Publish Advisories

GHSA-78pv-qq8x-94px
GHSA-g347-f6xx-g55w
GHSA-p6p5-j5xg-r643
GHSA-p88x-88cf-mv94
GHSA-qmq6-f8pr-cx5x
GHSA-wrv8-79m2-qg24

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-78pv-qq8x-94px/GHSA-78pv-qq8x-94px.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-78pv-qq8x-94px",
+  "modified": "2026-04-23T06:30:22Z",
+  "published": "2026-04-23T06:30:22Z",
+  "aliases": [
+    "CVE-2026-41990"
+  ],
+  "details": "Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41990"
+    },
+    {
+      "type": "WEB",
+      "url": "https://dev.gnupg.org/T8208"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2026/04/21/1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-23T05:16:05Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-g347-f6xx-g55w/GHSA-g347-f6xx-g55w.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g347-f6xx-g55w",
+  "modified": "2026-04-23T06:30:22Z",
+  "published": "2026-04-23T06:30:22Z",
+  "aliases": [
+    "CVE-2026-40529"
+  ],
+  "details": "CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN08026319"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-23T05:16:04Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-p6p5-j5xg-r643/GHSA-p6p5-j5xg-r643.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p6p5-j5xg-r643",
+  "modified": "2026-04-23T06:30:22Z",
+  "published": "2026-04-23T06:30:22Z",
+  "aliases": [
+    "CVE-2026-3361"
+  ],
+  "details": "The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3361"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3482539/wp-store-locator"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b6cbb5-d82d-4035-b0c8-5c1aaee31993?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-23T04:16:18Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-p88x-88cf-mv94/GHSA-p88x-88cf-mv94.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p88x-88cf-mv94",
+  "modified": "2026-04-23T06:30:22Z",
+  "published": "2026-04-23T06:30:22Z",
+  "aliases": [
+    "CVE-2026-3007"
+  ],
+  "details": "Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3007"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-042"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-23T04:16:07Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-qmq6-f8pr-cx5x/GHSA-qmq6-f8pr-cx5x.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qmq6-f8pr-cx5x",
+  "modified": "2026-04-23T06:30:22Z",
+  "published": "2026-04-23T06:30:22Z",
+  "aliases": [
+    "CVE-2026-41988"
+  ],
+  "details": "uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41988"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-670"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-23T05:16:05Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-wrv8-79m2-qg24/GHSA-wrv8-79m2-qg24.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wrv8-79m2-qg24",
+  "modified": "2026-04-23T06:30:22Z",
+  "published": "2026-04-23T06:30:22Z",
+  "aliases": [
+    "CVE-2026-41989"
+  ],
+  "details": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41989"
+    },
+    {
+      "type": "WEB",
+      "url": "https://dev.gnupg.org/T8211"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2026/04/21/1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-23T05:16:05Z"
+  }
+}