github
diff --git a/‎advisories/unreviewed/2026/03/GHSA-2926-f789-68jv/GHSA-2926-f789-68jv.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-2926-f789-68jv/GHSA-2926-f789-68jv.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-2qpc-rpxq-phv6/GHSA-2qpc-rpxq-phv6.json‎
Lines changed: 40 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-2qpc-rpxq-phv6/GHSA-2qpc-rpxq-phv6.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-32px-r229-cx92/GHSA-32px-r229-cx92.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-32px-r229-cx92/GHSA-32px-r229-cx92.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-4x24-3v7p-2g45/GHSA-4x24-3v7p-2g45.json‎
Lines changed: 56 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-4x24-3v7p-2g45/GHSA-4x24-3v7p-2g45.json‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-56rf-g9gc-682p/GHSA-56rf-g9gc-682p.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-56rf-g9gc-682p/GHSA-56rf-g9gc-682p.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-6m84-3f7p-p24x/GHSA-6m84-3f7p-p24x.json‎
Lines changed: 25 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-6m84-3f7p-p24x/GHSA-6m84-3f7p-p24x.json‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-78v3-9w5r-92fm/GHSA-78v3-9w5r-92fm.json‎
Lines changed: 25 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-78v3-9w5r-92fm/GHSA-78v3-9w5r-92fm.json‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-7j7f-88p8-wh55/GHSA-7j7f-88p8-wh55.json‎
Lines changed: 25 additions & 0 deletions b/‎advisories/unreviewed/2026/03/GHSA-7j7f-88p8-wh55/GHSA-7j7f-88p8-wh55.json‎
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2926-f789-68jv",
+  "modified": "2026-03-24T00:30:24Z",
+  "published": "2026-03-24T00:30:24Z",
+  "aliases": [
+    "CVE-2025-60949"
+  ],
+  "details": "Census CSWeb 8.0.1 allows \"app/config\" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in 8.1.0 alpha.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60949"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hx381/cspro-exploits"
+    },
+    {
+      "type": "WEB",
+      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cve.org/CVERecord?id=CVE-2025-60949"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T22:16:23Z"
+  }
+}
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2qpc-rpxq-phv6",
+  "modified": "2026-03-24T00:30:26Z",
+  "published": "2026-03-24T00:30:26Z",
+  "aliases": [
+    "CVE-2026-4001"
+  ],
+  "details": "The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: \"custom\" with {this.value}).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4001"
+    },
+    {
+      "type": "WEB",
+      "url": "https://acowebs.com/woo-custom-product-addons"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-95"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-24T00:16:31Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-32px-r229-cx92",
+  "modified": "2026-03-24T00:30:24Z",
+  "published": "2026-03-24T00:30:24Z",
+  "aliases": [
+    "CVE-2025-60948"
+  ],
+  "details": "Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hx381/cspro-exploits"
+    },
+    {
+      "type": "WEB",
+      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cve.org/CVERecord?id=CVE-2025-60948"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T22:16:22Z"
+  }
+}
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4x24-3v7p-2g45",
+  "modified": "2026-03-24T00:30:26Z",
+  "published": "2026-03-24T00:30:26Z",
+  "aliases": [
+    "CVE-2026-4614"
+  ],
+  "details": "A vulnerability was determined in itsourcecode sanitize or validate this input 1.0. This issue affects some unknown processing of the file /admin/subjects.php of the component Parameter Handler. This manipulation of the argument subject_code causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4614"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ltranquility/submit/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.352478"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.352478"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.775723"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-24T00:16:31Z"
+  }
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-56rf-g9gc-682p",
+  "modified": "2026-03-24T00:30:25Z",
+  "published": "2026-03-24T00:30:25Z",
+  "aliases": [
+    "CVE-2026-4611"
+  ],
+  "details": "A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4611"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.352475"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.352475"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.775642"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T22:16:31Z"
+  }
+}
@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6m84-3f7p-p24x",
+  "modified": "2026-03-24T00:30:25Z",
+  "published": "2026-03-24T00:30:25Z",
+  "aliases": [
+    "CVE-2026-32900"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32900"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T22:16:28Z"
+  }
+}
@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-78v3-9w5r-92fm",
+  "modified": "2026-03-24T00:30:25Z",
+  "published": "2026-03-24T00:30:25Z",
+  "aliases": [
+    "CVE-2026-32903"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32903"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T22:16:28Z"
+  }
+}
@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7j7f-88p8-wh55",
+  "modified": "2026-03-24T00:30:25Z",
+  "published": "2026-03-24T00:30:25Z",
+  "aliases": [
+    "CVE-2026-32912"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32912"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T22:16:30Z"
+  }
+}