Publish Advisories

GHSA-wp3j-xq48-xpjw
GHSA-7376-x4rm-3v8x
GHSA-83xx-9f6p-vwfj
GHSA-qg4c-8pj4-qgw2
GHSA-55w5-976h-wfmc
GHSA-5wcj-3gqq-r8fv
GHSA-7r3h-69g8-3vqv
GHSA-9x3m-44rv-9cpf
GHSA-f6x3-5ffg-hff5
GHSA-h5x7-xvx7-3c6r
GHSA-j979-3w8f-32rw
GHSA-m8q3-732g-g5mm
GHSA-ww5c-h42x-mc5x
GHSA-x369-c988-fxc9

Author: advisory-database[bot]

advisories/github-reviewed/2025/09/GHSA-wp3j-xq48-xpjw/GHSA-wp3j-xq48-xpjw.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wp3j-xq48-xpjw",
-  "modified": "2025-09-24T00:30:41Z",
+  "modified": "2025-10-22T06:31:11Z",
   "published": "2025-09-04T20:01:54Z",
   "aliases": [
     "CVE-2025-9566"
@@ -102,6 +102,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:16515"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:18218"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-9566"

advisories/unreviewed/2025/06/GHSA-7376-x4rm-3v8x/GHSA-7376-x4rm-3v8x.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7376-x4rm-3v8x",
-  "modified": "2025-10-21T21:33:25Z",
+  "modified": "2025-10-22T06:31:11Z",
   "published": "2025-06-09T21:30:52Z",
   "aliases": [
     "CVE-2025-5914"
@@ -39,6 +39,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:18219"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:18218"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:16524"

advisories/unreviewed/2025/06/GHSA-83xx-9f6p-vwfj/GHSA-83xx-9f6p-vwfj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-83xx-9f6p-vwfj",
-  "modified": "2025-10-21T21:33:25Z",
+  "modified": "2025-10-22T06:31:11Z",
   "published": "2025-06-16T18:32:19Z",
   "aliases": [
     "CVE-2025-49796"
@@ -31,6 +31,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:18219"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:18218"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:15828"

advisories/unreviewed/2025/06/GHSA-qg4c-8pj4-qgw2/GHSA-qg4c-8pj4-qgw2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qg4c-8pj4-qgw2",
-  "modified": "2025-10-21T21:33:25Z",
+  "modified": "2025-10-22T06:31:11Z",
   "published": "2025-06-16T18:32:19Z",
   "aliases": [
     "CVE-2025-49794"
@@ -31,6 +31,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:18219"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:18218"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:15828"

advisories/unreviewed/2025/10/GHSA-55w5-976h-wfmc/GHSA-55w5-976h-wfmc.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-55w5-976h-wfmc",
+  "modified": "2025-10-22T06:31:11Z",
+  "published": "2025-10-22T06:31:11Z",
+  "aliases": [
+    "CVE-2025-62773"
+  ],
+  "details": "Mercku M6a devices through 2.1.0 allow TELNET sessions via a router.telnet.enabled.update request by an administrator.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62773"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.nullvoid.me/posts/mercku-exploits"
+    },
+    {
+      "type": "WEB",
+      "url": "https://seclists.org/fulldisclosure/2025/Oct/10"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-912"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-22T04:16:08Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-5wcj-3gqq-r8fv/GHSA-5wcj-3gqq-r8fv.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5wcj-3gqq-r8fv",
+  "modified": "2025-10-22T06:31:11Z",
+  "published": "2025-10-22T06:31:11Z",
+  "aliases": [
+    "CVE-2024-58274"
+  ],
+  "details": "Hikvision CSMP (Comprehensive Security Management Platform) iSecure Center through 2024-08-01 allows execution of a command within $( ) in /center/api/installation/detection JSON data, as exploited in the wild in 2024 and 2025.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58274"
+    },
+    {
+      "type": "WEB",
+      "url": "https://forum.butian.net/article/498"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ahisec/nuclei-tps/blob/main/http/vulnerabilities/hikvision/hikvision-csmp-installation-rce.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://xz.aliyun.com/news/14639"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-22T04:15:55Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-7r3h-69g8-3vqv/GHSA-7r3h-69g8-3vqv.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7r3h-69g8-3vqv",
+  "modified": "2025-10-22T06:31:11Z",
+  "published": "2025-10-22T06:31:11Z",
+  "aliases": [
+    "CVE-2025-62774"
+  ],
+  "details": "On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62774"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.nullvoid.me/posts/mercku-exploits"
+    },
+    {
+      "type": "WEB",
+      "url": "https://seclists.org/fulldisclosure/2025/Oct/10"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-331"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-22T04:16:09Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-9x3m-44rv-9cpf/GHSA-9x3m-44rv-9cpf.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9x3m-44rv-9cpf",
+  "modified": "2025-10-22T06:31:11Z",
+  "published": "2025-10-22T06:31:11Z",
+  "aliases": [
+    "CVE-2025-5983"
+  ],
+  "details": "The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5983"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/4a2d4dcf-bb34-4eec-b5de-31c6a4d823cf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-22T06:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-f6x3-5ffg-hff5/GHSA-f6x3-5ffg-hff5.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f6x3-5ffg-hff5",
+  "modified": "2025-10-22T06:31:11Z",
+  "published": "2025-10-22T06:31:11Z",
+  "aliases": [
+    "CVE-2025-10638"
+  ],
+  "details": "The NS Maintenance Mode for WP WordPress plugin through 1.3.1 lacks authorization in its subscriber export function allowing unauthenticated attackers to download a list of a site's subscribers containing their name and email address",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10638"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/1998a079-d986-47fe-907f-d4d295b06603"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-22T06:15:30Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-h5x7-xvx7-3c6r/GHSA-h5x7-xvx7-3c6r.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h5x7-xvx7-3c6r",
+  "modified": "2025-10-22T06:31:11Z",
+  "published": "2025-10-22T06:31:11Z",
+  "aliases": [
+    "CVE-2025-62772"
+  ],
+  "details": "On Mercku M6a devices through 2.1.0, session tokens remain valid for at least months in some cases.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62772"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.nullvoid.me/posts/mercku-exploits"
+    },
+    {
+      "type": "WEB",
+      "url": "https://seclists.org/fulldisclosure/2025/Oct/10"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-305"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-22T04:16:08Z"
+  }
+}