Publish Advisories

GHSA-76h8-9q54-37cc
GHSA-9gww-cr64-679c
GHSA-m76j-7jh6-jxj5
GHSA-rqh7-4vgv-648p

Author: advisory-database[bot]

advisories/unreviewed/2025/04/GHSA-76h8-9q54-37cc/GHSA-76h8-9q54-37cc.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-76h8-9q54-37cc",
-  "modified": "2025-04-08T18:34:45Z",
+  "modified": "2026-02-17T00:30:18Z",
   "published": "2025-04-08T18:34:45Z",
   "aliases": [
     "CVE-2025-26637"
@@ -22,6 +22,10 @@
     {
       "type": "WEB",
       "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26637"
+    },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2026/Feb/15"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/02/GHSA-9gww-cr64-679c/GHSA-9gww-cr64-679c.json

@@ -0,0 +1,47 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9gww-cr64-679c",
+  "modified": "2026-02-17T00:30:18Z",
+  "published": "2026-02-17T00:30:18Z",
+  "aliases": [
+    "CVE-2026-2439"
+  ],
+  "details": "Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,\n\n  *  There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.\n  *  The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.\n  *  UUIDs are identifiers whose mere possession grants access, as per RFC 9562.\n  *  The output of the built-in rand() function is predictable and unsuitable for security applications.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2439"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bwva/Concierge-Sessions/commit/20bb28e92e8fba307c4ff8264701c215be65e73b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/release/BVA/Concierge-Sessions-v0.8.4/diff/BVA/Concierge-Sessions-v0.8.5#lib/Concierge/Sessions/Base.pm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://perldoc.perl.org/5.42.0/functions/rand"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-338"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T22:22:41Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-m76j-7jh6-jxj5/GHSA-m76j-7jh6-jxj5.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m76j-7jh6-jxj5",
+  "modified": "2026-02-17T00:30:18Z",
+  "published": "2026-02-17T00:30:18Z",
+  "aliases": [
+    "CVE-2025-15578"
+  ],
+  "details": "Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15578"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/dist/Maypole/source/lib/Maypole/Session.pm#L43"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-338"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-16T22:22:40Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-rqh7-4vgv-648p/GHSA-rqh7-4vgv-648p.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rqh7-4vgv-648p",
+  "modified": "2026-02-17T00:30:18Z",
+  "published": "2026-02-17T00:30:18Z",
+  "aliases": [
+    "CVE-2025-12062"
+  ],
+  "details": "The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12062"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3405282"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/815e5b86-2d1b-4794-b761-dad770393d3e?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-17T00:16:17Z"
+  }
+}