Publish Advisories

GHSA-5fj6-q8x2-56g8
GHSA-hg24-p7xv-jhq8
GHSA-25fg-84xv-353x
GHSA-445m-jc4j-p5gf
GHSA-5c89-ppg6-hr22
GHSA-5fjm-c352-35cv
GHSA-5jxj-w72m-5c8f
GHSA-769c-phxp-jfff
GHSA-79wq-mgjf-5cc2
GHSA-7gjx-r4jj-vjx7
GHSA-8rxc-fxqr-8jx3
GHSA-cqhp-94c2-gjjc
GHSA-cwm4-pqjw-r7wj
GHSA-f5x4-gf23-wqm9
GHSA-ffq4-j9j8-23g6
GHSA-frr2-5qjr-h4hw
GHSA-j5q3-pwqh-x9p9
GHSA-jvjc-r7p7-fpch
GHSA-mfj7-9xw3-8j4j
GHSA-qvmh-94p6-pp46
GHSA-rh96-w7cw-pph4
GHSA-w49q-28cv-9prc
GHSA-wm74-pvww-q7h2
GHSA-wv7p-q4p2-p6pf

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-5fj6-q8x2-56g8/GHSA-5fj6-q8x2-56g8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5fj6-q8x2-56g8",
-  "modified": "2026-01-16T21:30:36Z",
+  "modified": "2026-03-23T21:30:49Z",
   "published": "2026-01-16T18:31:33Z",
   "aliases": [
     "CVE-2025-51602"
@@ -23,6 +23,10 @@
       "type": "WEB",
       "url": "https://code.videolan.org/videolan/vlc/-/issues/29146"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00011.html"
+    },
     {
       "type": "WEB",
       "url": "https://www.videolan.org/security/sb-vlc3022.html"

advisories/unreviewed/2026/02/GHSA-hg24-p7xv-jhq8/GHSA-hg24-p7xv-jhq8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hg24-p7xv-jhq8",
-  "modified": "2026-02-13T12:31:21Z",
+  "modified": "2026-03-23T21:30:49Z",
   "published": "2026-02-13T12:31:21Z",
   "aliases": [
     "CVE-2026-2443"
@@ -26,6 +26,10 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439671"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/487"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/03/GHSA-25fg-84xv-353x/GHSA-25fg-84xv-353x.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-25fg-84xv-353x",
+  "modified": "2026-03-23T21:30:51Z",
+  "published": "2026-03-23T21:30:51Z",
+  "aliases": [
+    "CVE-2026-2298"
+  ],
+  "details": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2298"
+    },
+    {
+      "type": "WEB",
+      "url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-88"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T20:16:25Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-445m-jc4j-p5gf/GHSA-445m-jc4j-p5gf.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-445m-jc4j-p5gf",
+  "modified": "2026-03-23T21:30:52Z",
+  "published": "2026-03-23T21:30:52Z",
+  "aliases": [
+    "CVE-2026-4368"
+  ],
+  "details": "Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4368"
+    },
+    {
+      "type": "WEB",
+      "url": "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T21:17:17Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-5c89-ppg6-hr22/GHSA-5c89-ppg6-hr22.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5c89-ppg6-hr22",
+  "modified": "2026-03-23T21:30:51Z",
+  "published": "2026-03-23T21:30:51Z",
+  "aliases": [
+    "CVE-2026-0898"
+  ],
+  "details": "An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes malicious code. The vulnerability may be exploited if a Pega Robot Studio developer is deceived into visiting this website during interrogation mode in Robot Studio.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0898"
+    },
+    {
+      "type": "WEB",
+      "url": "https://support.pega.com/support-doc/pega-security-advisory-p25-vulnerability-remediation-note"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T19:16:39Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-5fjm-c352-35cv/GHSA-5fjm-c352-35cv.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5fjm-c352-35cv",
+  "modified": "2026-03-23T21:30:52Z",
+  "published": "2026-03-23T21:30:52Z",
+  "aliases": [
+    "CVE-2026-32851"
+  ],
+  "details": "MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32851"
+    },
+    {
+      "type": "WEB",
+      "url": "https://karmainsecurity.com/KIS-2026-05"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mailenable.com/Standard-ReleaseNotes.txt"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mailenable.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-attendees-parameter"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T20:16:27Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-5jxj-w72m-5c8f/GHSA-5jxj-w72m-5c8f.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5jxj-w72m-5c8f",
-  "modified": "2026-03-23T18:30:31Z",
+  "modified": "2026-03-23T21:30:51Z",
   "published": "2026-03-23T18:30:31Z",
   "aliases": [
     "CVE-2026-32845"
   ],
   "details": "cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/03/GHSA-769c-phxp-jfff/GHSA-769c-phxp-jfff.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-769c-phxp-jfff",
-  "modified": "2026-03-17T18:30:33Z",
+  "modified": "2026-03-23T21:30:49Z",
   "published": "2026-03-17T18:30:33Z",
   "aliases": [
     "CVE-2026-32292"
@@ -23,6 +23,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32292"
     },
+    {
+      "type": "WEB",
+      "url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.7.2"
+    },
     {
       "type": "WEB",
       "url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network"

advisories/unreviewed/2026/03/GHSA-79wq-mgjf-5cc2/GHSA-79wq-mgjf-5cc2.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-79wq-mgjf-5cc2",
+  "modified": "2026-03-23T21:30:51Z",
+  "published": "2026-03-23T21:30:51Z",
+  "aliases": [
+    "CVE-2025-52204"
+  ],
+  "details": "A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52204"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/j0qq3r/CVE-2025-52204"
+    },
+    {
+      "type": "WEB",
+      "url": "http://znuny.com"
+    },
+    {
+      "type": "WEB",
+      "url": "http://znunyitsm.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T20:16:23Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-7gjx-r4jj-vjx7/GHSA-7gjx-r4jj-vjx7.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7gjx-r4jj-vjx7",
+  "modified": "2026-03-23T21:30:51Z",
+  "published": "2026-03-23T21:30:51Z",
+  "aliases": [
+    "CVE-2025-15606"
+  ],
+  "details": "A Denial-of-Service (DoS) vulnerability in the httpd component of TP-Link's TD-W8961N v4.0 due to improper input sanitization, allows crafted requests to trigger a processing error that causes the httpd service to crash.  Successful exploitation may allow the attacker to cause service interruption, resulting in a DoS condition.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15606"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/en/support/download/td-w8961n/v4/#Firmware"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/us/support/faq/5028"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-23T19:16:38Z"
+  }
+}