Publish Advisories

GHSA-2969-xpvc-282x
GHSA-2j48-mfm5-x2hv
GHSA-4574-jvgw-55gr
GHSA-rqmp-494m-8qgf

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-2969-xpvc-282x/GHSA-2969-xpvc-282x.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2969-xpvc-282x",
+  "modified": "2026-03-29T18:30:19Z",
+  "published": "2026-03-29T18:30:19Z",
+  "aliases": [
+    "CVE-2026-34005"
+  ],
+  "details": "In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34005"
+    },
+    {
+      "type": "WEB",
+      "url": "https://uky007.github.io/CVE-2026-34005"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.xiongmaitech.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-29T17:16:44Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2j48-mfm5-x2hv/GHSA-2j48-mfm5-x2hv.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2j48-mfm5-x2hv",
+  "modified": "2026-03-29T18:30:20Z",
+  "published": "2026-03-29T18:30:20Z",
+  "aliases": [
+    "CVE-2026-0562"
+  ],
+  "details": "A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0562"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-29T18:16:14Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-4574-jvgw-55gr/GHSA-4574-jvgw-55gr.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4574-jvgw-55gr",
+  "modified": "2026-03-29T18:30:20Z",
+  "published": "2026-03-29T18:30:19Z",
+  "aliases": [
+    "CVE-2026-0558"
+  ],
+  "details": "A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0558"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-29T18:16:13Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-rqmp-494m-8qgf/GHSA-rqmp-494m-8qgf.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rqmp-494m-8qgf",
+  "modified": "2026-03-29T18:30:20Z",
+  "published": "2026-03-29T18:30:20Z",
+  "aliases": [
+    "CVE-2026-0560"
+  ],
+  "details": "A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0560"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-29T18:16:14Z"
+  }
+}