Publish Advisories

GHSA-43hq-c99c-6p3f
GHSA-53pc-prxg-7xp2
GHSA-648p-48g9-674x
GHSA-hhp2-jq65-cjxx
GHSA-j6c2-7rv4-43qj
GHSA-jp64-2qcg-892x
GHSA-m9rv-g47r-qvh2
GHSA-pmc7-2mv9-jmgx
GHSA-pwmf-gq5q-rjmq
GHSA-qr7g-8gm2-h5q6
GHSA-wcrw-whfv-8v36
GHSA-x476-g3pc-3h6p
GHSA-xr9w-r8gw-wjhw
GHSA-xx7c-xcq4-cj23

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-43hq-c99c-6p3f/GHSA-43hq-c99c-6p3f.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-43hq-c99c-6p3f",
+  "modified": "2025-12-09T00:31:16Z",
+  "published": "2025-12-09T00:31:16Z",
+  "aliases": [
+    "CVE-2025-36015"
+  ],
+  "details": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36015"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7253273"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T22:15:51Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-53pc-prxg-7xp2/GHSA-53pc-prxg-7xp2.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-53pc-prxg-7xp2",
+  "modified": "2025-12-09T00:31:16Z",
+  "published": "2025-12-09T00:31:16Z",
+  "aliases": [
+    "CVE-2025-64650"
+  ],
+  "details": "IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64650"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7253864"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T22:15:52Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-648p-48g9-674x/GHSA-648p-48g9-674x.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-648p-48g9-674x",
+  "modified": "2025-12-09T00:31:16Z",
+  "published": "2025-12-09T00:31:16Z",
+  "aliases": [
+    "CVE-2025-36140"
+  ],
+  "details": "IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36140"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7253932"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T23:15:47Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-hhp2-jq65-cjxx/GHSA-hhp2-jq65-cjxx.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hhp2-jq65-cjxx",
+  "modified": "2025-12-09T00:31:16Z",
+  "published": "2025-12-09T00:31:16Z",
+  "aliases": [
+    "CVE-2025-14276"
+  ],
+  "details": "A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. Impacted is an unknown function of the file /ajax/php/leaf_search.php. This manipulation of the argument line causes command injection. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. Upgrading the affected component is recommended. The vendor confirms the issue and recommends: \"We already know that issue and on most devices are already solved, also it’s not needed to open the port to outside world so we advised our customer to close it\".",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14276"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.334802"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.334802"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.702649"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.yuque.com/yuqueyonghuexlgkz/zepczx/ahygt5u6sgqpk5tt?singleDoc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T22:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-j6c2-7rv4-43qj/GHSA-j6c2-7rv4-43qj.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j6c2-7rv4-43qj",
+  "modified": "2025-12-09T00:31:16Z",
+  "published": "2025-12-09T00:31:16Z",
+  "aliases": [
+    "CVE-2025-12832"
+  ],
+  "details": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12832"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7253507"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T22:15:49Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-jp64-2qcg-892x/GHSA-jp64-2qcg-892x.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jp64-2qcg-892x",
-  "modified": "2025-12-08T18:30:43Z",
+  "modified": "2025-12-09T00:31:15Z",
   "published": "2025-12-08T18:30:42Z",
   "aliases": [
     "CVE-2025-48580"
   ],
   "details": "In connectInternal of MediaBrowser.java, there is a possible way to access while in use permission while the app is in background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-08T17:16:15Z"

advisories/unreviewed/2025/12/GHSA-m9rv-g47r-qvh2/GHSA-m9rv-g47r-qvh2.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m9rv-g47r-qvh2",
-  "modified": "2025-12-08T21:30:22Z",
+  "modified": "2025-12-09T00:31:16Z",
   "published": "2025-12-08T21:30:22Z",
   "aliases": [
     "CVE-2025-65229"
   ],
   "details": "A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -20,8 +25,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-08T20:15:52Z"

advisories/unreviewed/2025/12/GHSA-pmc7-2mv9-jmgx/GHSA-pmc7-2mv9-jmgx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pmc7-2mv9-jmgx",
+  "modified": "2025-12-09T00:31:16Z",
+  "published": "2025-12-09T00:31:16Z",
+  "aliases": [
+    "CVE-2025-12635"
+  ],
+  "details": "IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12635"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7254078"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T22:15:49Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-pwmf-gq5q-rjmq/GHSA-pwmf-gq5q-rjmq.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pwmf-gq5q-rjmq",
-  "modified": "2025-12-08T18:30:42Z",
+  "modified": "2025-12-09T00:31:15Z",
   "published": "2025-12-08T18:30:42Z",
   "aliases": [
     "CVE-2025-48573"
   ],
   "details": "In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-250"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-08T17:16:15Z"

advisories/unreviewed/2025/12/GHSA-qr7g-8gm2-h5q6/GHSA-qr7g-8gm2-h5q6.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qr7g-8gm2-h5q6",
-  "modified": "2025-12-08T18:30:43Z",
+  "modified": "2025-12-09T00:31:16Z",
   "published": "2025-12-08T18:30:43Z",
   "aliases": [
     "CVE-2025-48583"
   ],
   "details": "In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-08T17:16:15Z"