Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 34542387acdd · 2026-01-17T21:31:53.000Z
GHSA-5xmm-95mj-42h8 GHSA-953g-4687-9x69 GHSA-998w-jcr6-gwpq GHSA-pw2c-2hgc-6mqr GHSA-rh9h-pmww-rx47 GHSA-wch8-cq6g-885r GHSA-wpc5-4frv-w876
diff --git a/advisories/unreviewed/2025/08/GHSA-5xmm-95mj-42h8/GHSA-5xmm-95mj-42h8.json b/advisories/unreviewed/2025/08/GHSA-5xmm-95mj-42h8/GHSA-5xmm-95mj-42h8.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5xmm-95mj-42h8",
-  "modified": "2025-11-05T00:31:24Z",
+  "modified": "2026-01-17T21:30:27Z",
   "published": "2025-08-11T21:31:40Z",
   "aliases": [
     "CVE-2025-40920"
@@ -23,6 +23,10 @@
       "type": "WEB",
       "url": "https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18.patch"
diff --git a/advisories/unreviewed/2026/01/GHSA-953g-4687-9x69/GHSA-953g-4687-9x69.json b/advisories/unreviewed/2026/01/GHSA-953g-4687-9x69/GHSA-953g-4687-9x69.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-953g-4687-9x69",
+  "modified": "2026-01-17T21:30:28Z",
+  "published": "2026-01-17T21:30:28Z",
+  "aliases": [
+    "CVE-2026-1064"
+  ],
+  "details": "A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1064"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report2.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341632"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341632"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731308"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-17T21:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-998w-jcr6-gwpq/GHSA-998w-jcr6-gwpq.json b/advisories/unreviewed/2026/01/GHSA-998w-jcr6-gwpq/GHSA-998w-jcr6-gwpq.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-998w-jcr6-gwpq",
+  "modified": "2026-01-17T21:30:28Z",
+  "published": "2026-01-17T21:30:28Z",
+  "aliases": [
+    "CVE-2026-1066"
+  ],
+  "details": "A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1066"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/DReazer/CV3/blob/main/Krce.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341665"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341665"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731436"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-17T21:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-pw2c-2hgc-6mqr/GHSA-pw2c-2hgc-6mqr.json b/advisories/unreviewed/2026/01/GHSA-pw2c-2hgc-6mqr/GHSA-pw2c-2hgc-6mqr.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pw2c-2hgc-6mqr",
+  "modified": "2026-01-17T21:30:27Z",
+  "published": "2026-01-17T21:30:27Z",
+  "aliases": [
+    "CVE-2026-1059"
+  ],
+  "details": "A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1059"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wangchaoxing/CVE/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341628"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341628"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731236"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-17T19:15:50Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-rh9h-pmww-rx47/GHSA-rh9h-pmww-rx47.json b/advisories/unreviewed/2026/01/GHSA-rh9h-pmww-rx47/GHSA-rh9h-pmww-rx47.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rh9h-pmww-rx47",
+  "modified": "2026-01-17T21:30:27Z",
+  "published": "2026-01-17T21:30:27Z",
+  "aliases": [
+    "CVE-2026-1062"
+  ],
+  "details": "A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1062"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%881%EF%BC%89.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%882%EF%BC%89.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341630"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341630"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731241"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731242"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-17T20:15:53Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-wch8-cq6g-885r/GHSA-wch8-cq6g-885r.json b/advisories/unreviewed/2026/01/GHSA-wch8-cq6g-885r/GHSA-wch8-cq6g-885r.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wch8-cq6g-885r",
+  "modified": "2026-01-17T21:30:27Z",
+  "published": "2026-01-17T21:30:27Z",
+  "aliases": [
+    "CVE-2026-1061"
+  ],
+  "details": "A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1061"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341629"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341629"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731240"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-17T19:15:51Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-wpc5-4frv-w876/GHSA-wpc5-4frv-w876.json b/advisories/unreviewed/2026/01/GHSA-wpc5-4frv-w876/GHSA-wpc5-4frv-w876.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wpc5-4frv-w876",
+  "modified": "2026-01-17T21:30:28Z",
+  "published": "2026-01-17T21:30:28Z",
+  "aliases": [
+    "CVE-2026-1063"
+  ],
+  "details": "A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1063"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report1.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341631"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341631"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731303"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-17T20:15:53Z"
+  }
+}
