Publish Advisories

GHSA-rmj9-74gc-9wvx
GHSA-96g3-r54f-fx2v
GHSA-m6qc-6c6w-6687
GHSA-vjm9-gq46-wc5j

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-rmj9-74gc-9wvx/GHSA-rmj9-74gc-9wvx.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rmj9-74gc-9wvx",
-  "modified": "2025-10-23T15:30:34Z",
+  "modified": "2025-12-20T00:30:26Z",
   "published": "2025-10-23T15:30:34Z",
   "aliases": [
     "CVE-2025-8427"

advisories/unreviewed/2025/12/GHSA-96g3-r54f-fx2v/GHSA-96g3-r54f-fx2v.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-96g3-r54f-fx2v",
-  "modified": "2025-12-18T18:30:30Z",
+  "modified": "2025-12-20T00:30:27Z",
   "published": "2025-12-18T18:30:30Z",
   "aliases": [
     "CVE-2025-63388"
   ],
   "details": "A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-346"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-18T16:15:54Z"

advisories/unreviewed/2025/12/GHSA-m6qc-6c6w-6687/GHSA-m6qc-6c6w-6687.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m6qc-6c6w-6687",
-  "modified": "2025-12-18T18:30:30Z",
+  "modified": "2025-12-20T00:30:27Z",
   "published": "2025-12-18T18:30:30Z",
   "aliases": [
     "CVE-2025-63390"
   ],
   "details": "An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-18T16:15:54Z"

advisories/unreviewed/2025/12/GHSA-vjm9-gq46-wc5j/GHSA-vjm9-gq46-wc5j.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vjm9-gq46-wc5j",
-  "modified": "2025-12-18T18:30:30Z",
+  "modified": "2025-12-20T00:30:27Z",
   "published": "2025-12-18T18:30:30Z",
   "aliases": [
     "CVE-2025-63386"
   ],
   "details": "A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-346"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-18T16:15:54Z"