Publish Advisories

GHSA-2j8h-v2cv-qh49
GHSA-52xr-h9vp-pxcj
GHSA-582g-j67j-5q79
GHSA-75rg-9xc6-32c8
GHSA-8x9f-c335-83wq
GHSA-9grv-gr5x-p4v6
GHSA-9v4r-x2jq-w7jg
GHSA-c8m8-4468-h6xx
GHSA-hpq9-6qf2-m9fm
GHSA-j8r9-fj5r-fm7x
GHSA-m47x-pvpv-3jg6
GHSA-p873-9x3v-gmvh
GHSA-x32v-jmqh-4323

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-2j8h-v2cv-qh49/GHSA-2j8h-v2cv-qh49.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2j8h-v2cv-qh49",
+  "modified": "2026-04-06T06:30:29Z",
+  "published": "2026-04-06T06:30:29Z",
+  "aliases": [
+    "CVE-2026-5621"
+  ],
+  "details": "A vulnerability was found in ChrisChinchilla Vale-MCP up to 0.1.0. Affected by this vulnerability is an unknown functionality of the file src/index.ts of the component HTTP Interface. The manipulation of the argument config_path results in os command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5621"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wing3e/public_exp/issues/27"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/785591"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355411"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355411/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-06T05:16:02Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-52xr-h9vp-pxcj/GHSA-52xr-h9vp-pxcj.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-52xr-h9vp-pxcj",
+  "modified": "2026-04-06T06:30:29Z",
+  "published": "2026-04-06T06:30:29Z",
+  "aliases": [
+    "CVE-2026-5616"
+  ],
+  "details": "A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to missing authentication. The attack can be executed remotely. The name of the patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. It is best practice to apply a patch to resolve this issue. The project fixed the issue with a commit which shall be part of the next official release.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5616"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jeecgboot/JeecgBoot/issues/9464"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jeecgboot/JeecgBoot/pull/9463"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jeecgboot/JeecgBoot/commit/b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jeecgboot/JeecgBoot"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/785570"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355407"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355407/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-06T04:16:13Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-582g-j67j-5q79/GHSA-582g-j67j-5q79.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-582g-j67j-5q79",
+  "modified": "2026-04-06T06:30:29Z",
+  "published": "2026-04-06T06:30:29Z",
+  "aliases": [
+    "CVE-2026-5618"
+  ],
+  "details": "A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5618"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/785572"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355408"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355408/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulnplus-note.wetolink.com/share/3VtzyzYgcS4b"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-06T04:16:14Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-75rg-9xc6-32c8/GHSA-75rg-9xc6-32c8.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-75rg-9xc6-32c8",
+  "modified": "2026-04-06T06:30:30Z",
+  "published": "2026-04-06T06:30:30Z",
+  "aliases": [
+    "CVE-2026-5628"
+  ],
+  "details": "A security vulnerability has been detected in Belkin F9K1015 1.00.10. Impacted is the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. The manipulation of the argument webpage leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5628"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/Belkin%20F9K1015/vul_12/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/785555"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355416"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355416/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-06T06:16:22Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8x9f-c335-83wq/GHSA-8x9f-c335-83wq.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8x9f-c335-83wq",
+  "modified": "2026-04-06T06:30:29Z",
+  "published": "2026-04-06T06:30:29Z",
+  "aliases": [
+    "CVE-2026-5624"
+  ],
+  "details": "A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version r2029 is able to resolve this issue. The patch is named 2c0d25824ab571b6c219ac1a188ad9350149661b. You should upgrade the affected component.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5624"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/projectsend/projectsend/commit/2c0d25824ab571b6c219ac1a188ad9350149661b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/projectsend/projectsend"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/projectsend/projectsend/releases/tag/r2029"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/785731"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355414"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355414/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-06T06:16:21Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-9grv-gr5x-p4v6/GHSA-9grv-gr5x-p4v6.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9grv-gr5x-p4v6",
+  "modified": "2026-04-06T06:30:28Z",
+  "published": "2026-04-06T06:30:28Z",
+  "aliases": [
+    "CVE-2026-5614"
+  ],
+  "details": "A security flaw has been discovered in Belkin F9K1015 1.00.10. Impacted is the function formSetPassword of the file /goform/formSetPassword. The manipulation of the argument webpage results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5614"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/Belkin%20F9K1015/vul_11/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/785554"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355405"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355405/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-06T04:16:09Z"
+  }
+}