Skip to content

Commit 97d3166

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-4gvx-284h-fwmm GHSA-5xx4-vfw9-vhfp
1 parent 133f2ec commit 97d3166

File tree

2 files changed

+120
-0
lines changed

2 files changed

+120
-0
lines changed

advisories/unreviewed/2026/04/GHSA-4gvx-284h-fwmm/GHSA-4gvx-284h-fwmm.json

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4gvx-284h-fwmm",
4+
"modified": "2026-04-12T00:32:57Z",
5+
"published": "2026-04-12T00:32:57Z",
6+
"aliases": [
7+
"CVE-2026-6106"
8+
],
9+
"details": "A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6106"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://github.com/AnalogyC0de/public_exp/issues/23"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://github.com/1Panel-dev/MaxKB/pull/4919"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://github.com/1Panel-dev/MaxKB"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://vuldb.com/submit/781810"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://vuldb.com/vuln/356965"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://vuldb.com/vuln/356965/cti"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-79"
62+
],
63+
"severity": "MODERATE",
64+
"github_reviewed": false,
65+
"github_reviewed_at": null,
66+
"nvd_published_at": "2026-04-11T23:16:05Z"
67+
}
68+
}

advisories/unreviewed/2026/04/GHSA-5xx4-vfw9-vhfp/GHSA-5xx4-vfw9-vhfp.json

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5xx4-vfw9-vhfp",
4+
"modified": "2026-04-12T00:32:57Z",
5+
"published": "2026-04-12T00:32:57Z",
6+
"aliases": [
7+
"CVE-2026-6105"
8+
],
9+
"details": "A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6105"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://gitee.com/ying-xiujie/cve/issues/IGB6M9"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://vuldb.com/submit/781598"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://vuldb.com/vuln/356964"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://vuldb.com/vuln/356964/cti"
41+
}
42+
],
43+
"database_specific": {
44+
"cwe_ids": [
45+
"CWE-266"
46+
],
47+
"severity": "MODERATE",
48+
"github_reviewed": false,
49+
"github_reviewed_at": null,
50+
"nvd_published_at": "2026-04-11T22:16:01Z"
51+
}
52+
}

0 commit comments

Comments
 (0)