Publish Advisories

GHSA-pcjv-393q-rqf2
GHSA-78xx-4783-fh7x
GHSA-cc62-3p5g-fr7j
GHSA-4773-3jfm-qmx3
GHSA-636g-4q6w-639h
GHSA-6hcq-hmm3-jj3c
GHSA-8hfc-fq58-r658
GHSA-f53h-mxv9-cp98
GHSA-m9r6-9wmx-24jv
GHSA-mf92-479x-3373
GHSA-mgvc-8q2h-5pgc
GHSA-pgvr-52h5-9c35
GHSA-wx98-99rr-664q

Author: advisory-database[bot]

advisories/unreviewed/2024/01/GHSA-pcjv-393q-rqf2/GHSA-pcjv-393q-rqf2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pcjv-393q-rqf2",
-  "modified": "2025-08-04T21:30:36Z",
+  "modified": "2026-03-20T00:31:26Z",
   "published": "2024-01-18T06:30:25Z",
   "aliases": [
     "CVE-2023-6816"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2024:2996"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2024:2995"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2024:2170"

advisories/unreviewed/2026/02/GHSA-78xx-4783-fh7x/GHSA-78xx-4783-fh7x.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-78xx-4783-fh7x",
-  "modified": "2026-02-06T21:30:47Z",
+  "modified": "2026-03-20T00:31:26Z",
   "published": "2026-02-02T18:31:33Z",
   "aliases": [
     "CVE-2026-22225"
@@ -23,6 +23,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22225"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware"
+    },
     {
       "type": "WEB",
       "url": "https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware"
@@ -31,6 +35,10 @@
       "type": "WEB",
       "url": "https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware"
+    },
     {
       "type": "WEB",
       "url": "https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware"

advisories/unreviewed/2026/02/GHSA-cc62-3p5g-fr7j/GHSA-cc62-3p5g-fr7j.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cc62-3p5g-fr7j",
-  "modified": "2026-02-06T21:30:47Z",
+  "modified": "2026-03-20T00:31:26Z",
   "published": "2026-02-02T18:31:33Z",
   "aliases": [
     "CVE-2026-0630"
@@ -23,6 +23,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0630"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware"
+    },
     {
       "type": "WEB",
       "url": "https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware"
@@ -31,6 +35,10 @@
       "type": "WEB",
       "url": "https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware"
+    },
     {
       "type": "WEB",
       "url": "https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware"

advisories/unreviewed/2026/03/GHSA-4773-3jfm-qmx3/GHSA-4773-3jfm-qmx3.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4773-3jfm-qmx3",
+  "modified": "2026-03-20T00:31:28Z",
+  "published": "2026-03-20T00:31:28Z",
+  "aliases": [
+    "CVE-2026-22737"
+  ],
+  "details": "Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22737"
+    },
+    {
+      "type": "WEB",
+      "url": "https://spring.io/security/cve-2026-22737"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-20T00:16:15Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-636g-4q6w-639h/GHSA-636g-4q6w-639h.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-636g-4q6w-639h",
+  "modified": "2026-03-20T00:31:28Z",
+  "published": "2026-03-20T00:31:28Z",
+  "aliases": [
+    "CVE-2026-3948"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3948"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T23:16:45Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-6hcq-hmm3-jj3c/GHSA-6hcq-hmm3-jj3c.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6hcq-hmm3-jj3c",
+  "modified": "2026-03-20T00:31:28Z",
+  "published": "2026-03-20T00:31:28Z",
+  "aliases": [
+    "CVE-2026-22735"
+  ],
+  "details": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22735"
+    },
+    {
+      "type": "WEB",
+      "url": "https://spring.io/security/cve-2026-22735"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-20T00:16:15Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-8hfc-fq58-r658/GHSA-8hfc-fq58-r658.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8hfc-fq58-r658",
+  "modified": "2026-03-20T00:31:28Z",
+  "published": "2026-03-20T00:31:28Z",
+  "aliases": [
+    "CVE-2026-22731"
+  ],
+  "details": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22731"
+    },
+    {
+      "type": "WEB",
+      "url": "https://spring.io/security/cve-2026-22731"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-288"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T23:16:41Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-f53h-mxv9-cp98/GHSA-f53h-mxv9-cp98.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f53h-mxv9-cp98",
+  "modified": "2026-03-20T00:31:28Z",
+  "published": "2026-03-20T00:31:28Z",
+  "aliases": [
+    "CVE-2026-4342"
+  ],
+  "details": "A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4342"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/issues/137893"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/03/19/9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T22:16:43Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-m9r6-9wmx-24jv/GHSA-m9r6-9wmx-24jv.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m9r6-9wmx-24jv",
+  "modified": "2026-03-20T00:31:28Z",
+  "published": "2026-03-20T00:31:28Z",
+  "aliases": [
+    "CVE-2026-4159"
+  ],
+  "details": "1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4159"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/wolfSSL/wolfssl/pull/9945"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T22:16:42Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mf92-479x-3373",
+  "modified": "2026-03-20T00:31:28Z",
+  "published": "2026-03-20T00:31:28Z",
+  "aliases": [
+    "CVE-2026-22732"
+  ],
+  "details": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \nThis issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22732"
+    },
+    {
+      "type": "WEB",
+      "url": "https://spring.io/security/cve-2026-22732"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-19T23:16:41Z"
+  }
+}