Publish Advisories

GHSA-249q-vrhp-j59w
GHSA-3fvx-8h8j-fxvf
GHSA-58gv-j5qc-234v
GHSA-5w89-2c2x-6x66
GHSA-7mr4-xjxg-34g6
GHSA-8jg2-726g-xh43
GHSA-cfp9-33rc-j74f
GHSA-cqrx-3m42-5p5w
GHSA-fv83-x2xw-2j55
GHSA-g2wf-gm3w-w9x3
GHSA-gc82-3hj3-59h8
GHSA-gjvh-7jh8-7xhm
GHSA-jrg3-gfjw-hm96
GHSA-m4pr-4j3g-9v7v
GHSA-mcrh-qj64-9c3p
GHSA-rc2g-jh8w-mqh9
GHSA-x4jj-h2v8-hqqv
GHSA-x64c-qgm9-xp36
GHSA-xj38-jxc5-rppx

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-249q-vrhp-j59w/GHSA-249q-vrhp-j59w.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-249q-vrhp-j59w",
+  "modified": "2026-04-08T03:32:13Z",
+  "published": "2026-04-08T03:32:13Z",
+  "aliases": [
+    "CVE-2026-1343"
+  ],
+  "details": "IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1343"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7268253"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T01:16:40Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-3fvx-8h8j-fxvf/GHSA-3fvx-8h8j-fxvf.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3fvx-8h8j-fxvf",
+  "modified": "2026-04-08T03:32:14Z",
+  "published": "2026-04-08T03:32:14Z",
+  "aliases": [
+    "CVE-2026-5726"
+  ],
+  "details": "ASDA-Soft Stack-based Buffer Overflow Vulnerability",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5726"
+    },
+    {
+      "type": "WEB",
+      "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00007_ASDA-Soft%20Stack-based%20Buffer%20Overflow%20Vulnerability%20(CVE-2026-5726).pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-121"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T03:16:07Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-58gv-j5qc-234v/GHSA-58gv-j5qc-234v.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-58gv-j5qc-234v",
+  "modified": "2026-04-08T03:32:13Z",
+  "published": "2026-04-08T03:32:13Z",
+  "aliases": [
+    "CVE-2026-4788"
+  ],
+  "details": "IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4788"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7268267"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T01:16:41Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-5w89-2c2x-6x66/GHSA-5w89-2c2x-6x66.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5w89-2c2x-6x66",
+  "modified": "2026-04-08T03:32:14Z",
+  "published": "2026-04-08T03:32:14Z",
+  "aliases": [
+    "CVE-2026-27140"
+  ],
+  "details": "SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27140"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/cl/763768"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/issue/78335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2026-4871"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T02:16:02Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-7mr4-xjxg-34g6/GHSA-7mr4-xjxg-34g6.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7mr4-xjxg-34g6",
+  "modified": "2026-04-08T03:32:14Z",
+  "published": "2026-04-08T03:32:14Z",
+  "aliases": [
+    "CVE-2026-32289"
+  ],
+  "details": "Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/cl/763762"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/issue/78331"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2026-4865"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T02:16:03Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8jg2-726g-xh43/GHSA-8jg2-726g-xh43.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8jg2-726g-xh43",
+  "modified": "2026-04-08T03:32:14Z",
+  "published": "2026-04-08T03:32:14Z",
+  "aliases": [
+    "CVE-2026-1163"
+  ],
+  "details": "An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1163"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-613"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T03:16:07Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-cfp9-33rc-j74f/GHSA-cfp9-33rc-j74f.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cfp9-33rc-j74f",
+  "modified": "2026-04-08T03:32:14Z",
+  "published": "2026-04-08T03:32:14Z",
+  "aliases": [
+    "CVE-2026-27143"
+  ],
+  "details": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/cl/763765"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/issue/78333"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2026-4868"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T02:16:03Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-cqrx-3m42-5p5w/GHSA-cqrx-3m42-5p5w.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cqrx-3m42-5p5w",
+  "modified": "2026-04-08T03:32:14Z",
+  "published": "2026-04-08T03:32:14Z",
+  "aliases": [
+    "CVE-2026-27144"
+  ],
+  "details": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/cl/763764"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/issue/78371"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2026-4867"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T02:16:03Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-fv83-x2xw-2j55/GHSA-fv83-x2xw-2j55.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fv83-x2xw-2j55",
+  "modified": "2026-04-08T03:32:14Z",
+  "published": "2026-04-08T03:32:14Z",
+  "aliases": [
+    "CVE-2026-33810"
+  ],
+  "details": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/cl/763763"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/issue/78332"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2026-4866"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-08T02:16:03Z"
+  }
+}