Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit be00087d790d · 2025-12-18T12:31:57.000Z
GHSA-xh5w-g8gq-r3v9 GHSA-3fjx-35vx-pq97 GHSA-rj3q-q9f3-gr2v GHSA-r6gx-fcg6-8hhj GHSA-269f-8844-8wj6 GHSA-7fj8-g5x7-m9v3 GHSA-f6mf-j487-747p GHSA-fw2m-wrv6-prrx GHSA-j77f-3hf7-7rvg GHSA-p9f8-2p87-2pq5 GHSA-q5wr-jxr7-gxfv GHSA-x4q2-5wx6-98m5
diff --git a/advisories/github-reviewed/2025/11/GHSA-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.json b/advisories/github-reviewed/2025/11/GHSA-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xh5w-g8gq-r3v9",
-  "modified": "2025-12-16T21:30:50Z",
+  "modified": "2025-12-18T12:30:27Z",
   "published": "2025-11-24T18:31:14Z",
   "aliases": [
     "CVE-2025-13609"
@@ -56,6 +56,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23210"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23628"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-13609"
diff --git a/advisories/unreviewed/2022/05/GHSA-3fjx-35vx-pq97/GHSA-3fjx-35vx-pq97.json b/advisories/unreviewed/2022/05/GHSA-3fjx-35vx-pq97/GHSA-3fjx-35vx-pq97.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3fjx-35vx-pq97",
-  "modified": "2022-05-14T00:55:55Z",
+  "modified": "2025-12-18T12:30:27Z",
   "published": "2022-05-14T00:55:55Z",
   "aliases": [
     "CVE-2019-3859"
@@ -35,6 +35,14 @@
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO"
+    },
     {
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O"
diff --git a/advisories/unreviewed/2022/05/GHSA-rj3q-q9f3-gr2v/GHSA-rj3q-q9f3-gr2v.json b/advisories/unreviewed/2022/05/GHSA-rj3q-q9f3-gr2v/GHSA-rj3q-q9f3-gr2v.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rj3q-q9f3-gr2v",
-  "modified": "2022-05-14T01:28:01Z",
+  "modified": "2025-12-18T12:30:27Z",
   "published": "2022-05-14T01:28:01Z",
   "aliases": [
     "CVE-2018-15919"
diff --git a/advisories/unreviewed/2025/11/GHSA-r6gx-fcg6-8hhj/GHSA-r6gx-fcg6-8hhj.json b/advisories/unreviewed/2025/11/GHSA-r6gx-fcg6-8hhj/GHSA-r6gx-fcg6-8hhj.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r6gx-fcg6-8hhj",
-  "modified": "2025-12-17T15:34:51Z",
+  "modified": "2025-12-18T12:30:27Z",
   "published": "2025-11-25T09:31:24Z",
   "aliases": [
     "CVE-2025-13502"
@@ -47,6 +47,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23452"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23583"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23591"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-13502"
diff --git a/advisories/unreviewed/2025/12/GHSA-269f-8844-8wj6/GHSA-269f-8844-8wj6.json b/advisories/unreviewed/2025/12/GHSA-269f-8844-8wj6/GHSA-269f-8844-8wj6.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-269f-8844-8wj6",
+  "modified": "2025-12-18T12:30:27Z",
+  "published": "2025-12-18T12:30:27Z",
+  "aliases": [
+    "CVE-2025-14364"
+  ],
+  "details": "The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14364"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3420645/demo-importer-plus/trunk/inc/Ajax.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff9364a9-18f8-47d3-b992-e39c8d99d6ea?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T10:16:11Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-7fj8-g5x7-m9v3/GHSA-7fj8-g5x7-m9v3.json b/advisories/unreviewed/2025/12/GHSA-7fj8-g5x7-m9v3/GHSA-7fj8-g5x7-m9v3.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7fj8-g5x7-m9v3",
+  "modified": "2025-12-18T12:30:27Z",
+  "published": "2025-12-18T12:30:27Z",
+  "aliases": [
+    "CVE-2025-10910"
+  ],
+  "details": "A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account.\nThe server‑side API allows device association using a set of identifiers: \"device\", \"sku\", \"type\", and a client‑computed \"value\", that are not cryptographically bound to a secret originating from the device itself.\n\nThe vulnerability has been verified for the Govee H6056 - lamp device in firmware version 1.08.13, but may affect also other Govee cloud‑connected devices. The vendor is not able to provide a list of affected products, but rolls out a firmware and server-side fixes. Devices that reached end‑of‑life for security support need replacement with newer models supporting updates.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10910"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cert.pl/en/posts/2025/12/CVE-2025-10910"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T12:16:07Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-f6mf-j487-747p/GHSA-f6mf-j487-747p.json b/advisories/unreviewed/2025/12/GHSA-f6mf-j487-747p/GHSA-f6mf-j487-747p.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f6mf-j487-747p",
