Publish Advisories

GHSA-c78m-c7wq-r5w4
GHSA-43cp-h386-xgfv
GHSA-83g8-4c46-g95x
GHSA-gvh9-7g44-g9mq
GHSA-q26q-g7qp-vmrr
GHSA-q92w-c8r9-vmc7
GHSA-w337-cfcg-vpqj
GHSA-2342-p33v-prhm
GHSA-2cg7-x3pg-q7xf
GHSA-2j22-hr4w-47gj
GHSA-3762-v4rr-cjw5
GHSA-4hcr-r896-35w9
GHSA-cr8j-9qv8-5jph
GHSA-f6jm-4fxv-gmjp
GHSA-j89q-mf54-x9ch
GHSA-r226-j7pf-48g6
GHSA-rj4f-7f4c-6qh7
GHSA-v3rg-4rhw-582m

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-c78m-c7wq-r5w4/GHSA-c78m-c7wq-r5w4.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-284"
+      "CWE-284",
+      "CWE-434"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/11/GHSA-43cp-h386-xgfv/GHSA-43cp-h386-xgfv.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-43cp-h386-xgfv",
-  "modified": "2025-11-11T18:30:17Z",
+  "modified": "2025-12-08T15:30:29Z",
   "published": "2025-11-11T18:30:17Z",
   "aliases": [
     "CVE-2025-12940"
   ],
   "details": "Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610\nand WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6\nAccess Points). An user having access to the syslog server can read the logs containing these credentials. \n\nThis issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4.\n\n\nDevices\nmanaged with Insight get automatic updates. If not, please check the firmware version\nand update to the latest. \n\n\n\n\n\nFixed in:\n\n\n\nWAX610 firmware\n11.8.0.10 or later.\n\n\n\nWAX610Y firmware\n11.8.0.10 or later.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:L/U:Amber"

advisories/unreviewed/2025/11/GHSA-83g8-4c46-g95x/GHSA-83g8-4c46-g95x.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-83g8-4c46-g95x",
-  "modified": "2025-11-11T18:30:17Z",
+  "modified": "2025-12-08T15:30:30Z",
   "published": "2025-11-11T18:30:17Z",
   "aliases": [
     "CVE-2025-12942"
   ],
   "details": "Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to LAN with ability to perform MiTM attacks and control over DNS Server to perform command execution.This issue affects R6260: through 1.1.0.86; R6850: through 1.1.0.86.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:L/U:Amber"

advisories/unreviewed/2025/11/GHSA-gvh9-7g44-g9mq/GHSA-gvh9-7g44-g9mq.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gvh9-7g44-g9mq",
-  "modified": "2025-11-11T18:30:17Z",
+  "modified": "2025-12-08T15:30:30Z",
   "published": "2025-11-11T18:30:17Z",
   "aliases": [
     "CVE-2025-12943"
   ],
   "details": "Improper certificate\nvalidation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream\nAX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band\nWiFi 6E Router) allows attackers with the ability to intercept and\ntamper traffic destined to the device to execute arbitrary commands on the\ndevice.\n\nDevices\nwith automatic updates enabled may already have this patch applied. If not,\nplease check the firmware version and update to the\nlatest.\n\n\n\nFixed in:\n\n\n\nRAX30 firmware\n1.0.14.108 or later.\n\n\n\nRAXE300 firmware\n1.0.9.82 or later",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:L/U:Amber"

advisories/unreviewed/2025/11/GHSA-q26q-g7qp-vmrr/GHSA-q26q-g7qp-vmrr.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q26q-g7qp-vmrr",
-  "modified": "2025-11-11T18:30:17Z",
+  "modified": "2025-12-08T15:30:31Z",
   "published": "2025-11-11T18:30:17Z",
   "aliases": [
     "CVE-2025-12944"
   ],
   "details": "Improper input validation\nin NETGEAR DGN2200v4 (N300 Wireless ADSL2+ Modem Router) allows attackers with\ndirect network access to the device to potentially execute code on the device.\n\nPlease check the firmware version and update to the latest.\n\n\n\nFixed\nin:\n\n\n\n DGN2200v4\nfirmware 1.0.0.132 or later",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:L/U:Amber"

advisories/unreviewed/2025/11/GHSA-q92w-c8r9-vmc7/GHSA-q92w-c8r9-vmc7.json

@@ -62,7 +62,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-119"
+      "CWE-119",
+      "CWE-120"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2025/11/GHSA-w337-cfcg-vpqj/GHSA-w337-cfcg-vpqj.json

@@ -26,7 +26,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-121"
+      "CWE-121",
+      "CWE-787"
     ],
     "severity": "CRITICAL",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-2342-p33v-prhm/GHSA-2342-p33v-prhm.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2342-p33v-prhm",
+  "modified": "2025-12-08T15:30:31Z",
+  "published": "2025-12-08T15:30:31Z",
+  "aliases": [
+    "CVE-2025-14248"
+  ],
+  "details": "A vulnerability was identified in code-projects Simple Shopping Cart 1.0. Impacted is an unknown function of the file /adminlogin.php. The manipulation of the argument admin_username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14248"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zzb1388/cve/issues/92"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.334758"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.334758"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.702464"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T15:15:49Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-2cg7-x3pg-q7xf/GHSA-2cg7-x3pg-q7xf.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2cg7-x3pg-q7xf",
+  "modified": "2025-12-08T15:30:28Z",
+  "published": "2025-12-08T15:30:28Z",
+  "aliases": [
+    "CVE-2025-9809"
+  ],
+  "details": "Out-of-bounds write in cdfs_open_cue_track in libretro libretro-common latest on all platforms allows remote attackers to execute arbitrary code via a crafted .cue file with a file path exceeding PATH_MAX_LENGTH that is copied using memcpy into a fixed-size buffer.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9809"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/libretro/libretro-common/issues/222"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/libretro/libretro-common/blob/master/formats/cdfs/cdfs.c#L471"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-01T19:15:32Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-2j22-hr4w-47gj/GHSA-2j22-hr4w-47gj.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2j22-hr4w-47gj",
+  "modified": "2025-12-08T15:30:31Z",
+  "published": "2025-12-08T15:30:31Z",
+  "aliases": [
+    "CVE-2025-60912"
+  ],
+  "details": "phpIPAM v1.7.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the database export functionality. The generate-mysql.php function, located in the /app/admin/import-export/ endpoint, allows remote attackers to trigger large database dump downloads via crafted HTTP GET requests if an administrator has an active session.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60912"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/amandrei/a8377d9b71c55156d22aaaf485463d15"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/phpipam/phpipam"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T15:15:50Z"
+  }
+}