Publish Advisories

GHSA-78cg-fc6c-w44w
GHSA-9m3c-qcxr-9x87
GHSA-gcvm-c75m-h4p4
GHSA-wqxq-w68r-wg85
GHSA-78cg-fc6c-w44w
GHSA-9m3c-qcxr-9x87

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-78cg-fc6c-w44w/GHSA-78cg-fc6c-w44w.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-78cg-fc6c-w44w",
+  "modified": "2026-04-10T21:24:13Z",
+  "published": "2026-04-09T18:31:26Z",
+  "aliases": [
+    "CVE-2026-33005"
+  ],
+  "summary": "Apache OpenMeetings has an Improper Handling of Insufficient Privileges vulnerability",
+  "details": "Sny registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object.\n\nThis issue affects Apache OpenMeetings: from 3.10 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.openmeetings:openmeetings-parent"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.10"
+            },
+            {
+              "fixed": "9.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33005"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/openmeetings"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/10"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-274"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-10T21:24:13Z",
+    "nvd_published_at": "2026-04-09T16:16:26Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-9m3c-qcxr-9x87/GHSA-9m3c-qcxr-9x87.json

@@ -0,0 +1,217 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9m3c-qcxr-9x87",
+  "modified": "2026-04-10T21:25:28Z",
+  "published": "2026-04-09T21:31:29Z",
+  "aliases": [
+    "CVE-2026-25854"
+  ],
+  "summary": "Apache Tomcat has an Open Redirect vulnerability",
+  "details": "Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\nOther, unsupported versions may also be affected\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat-catalina"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0.M23"
+            },
+            {
+              "fixed": "9.0.116"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat-catalina"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.1.0-M1"
+            },
+            {
+              "fixed": "10.1.53"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat-catalina"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.0.0-M1"
+            },
+            {
+              "fixed": "11.0.20"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0.M23"
+            },
+            {
+              "fixed": "9.0.116"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.1.0-M1"
+            },
+            {
+              "fixed": "10.1.53"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.0.0-M1"
+            },
+            {
+              "fixed": "11.0.20"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat.embed:tomcat-embed-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0.M23"
+            },
+            {
+              "fixed": "9.0.116"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat.embed:tomcat-embed-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.1.0-M1"
+            },
+            {
+              "fixed": "10.1.53"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat.embed:tomcat-embed-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.0.0-M1"
+            },
+            {
+              "fixed": "11.0.20"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25854"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/tomcat"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/ghct3b6o74bp2vm7q875s1zh0dqrz3h0"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/21"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-601"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-10T21:25:28Z",
+    "nvd_published_at": "2026-04-09T20:16:24Z"
+  }
+}

…-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json …-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.jsonadvisories/unreviewed/2026/04/GHSA-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json renamed to advisories/github-reviewed/2026/04/GHSA-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json advisories/unreviewed/2026/04/GHSA-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json renamed to advisories/github-reviewed/2026/04/GHSA-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json

@@ -1,19 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gcvm-c75m-h4p4",
-  "modified": "2026-04-09T18:31:27Z",
+  "modified": "2026-04-10T21:24:43Z",
   "published": "2026-04-09T18:31:27Z",
   "aliases": [
     "CVE-2026-34020"
   ],
+  "summary": "Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings ",
   "details": "Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.\n\nThe REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact\n\n\nThis issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.openmeetings:openmeetings-parent"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.1.3"
+            },
+            {
+              "fixed": "9.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34020"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/openmeetings"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db"
@@ -31,9 +61,9 @@
     "cwe_ids": [
       "CWE-598"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-10T21:24:43Z",
     "nvd_published_at": "2026-04-09T16:16:27Z"
   }
 }