
Commit 373de36

1 parent 89feba0 commit 373de36

3 files changed

Lines changed: 94 additions & 12 deletions


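--- a/advisories/unreviewed/2026/05/GHSA-j822-46r5-h4qx/GHSA-j822-46r5-h4qx.json
+++ b/advisories/github-reviewed/2026/05/GHSA-j822-46r5-h4qx/GHSA-j822-46r5-h4qx.json
@@ -1,19 +1,43 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j822-46r5-h4qx",
-"modified": "2026-05-07T18:30:40Z",
+"modified": "2026-05-12T16:20:20Z",
 "published": "2026-05-07T18:30:40Z",
 "aliases": [
 "CVE-2026-36341"
 ],
+"summary": "Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint",
 "details": "Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "krayin/laravel-crm"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.1.5"
+},
+{
+"fixed": "2.1.6"
+}
+]
+}
+],
+"versions": [
+"2.1.5"
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -23,6 +47,10 @@
 "type": "WEB",
 "url": "https://github.com/krayin/laravel-crm/pull/2401"
 },
+{
+"type": "WEB",
+"url": "https://github.com/krayin/laravel-crm/commit/fc467040de21803cb2b67c2229d2dfcf731d2d3e"
+},
 {
 "type": "WEB",
 "url": "https://cyber.spool.co.jp/vulnerabilities/cve-2026-36341"
@@ -35,6 +63,10 @@
 "type": "WEB",
 "url": "https://github.com/cybercrewinc/CVE-2026-36341"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/krayin/laravel-crm"
+},
 {
 "type": "WEB",
 "url": "https://github.com/krayin/laravel-crm/releases/tag/v2.1.6"
@@ -45,8 +77,8 @@
 "CWE-79"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-05-12T16:20:20Z",
 "nvd_published_at": "2026-05-07T16:16:18Z"
 }
 }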
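Review bot: The new range's lower bound `"introduced": "2.1.5"` declares 2.1.5 the first vulnerable release, yet the `details` text only names v2.1.5 as the version in which the unsanitized comment field was observed, not the version that introduced it. If earlier releases ship the same Activity-creation form, version matchers will report them as clean; `"introduced": "0"` paired with the existing `"fixed": "2.1.6"` would be the conservative range, and the `"versions": ["2.1.5"]` list would then need the earlier releases as well. The linked fix commit and the v2.1.6 release reference support the upper bound, so only the lower bound needs confirming against the upstream history.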

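--- a/advisories/unreviewed/2026/05/GHSA-r7c9-7pjq-hmm8/GHSA-r7c9-7pjq-hmm8.json
+++ b/advisories/github-reviewed/2026/05/GHSA-r7c9-7pjq-hmm8/GHSA-r7c9-7pjq-hmm8.json
@@ -1,24 +1,49 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r7c9-7pjq-hmm8",
-"modified": "2026-05-07T21:30:29Z",
+"modified": "2026-05-12T16:20:35Z",
 "published": "2026-05-07T21:30:29Z",
 "aliases": [
 "CVE-2026-44742"
 ],
+"summary": "Postorius is vulnerable to XSS",
 "details": "Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "postorius"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "1.3.13"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44742"
 },
+{
+"type": "PACKAGE",
+"url": "https://gitlab.com/mailman/postorius"
+},
 {
 "type": "WEB",
 "url": "https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b"
@@ -41,8 +66,8 @@
 "CWE-79"
 ],
 "severity": "HIGH",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-05-12T16:20:35Z",
 "nvd_published_at": "2026-05-07T19:16:02Z"
 }
 }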
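Review bot: The new range closes with `"last_affected": "1.3.13"` even though the references already point at upstream commit c4706abd05ba6bcf472fc674b160d3a9d6a4868b, so the record never tells consumers which release is safe to move to. If a Postorius release containing that commit has shipped, `"fixed": "<first patched version>"` in place of the `last_affected` event lets version matchers clear upgraded installs; if none has, a sentence in `details` saying the fix is committed but unreleased would spare readers a trip to the commit. Either way the choice should be stated, since `last_affected` leaves any later release unclassified.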

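--- a/advisories/unreviewed/2026/05/GHSA-vpxx-h23g-gxh2/GHSA-vpxx-h23g-gxh2.json
+++ b/advisories/github-reviewed/2026/05/GHSA-vpxx-h23g-gxh2/GHSA-vpxx-h23g-gxh2.json
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vpxx-h23g-gxh2",
-"modified": "2026-05-07T18:30:40Z",
+"modified": "2026-05-12T16:20:14Z",
 "published": "2026-05-07T18:30:39Z",
 "aliases": [
 "CVE-2025-65122"
 ],
+"summary": "youtube-regex vulnerable to Regex Denial of Service",
 "details": "Regex Denial of Service in youtube-regex npm package through version 1.0.5.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "youtube-regex"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "1.0.5"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -26,15 +47,19 @@
 {
 "type": "WEB",
 "url": "https://gist.github.com/6en6ar/66ef99397068c0a5e0d963bc47d7172c"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/regexhq/youtube-regex"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-400"
 ],
 "severity": "HIGH",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-05-12T16:20:14Z",
 "nvd_published_at": "2026-05-07T16:16:17Z"
 }
 }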
