Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c69b7a50fed9 · 2026-05-12T06:34:04.000Z
GHSA-2rgv-5m49-97j4 GHSA-c7j6-24cr-x2rf GHSA-g8fh-6crc-6rfw GHSA-j38v-jpjg-hvr2 GHSA-mcjh-pcfv-25rh GHSA-ppfx-mp77-6vfg GHSA-v6gq-gxgm-g38r
diff --git a/advisories/unreviewed/2026/05/GHSA-2rgv-5m49-97j4/GHSA-2rgv-5m49-97j4.json b/advisories/unreviewed/2026/05/GHSA-2rgv-5m49-97j4/GHSA-2rgv-5m49-97j4.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2rgv-5m49-97j4",
+  "modified": "2026-05-12T06:31:39Z",
+  "published": "2026-05-12T06:31:39Z",
+  "aliases": [
+    "CVE-2026-7255"
+  ],
+  "details": "** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to brute-force the password and bypass authentication.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7255"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zyxel.com/global/en/support/end-of-life"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-307"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-12T04:16:29Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/05/GHSA-c7j6-24cr-x2rf/GHSA-c7j6-24cr-x2rf.json b/advisories/unreviewed/2026/05/GHSA-c7j6-24cr-x2rf/GHSA-c7j6-24cr-x2rf.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c7j6-24cr-x2rf",
+  "modified": "2026-05-12T06:31:39Z",
+  "published": "2026-05-12T06:31:39Z",
+  "aliases": [
+    "CVE-2026-7256"
+  ],
+  "details": "** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending a crafted HTTP request.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7256"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zyxel.com/global/en/support/end-of-life"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-12T04:16:29Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/05/GHSA-g8fh-6crc-6rfw/GHSA-g8fh-6crc-6rfw.json b/advisories/unreviewed/2026/05/GHSA-g8fh-6crc-6rfw/GHSA-g8fh-6crc-6rfw.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g8fh-6crc-6rfw",
+  "modified": "2026-05-12T06:31:39Z",
+  "published": "2026-05-12T06:31:39Z",
+  "aliases": [
+    "CVE-2026-41530"
+  ],
+  "details": "The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41530"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN68350834"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.chitora.com/jvn68350834.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-12T06:16:09Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/05/GHSA-j38v-jpjg-hvr2/GHSA-j38v-jpjg-hvr2.json b/advisories/unreviewed/2026/05/GHSA-j38v-jpjg-hvr2/GHSA-j38v-jpjg-hvr2.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j38v-jpjg-hvr2",
+  "modified": "2026-05-12T06:31:39Z",
+  "published": "2026-05-12T06:31:39Z",
+  "aliases": [
+    "CVE-2026-7287"
+  ],
+  "details": "** UNSUPPORTED WHEN ASSIGNED ** A buffer overflow vulnerability in the formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert() functions of the “webs” binary in Zyxel NWA1100-N customized firmware version 1.00(AACE.1)C0 could allow an attacker to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request to a vulnerable device.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7287"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zyxel.com/global/en/support/end-of-life"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-12T04:16:29Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/05/GHSA-mcjh-pcfv-25rh/GHSA-mcjh-pcfv-25rh.json b/advisories/unreviewed/2026/05/GHSA-mcjh-pcfv-25rh/GHSA-mcjh-pcfv-25rh.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mcjh-pcfv-25rh",
+  "modified": "2026-05-12T06:31:39Z",
+  "published": "2026-05-12T06:31:39Z",
+  "aliases": [
+    "CVE-2026-41872"
+  ],
+  "details": "\"Kura Sushi Official App\" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41872"
+    },
+    {
+      "type": "WEB",
+      "url": "https://apps.apple.com/jp/app/id942355925"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN38632731"
+    },
+    {
+      "type": "WEB",
+      "url": "https://play.google.com/store/apps/details?id=jp.co.kura_corpo&hl=ja"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-12T06:16:09Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/05/GHSA-ppfx-mp77-6vfg/GHSA-ppfx-mp77-6vfg.json b/advisories/unreviewed/2026/05/GHSA-ppfx-mp77-6vfg/GHSA-ppfx-mp77-6vfg.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ppfx-mp77-6vfg",
+  "modified": "2026-05-12T06:31:39Z",
+  "published": "2026-05-12T06:31:39Z",
+  "aliases": [
+    "CVE-2026-7257"
+  ],
+  "details": "** UNSUPPORTED WHEN ASSIGNED ** An insecure storage of sensitive information vulnerability in the configuration file of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow a local attacker with administrator privileges to download and decrypt a backup configuration file.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7257"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zyxel.com/global/en/support/end-of-life"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-922"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-12T04:16:29Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/05/GHSA-v6gq-gxgm-g38r/GHSA-v6gq-gxgm-g38r.json b/advisories/unreviewed/2026/05/GHSA-v6gq-gxgm-g38r/GHSA-v6gq-gxgm-g38r.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v6gq-gxgm-g38r",
+  "modified": "2026-05-12T06:31:39Z",
+  "published": "2026-05-12T06:31:39Z",
+  "aliases": [
+    "CVE-2026-45430"
+  ],
+  "details": "The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45430"
+    },
+    {
+      "type": "WEB",
+      "url": "https://backdropcms.org/security/backdrop-sa-contrib-2026-001"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-05-12T04:16:28Z"
+  }
+}
