Publish Advisories

GHSA-38p8-mxmp-83gm
GHSA-3xxw-5cqg-mq5w
GHSA-7v96-f75p-x544
GHSA-gw7f-q8q2-2529
GHSA-hhfg-c9m2-wg35
GHSA-j725-9864-6gc2
GHSA-jfcc-49w9-fccv
GHSA-vf6v-86gw-v5p3

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-38p8-mxmp-83gm/GHSA-38p8-mxmp-83gm.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-38p8-mxmp-83gm",
+  "modified": "2025-12-22T03:30:16Z",
+  "published": "2025-12-22T03:30:16Z",
+  "aliases": [
+    "CVE-2025-15004"
+  ],
+  "details": "A vulnerability was identified in DedeCMS up to 5.7.118. This impacts an unknown function of the file /freelist_main.php. The manipulation of the argument orderby leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15004"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/JPq560c6F6tu"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337710"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337710"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.717316"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-22T01:16:05Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-3xxw-5cqg-mq5w/GHSA-3xxw-5cqg-mq5w.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3xxw-5cqg-mq5w",
-  "modified": "2025-12-16T09:31:07Z",
+  "modified": "2025-12-22T03:30:16Z",
   "published": "2025-12-16T09:31:07Z",
   "aliases": [
     "CVE-2025-66635"
@@ -23,6 +23,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66635"
     },
+    {
+      "type": "WEB",
+      "url": "https://epson.com/Support/wa00971"
+    },
     {
       "type": "WEB",
       "url": "https://jvn.jp/en/jp/JVN51846148"

advisories/unreviewed/2025/12/GHSA-7v96-f75p-x544/GHSA-7v96-f75p-x544.json

@@ -0,0 +1,54 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7v96-f75p-x544",
+  "modified": "2025-12-22T03:30:16Z",
+  "published": "2025-12-22T03:30:16Z",
+  "aliases": [
+    "CVE-2025-15005"
+  ],
+  "details": "A security flaw has been discovered in CouchCMS up to 2.4. Affected is an unknown function of the file couch/config.example.php of the component reCAPTCHA Handler. The manipulation of the argument K_RECAPTCHA_SITE_KEY/K_RECAPTCHA_SECRET_KEY results in use of hard-coded cryptographic key\n . It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been released to the public and may be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15005"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl#-span--strong-proof-of-concept---strong---span-"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337711"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337711"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.718998"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-22T01:16:06Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-gw7f-q8q2-2529/GHSA-gw7f-q8q2-2529.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gw7f-q8q2-2529",
+  "modified": "2025-12-22T03:30:16Z",
+  "published": "2025-12-22T03:30:16Z",
+  "aliases": [
+    "CVE-2025-15006"
+  ],
+  "details": "A weakness has been identified in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/CheckTools of the component HTTP Request Handler. This manipulation of the argument ipaddress causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15006"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md#reproduce"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337712"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337712"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.719315"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-22T02:16:01Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-hhfg-c9m2-wg35/GHSA-hhfg-c9m2-wg35.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hhfg-c9m2-wg35",
+  "modified": "2025-12-22T03:30:16Z",
+  "published": "2025-12-22T03:30:16Z",
+  "aliases": [
+    "CVE-2025-15008"
+  ],
+  "details": "A vulnerability was detected in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/L7Port of the component HTTP Request Handler. Performing manipulation of the argument page results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15008"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md#reproduce"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337714"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337714"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.719317"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-22T03:15:47Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-j725-9864-6gc2/GHSA-j725-9864-6gc2.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j725-9864-6gc2",
+  "modified": "2025-12-22T03:30:16Z",
+  "published": "2025-12-22T03:30:16Z",
+  "aliases": [
+    "CVE-2025-15009"
+  ],
+  "details": "A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15009"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md#vulnerability-proof"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337715"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337715"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.719590"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-22T03:15:47Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-jfcc-49w9-fccv/GHSA-jfcc-49w9-fccv.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jfcc-49w9-fccv",
+  "modified": "2025-12-22T03:30:16Z",
+  "published": "2025-12-22T03:30:16Z",
+  "aliases": [
+    "CVE-2025-15007"
+  ],
+  "details": "A security vulnerability has been detected in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/L7Im of the component HTTP Request Handler. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15007"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md#poc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.337713"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.337713"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.719316"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-22T02:16:01Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-vf6v-86gw-v5p3/GHSA-vf6v-86gw-v5p3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vf6v-86gw-v5p3",
-  "modified": "2025-12-10T09:30:25Z",
+  "modified": "2025-12-22T03:30:15Z",
   "published": "2025-12-10T09:30:25Z",
   "aliases": [
     "CVE-2025-66004"
@@ -26,6 +26,10 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66004"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00027.html"
     }
   ],
   "database_specific": {