Publish Advisories

GHSA-23hm-6gvp-w3w5
GHSA-5jvc-6gmm-9m79
GHSA-5pf3-56wj-95xv
GHSA-5w97-394v-8832
GHSA-8p2h-64fj-mxhv
GHSA-9cgv-w9j2-3763
GHSA-cq3m-gjvw-x3vj
GHSA-gfv2-c97j-jcxp
GHSA-hg45-6q92-44jh
GHSA-hvg7-rv27-w39j
GHSA-vm64-7vcf-58w4

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-23hm-6gvp-w3w5/GHSA-23hm-6gvp-w3w5.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-23hm-6gvp-w3w5",
+  "modified": "2026-03-21T18:31:05Z",
+  "published": "2026-03-21T18:31:05Z",
+  "aliases": [
+    "CVE-2019-25574"
+  ],
+  "details": "Green CMS 2.x contains a path traversal vulnerability that allows authenticated attackers to download arbitrary files and directories by injecting directory traversal sequences. Attackers can manipulate the theme_name parameter in the themeexporthandle action or supply base64-encoded file paths to the downfile action to retrieve sensitive files outside intended directories.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25574"
+    },
+    {
+      "type": "WEB",
+      "url": "https://codeload.github.com/GreenCMS/GreenCMS/zip/beta"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46245"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/green-cms-2-x-path-traversal-arbitrary-file-download"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.greencms.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-21T16:16:00Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-5jvc-6gmm-9m79/GHSA-5jvc-6gmm-9m79.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5jvc-6gmm-9m79",
+  "modified": "2026-03-21T18:31:05Z",
+  "published": "2026-03-21T18:31:05Z",
+  "aliases": [
+    "CVE-2019-25580"
+  ],
+  "details": "ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25580"
+    },
+    {
+      "type": "WEB",
+      "url": "https://datapacket.dl.sourceforge.net/project/owndms/owndms_47.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46168"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/owndms-sql-injection-via-pdfstream-php-imagestream-php"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.owndms.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-21T16:16:02Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-5pf3-56wj-95xv/GHSA-5pf3-56wj-95xv.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5pf3-56wj-95xv",
+  "modified": "2026-03-21T18:31:05Z",
+  "published": "2026-03-21T18:31:05Z",
+  "aliases": [
+    "CVE-2019-25582"
+  ],
+  "details": "i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with file_manager=image and supply arbitrary file paths like src/config.inc.php to retrieve configuration files and sensitive system data.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25582"
+    },
+    {
+      "type": "WEB",
+      "url": "https://netcologne.dl.sourceforge.net/project/i-doit/i-doit/1.12/idoit-open-1.12.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46133"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.i-doit.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/i-doit-cmdb-arbitrary-file-download-via-file-manager-parameter"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-21T16:16:02Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-5w97-394v-8832/GHSA-5w97-394v-8832.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5w97-394v-8832",
+  "modified": "2026-03-21T18:31:05Z",
+  "published": "2026-03-21T18:31:05Z",
+  "aliases": [
+    "CVE-2019-25579"
+  ],
+  "details": "phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and retrieve files outside the intended directory.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25579"
+    },
+    {
+      "type": "WEB",
+      "url": "https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46192"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/phptransformer-directory-traversal-via-jqueryfileupload"
+    },
+    {
+      "type": "WEB",
+      "url": "http://phptransformer.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-21T16:16:01Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-8p2h-64fj-mxhv/GHSA-8p2h-64fj-mxhv.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8p2h-64fj-mxhv",
+  "modified": "2026-03-21T18:31:05Z",
+  "published": "2026-03-21T18:31:05Z",
+  "aliases": [
+    "CVE-2019-25573"
+  ],
+  "details": "Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat parameter to manipulate database queries and extract sensitive information.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25573"
+    },
+    {
+      "type": "WEB",
+      "url": "https://codeload.github.com/GreenCMS/GreenCMS/zip/beta"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46244"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/green-cms-2-x-sql-injection-via-cat-parameter"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.greencms.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-21T16:16:00Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-9cgv-w9j2-3763/GHSA-9cgv-w9j2-3763.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9cgv-w9j2-3763",
+  "modified": "2026-03-21T18:31:05Z",
+  "published": "2026-03-21T18:31:05Z",
+  "aliases": [
+    "CVE-2019-25577"
+  ],
+  "details": "SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attackers can send POST requests to /backend/backend_theme/editcss/ or /backend/backend_theme/editjs/ with directory traversal sequences in the getcss or getjs parameters to retrieve file contents.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25577"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46190"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.seotoaster.com/shopping-cart"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/seotoaster-ecommerce-local-file-inclusion-via-backend-theme"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-21T16:16:01Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-cq3m-gjvw-x3vj/GHSA-cq3m-gjvw-x3vj.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cq3m-gjvw-x3vj",
+  "modified": "2026-03-21T18:31:05Z",
+  "published": "2026-03-21T18:31:05Z",
+  "aliases": [
+    "CVE-2019-25576"
+  ],
+  "details": "Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Attackers can send GET requests to the category endpoint with URL-encoded SQL UNION statements to extract database information including usernames, database names, and MySQL version details.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25576"
+    },
+    {
+      "type": "WEB",
+      "url": "https://codeclerks.com/PHP/1559/Kepler-Wallpaper-Script"
+    },
+    {
+      "type": "WEB",
+      "url": "https://keplerwallpapers.online"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/46207"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/kepler-wallpaper-script-sql-injection-via-category"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-21T16:16:01Z"
+  }
+}