Publish Advisories

GHSA-2q7x-94rj-f68w
GHSA-5gwr-vqfx-wj2m
GHSA-8q8p-fv92-864w
GHSA-fxp5-37mh-vff5
GHSA-vwhf-x6j3-3qfg
GHSA-xc6x-xvx8-wqf4

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-2q7x-94rj-f68w/GHSA-2q7x-94rj-f68w.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2q7x-94rj-f68w",
+  "modified": "2025-12-03T09:31:12Z",
+  "published": "2025-12-03T09:31:12Z",
+  "aliases": [
+    "CVE-2025-13945"
+  ],
+  "details": "HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13945"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.com/wireshark/wireshark/-/issues/20860"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wireshark.org/security/wnpa-sec-2025-07.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1325"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-03T08:15:47Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-5gwr-vqfx-wj2m/GHSA-5gwr-vqfx-wj2m.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5gwr-vqfx-wj2m",
+  "modified": "2025-12-03T09:31:12Z",
+  "published": "2025-12-03T09:31:12Z",
+  "aliases": [
+    "CVE-2025-13946"
+  ],
+  "details": "MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13946"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.com/wireshark/wireshark/-/issues/20884"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wireshark.org/security/wnpa-sec-2025-08.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-835"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-03T08:15:48Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-8q8p-fv92-864w/GHSA-8q8p-fv92-864w.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8q8p-fv92-864w",
+  "modified": "2025-12-03T09:31:12Z",
+  "published": "2025-12-03T09:31:12Z",
+  "aliases": [
+    "CVE-2025-13486"
+  ],
+  "details": "The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13486"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3400134/acf-extended"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-03T07:16:02Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-fxp5-37mh-vff5/GHSA-fxp5-37mh-vff5.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fxp5-37mh-vff5",
+  "modified": "2025-12-03T09:31:13Z",
+  "published": "2025-12-03T09:31:13Z",
+  "aliases": [
+    "CVE-2025-13472"
+  ],
+  "details": "A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13472"
+    },
+    {
+      "type": "WEB",
+      "url": "https://portal.perforce.com/s/cve/a91Qi000002bFgTIAU/missing-authorization-in-blazemeter-jenkins-plugin"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-03T09:15:47Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-vwhf-x6j3-3qfg/GHSA-vwhf-x6j3-3qfg.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vwhf-x6j3-3qfg",
+  "modified": "2025-12-03T09:31:13Z",
+  "published": "2025-12-03T09:31:12Z",
+  "aliases": [
+    "CVE-2025-12744"
+  ],
+  "details": "A flaw was found in the ABRT daemon’s handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12744"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-12744"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2412467"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-03T09:15:46Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-xc6x-xvx8-wqf4/GHSA-xc6x-xvx8-wqf4.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xc6x-xvx8-wqf4",
+  "modified": "2025-12-03T09:31:13Z",
+  "published": "2025-12-03T09:31:13Z",
+  "aliases": [
+    "CVE-2025-29864"
+  ],
+  "details": "Protection Mechanism Failure vulnerability in ESTsoft ALZip on Windows allows SmartScreen bypass.This issue affects ALZip: from 12.01 before 12.29.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29864"
+    },
+    {
+      "type": "WEB",
+      "url": "https://altools.co.kr/product/ALZIP"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-03T09:15:47Z"
+  }
+}