Publish Advisories

GHSA-3222-mcx9-476q
GHSA-668h-3f4c-v8mw
GHSA-cx4j-69qv-4cwj
GHSA-gwm6-pqm9-27rp
GHSA-hcg2-h235-rfjm
GHSA-r5f8-6g75-8gj8
GHSA-rx3f-2wfj-p6wv
GHSA-v9p2-66r4-9qhr
GHSA-wcvq-gwcq-gwhf
GHSA-xc7m-2p37-4qw2
GHSA-xv48-qfxm-rc53

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-3222-mcx9-476q/GHSA-3222-mcx9-476q.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3222-mcx9-476q",
-  "modified": "2026-01-05T21:30:32Z",
+  "modified": "2026-01-06T00:30:22Z",
   "published": "2026-01-05T21:30:32Z",
   "aliases": [
     "CVE-2025-49495"
   ],
   "details": "An issue was discovered in the WiFi driver in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580. Mishandling of an NL80211 vendor command leads to a buffer overflow.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-05T19:15:56Z"

advisories/unreviewed/2026/01/GHSA-668h-3f4c-v8mw/GHSA-668h-3f4c-v8mw.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-668h-3f4c-v8mw",
-  "modified": "2026-01-05T21:30:32Z",
+  "modified": "2026-01-06T00:30:22Z",
   "published": "2026-01-05T21:30:32Z",
   "aliases": [
     "CVE-2025-43706"
   ],
   "details": "An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. Incorrect handling of RRC packets leads to a Denial of Service.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-05T19:15:56Z"

advisories/unreviewed/2026/01/GHSA-cx4j-69qv-4cwj/GHSA-cx4j-69qv-4cwj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cx4j-69qv-4cwj",
-  "modified": "2026-01-05T21:30:32Z",
+  "modified": "2026-01-06T00:30:22Z",
   "published": "2026-01-05T21:30:32Z",
   "aliases": [
     "CVE-2025-53966"
   ],
   "details": "An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow during handling of an IOCTL message.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-05T19:15:56Z"

advisories/unreviewed/2026/01/GHSA-gwm6-pqm9-27rp/GHSA-gwm6-pqm9-27rp.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gwm6-pqm9-27rp",
-  "modified": "2026-01-05T18:30:23Z",
+  "modified": "2026-01-06T00:30:22Z",
   "published": "2026-01-05T18:30:23Z",
   "aliases": [
     "CVE-2025-67316"
   ],
   "details": "An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-05T17:15:46Z"

advisories/unreviewed/2026/01/GHSA-hcg2-h235-rfjm/GHSA-hcg2-h235-rfjm.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hcg2-h235-rfjm",
+  "modified": "2026-01-06T00:30:24Z",
+  "published": "2026-01-06T00:30:24Z",
+  "aliases": [
+    "CVE-2026-0606"
+  ],
+  "details": "A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0606"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md#vulnerability-details-and-poc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.339550"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.339550"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.731696"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-05T23:15:41Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-r5f8-6g75-8gj8/GHSA-r5f8-6g75-8gj8.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r5f8-6g75-8gj8",
-  "modified": "2026-01-05T18:30:22Z",
+  "modified": "2026-01-06T00:30:21Z",
   "published": "2026-01-05T18:30:22Z",
   "aliases": [
     "CVE-2025-52519"
   ],
   "details": "An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, and W1000. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-05T17:15:45Z"

advisories/unreviewed/2026/01/GHSA-rx3f-2wfj-p6wv/GHSA-rx3f-2wfj-p6wv.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rx3f-2wfj-p6wv",
-  "modified": "2026-01-05T18:30:23Z",
+  "modified": "2026-01-06T00:30:22Z",
   "published": "2026-01-05T18:30:23Z",
   "aliases": [
     "CVE-2025-65922"
   ],
   "details": "PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because \"PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes.\"",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-1021"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-05T18:15:44Z"

advisories/unreviewed/2026/01/GHSA-v9p2-66r4-9qhr/GHSA-v9p2-66r4-9qhr.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v9p2-66r4-9qhr",
+  "modified": "2026-01-06T00:30:23Z",
+  "published": "2026-01-06T00:30:23Z",
+  "aliases": [
+    "CVE-2026-0625"
+  ],
+  "details": "Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0625"
+    },
+    {
+      "type": "WEB",
+      "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-05T22:15:54Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-wcvq-gwcq-gwhf/GHSA-wcvq-gwcq-gwhf.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wcvq-gwcq-gwhf",
-  "modified": "2026-01-05T18:30:22Z",
+  "modified": "2026-01-06T00:30:21Z",
   "published": "2026-01-05T18:30:22Z",
   "aliases": [
     "CVE-2025-57836"
   ],
   "details": "An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-427"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-05T17:15:45Z"