Skip to content

Commit 20640c5

Browse files
1 parent 25d31fe commit 20640c5

9 files changed

Lines changed: 536 additions & 0 deletions

File tree

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2r76-r3fx-jwv2",
4+
"modified": "2026-06-01T00:30:22Z",
5+
"published": "2026-06-01T00:30:22Z",
6+
"aliases": [
7+
"CVE-2026-10197"
8+
],
9+
"details": "A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10197"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://github.com/assimp/assimp/issues/6608"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://github.com/assimp/assimp/pull/6645"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/assimp/assimp"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://github.com/user-attachments/files/27193894/poc.zip"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://vuldb.com/cve/CVE-2026-10197"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://vuldb.com/submit/821177"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://vuldb.com/vuln/367477"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://vuldb.com/vuln/367477/cti"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-404"
62+
],
63+
"severity": "LOW",
64+
"github_reviewed": false,
65+
"github_reviewed_at": null,
66+
"nvd_published_at": "2026-05-31T22:16:54Z"
67+
}
68+
}
Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6jj7-xf98-rxhg",
4+
"modified": "2026-06-01T00:30:22Z",
5+
"published": "2026-06-01T00:30:22Z",
6+
"aliases": [
7+
"CVE-2026-10201"
8+
],
9+
"details": "A vulnerability was determined in Assimp up to 6.0.4. This vulnerability affects the function FBXExporter::WriteObjects of the file FBXExporter.cpp of the component UV Channel Handler. Executing a manipulation can lead to divide by zero. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The project tagged the reported issue as bug.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10201"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://github.com/assimp/assimp/issues/6613"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://github.com/assimp/assimp"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/user-attachments/files/27153727/poc.zip"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://vuldb.com/cve/CVE-2026-10201"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://vuldb.com/submit/821182"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://vuldb.com/vuln/367481"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://vuldb.com/vuln/367481/cti"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-369"
58+
],
59+
"severity": "LOW",
60+
"github_reviewed": false,
61+
"github_reviewed_at": null,
62+
"nvd_published_at": "2026-06-01T00:16:41Z"
63+
}
64+
}
Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6rfw-vrjc-wff7",
4+
"modified": "2026-06-01T00:30:22Z",
5+
"published": "2026-06-01T00:30:22Z",
6+
"aliases": [
7+
"CVE-2026-10199"
8+
],
9+
"details": "A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10199"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://github.com/assimp/assimp/issues/6611"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://github.com/assimp/assimp/pull/6646"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/assimp/assimp/commit/d24b85319bd70c65883a2b96613e07e23fb95981"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://github.com/assimp/assimp"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/user-attachments/files/27194148/poc.zip"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://vuldb.com/cve/CVE-2026-10199"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://vuldb.com/submit/821179"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://vuldb.com/vuln/367479"
57+
},
58+
{
59+
"type": "WEB",
60+
"url": "https://vuldb.com/vuln/367479/cti"
61+
}
62+
],
63+
"database_specific": {
64+
"cwe_ids": [
65+
"CWE-404"
66+
],
67+
"severity": "LOW",
68+
"github_reviewed": false,
69+
"github_reviewed_at": null,
70+
"nvd_published_at": "2026-05-31T23:16:42Z"
71+
}
72+
}
Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-7m2c-m24q-64cc",
4+
"modified": "2026-06-01T00:30:22Z",
5+
"published": "2026-06-01T00:30:22Z",
6+
"aliases": [
7+
"CVE-2026-10198"
8+
],
9+
"details": "A flaw has been found in Assimp up to 6.0.4. Affected by this vulnerability is the function Assimp::glTFImporter::ImportMeshes of the file glTFImporter.cpp of the component glTFImporter. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been published and may be used. The project tagged the reported issue as bug.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10198"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://github.com/assimp/assimp/issues/6609"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://github.com/assimp/assimp"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/user-attachments/files/27193865/poc.zip"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://vuldb.com/cve/CVE-2026-10198"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://vuldb.com/submit/821178"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://vuldb.com/vuln/367478"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://vuldb.com/vuln/367478/cti"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-404"
58+
],
59+
"severity": "LOW",
60+
"github_reviewed": false,
61+
"github_reviewed_at": null,
62+
"nvd_published_at": "2026-05-31T23:16:41Z"
63+
}
64+
}
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-7q9m-w2v3-fh9v",
4+
"modified": "2026-06-01T00:30:22Z",
5+
"published": "2026-06-01T00:30:22Z",
6+
"aliases": [
7+
"CVE-2026-10204"
8+
],
9+
"details": "A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file \\ofcms-admin\\src\\main\\java\\com\\ofsoft\\cms\\admin\\controller\\system\\SysUserController.java of the component JSON Query Interface. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10204"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://gitee.com/oufu/ofcms/issues/IJLL09"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://vuldb.com/cve/CVE-2026-10204"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://vuldb.com/submit/821697"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://vuldb.com/vuln/367484"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://vuldb.com/vuln/367484/cti"
45+
}
46+
],
47+
"database_specific": {
48+
"cwe_ids": [
49+
"CWE-74"
50+
],
51+
"severity": "LOW",
52+
"github_reviewed": false,
53+
"github_reviewed_at": null,
54+
"nvd_published_at": "2026-06-01T00:16:42Z"
55+
}
56+
}
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-c5w8-92g9-6wrj",
4+
"modified": "2026-06-01T00:30:22Z",
5+
"published": "2026-06-01T00:30:22Z",
6+
"aliases": [
7+
"CVE-2026-10203"
8+
],
9+
"details": "A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file \\ofcms-admin\\src\\main\\java\\com\\ofsoft\\cms\\admin\\controller\\system\\SystemParamController.java of the component JSON Query Interface. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10203"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://gitee.com/oufu/ofcms/issues/IJLIYP"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://vuldb.com/cve/CVE-2026-10203"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://vuldb.com/submit/821197"
37+
},
38+
{
39+
"type": "WEB",
40+
"url": "https://vuldb.com/vuln/367483"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://vuldb.com/vuln/367483/cti"
45+
}
46+
],
47+
"database_specific": {
48+
"cwe_ids": [
49+
"CWE-74"
50+
],
51+
"severity": "LOW",
52+
"github_reviewed": false,
53+
"github_reviewed_at": null,
54+
"nvd_published_at": "2026-06-01T00:16:42Z"
55+
}
56+
}

0 commit comments

Comments
 (0)