHSA-38q3-29hj-9w26.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-38q3-29hj-9w26",
+  "modified": "2025-12-18T03:30:17Z",
+  "published": "2025-12-18T03:30:17Z",
+  "aliases": [
+    "CVE-2025-12885"
+  ],
+  "details": "The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12885"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3406443"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efbdf0f0-6b38-418c-b3fb-396f89ada34f?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T03:15:45Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-3w6x-xqhx-2c63/GHSA-3w6x-xqhx-2c63.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3w6x-xqhx-2c63",
-  "modified": "2025-12-15T12:30:26Z",
+  "modified": "2025-12-18T03:30:17Z",
   "published": "2025-12-15T12:30:26Z",
   "aliases": [
     "CVE-2025-11670"

advisories/unreviewed/2025/12/GHSA-5jwq-x5rg-hgv9/GHSA-5jwq-x5rg-hgv9.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-7wgf-36j2-vf64/GHSA-7wgf-36j2-vf64.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-85v2-6j9h-fhq9/GHSA-85v2-6j9h-fhq9.json

@@ -25,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-295"
+    ],
     "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2025/12/GHSA-8g7h-h6c6-fr83/GHSA-8g7h-h6c6-fr83.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-cwgq-hj3j-r5wv/GHSA-cwgq-hj3j-r5wv.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-g5qq-5f56-7h93/GHSA-g5qq-5f56-7h93.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-77"
+      "CWE-77",
+      "CWE-78"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-jjrw-wx9c-5386/GHSA-jjrw-wx9c-5386.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jjrw-wx9c-5386",
+  "modified": "2025-12-18T03:30:17Z",
+  "published": "2025-12-18T03:30:17Z",
+  "aliases": [
+    "CVE-2025-14841"
+  ],
+  "details": "A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted element is the function DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. This manipulation causes null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14841"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/DCMTK/dcmtk/commit/ffb1a4a37d2c876e3feeb31df4930f2aed7fa030"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/DCMTK/dcmtk/releases/tag/DCMTK-3.7.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://support.dcmtk.org/redmine/issues/1183"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337004"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337004"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.714605"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.714634"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-404"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T01:15:51Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-m5wr-8mwj-cqpw/GHSA-m5wr-8mwj-cqpw.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m5wr-8mwj-cqpw",
+  "modified": "2025-12-18T03:30:17Z",
+  "published": "2025-12-18T03:30:17Z",
+  "aliases": [
+    "CVE-2025-14856"
+  ],
+  "details": "A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14856"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ltranquility/CVE/issues/26"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337047"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337047"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.710152"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T02:15:46Z"
+  }
+}