-  "modified": "2025-12-17T15:34:51Z",
+  "modified": "2025-12-18T12:30:27Z",
   "published": "2025-12-04T18:30:53Z",
   "aliases": [
     "CVE-2025-66287"
@@ -47,6 +47,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23452"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23583"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23591"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-66287"
diff --git a/advisories/unreviewed/2025/12/GHSA-fw2m-wrv6-prrx/GHSA-fw2m-wrv6-prrx.json b/advisories/unreviewed/2025/12/GHSA-fw2m-wrv6-prrx/GHSA-fw2m-wrv6-prrx.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fw2m-wrv6-prrx",
+  "modified": "2025-12-18T12:30:27Z",
+  "published": "2025-12-18T12:30:27Z",
+  "aliases": [
+    "CVE-2025-13730"
+  ],
+  "details": "The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openid_connect_generic_auth_url' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13730"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client-wrapper.php#L241"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/daggerhart-openid-connect-generic/trunk/openid-connect-generic.php#L168"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3418927"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe5fd453-b1fc-4d52-bb46-aebd68508891?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T10:16:11Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-j77f-3hf7-7rvg/GHSA-j77f-3hf7-7rvg.json b/advisories/unreviewed/2025/12/GHSA-j77f-3hf7-7rvg/GHSA-j77f-3hf7-7rvg.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j77f-3hf7-7rvg",
-  "modified": "2025-12-17T15:34:51Z",
+  "modified": "2025-12-18T12:30:27Z",
   "published": "2025-12-03T12:30:14Z",
   "aliases": [
     "CVE-2025-13947"
@@ -47,6 +47,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23452"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23583"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23591"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-13947"
diff --git a/advisories/unreviewed/2025/12/GHSA-p9f8-2p87-2pq5/GHSA-p9f8-2p87-2pq5.json b/advisories/unreviewed/2025/12/GHSA-p9f8-2p87-2pq5/GHSA-p9f8-2p87-2pq5.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p9f8-2p87-2pq5",
+  "modified": "2025-12-18T12:30:27Z",
+  "published": "2025-12-18T12:30:27Z",
+  "aliases": [
+    "CVE-2025-40602"
+  ],
+  "details": "A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40602"
+    },
+    {
+      "type": "WEB",
+      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40602"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-250"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T11:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-q5wr-jxr7-gxfv/GHSA-q5wr-jxr7-gxfv.json b/advisories/unreviewed/2025/12/GHSA-q5wr-jxr7-gxfv/GHSA-q5wr-jxr7-gxfv.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q5wr-jxr7-gxfv",
+  "modified": "2025-12-18T12:30:27Z",
+  "published": "2025-12-18T12:30:27Z",
+  "aliases": [
+    "CVE-2025-13641"
+  ],
+  "details": "The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13641"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/Controller.php#L369"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php#L152"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3415575/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3004370&old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a01e1c9-67f4-4cc1-b58b-9cc141889d66?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T10:16:10Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-x4q2-5wx6-98m5/GHSA-x4q2-5wx6-98m5.json b/advisories/unreviewed/2025/12/GHSA-x4q2-5wx6-98m5/GHSA-x4q2-5wx6-98m5.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x4q2-5wx6-98m5",
+  "modified": "2025-12-18T12:30:27Z",
+  "published": "2025-12-18T12:30:27Z",
+  "aliases": [
+    "CVE-2025-64997"
+  ],
+  "details": "Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allow low-privileged users to view agent information via the REST API, which could lead to information disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64997"
+    },
+    {
+      "type": "WEB",
+      "url": "https://checkmk.com/werk/18681"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-280"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-18T10:16:11Z"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-rj3q-q9f3-gr2v",`
`4`		`- "modified": "2022-05-14T01:28:01Z",`
	`4`	`+ "modified": "2025-12-18T12:30:27Z",`
`5`	`5`	`"published": "2022-05-14T01:28:01Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2018-15919"`