GHSA/SYNC: 1 new advisory; Added new contributor

CONTRIBUTORS.md

@@ -41,5 +41,6 @@ This database would not be possible without volunteers willing to submit pull re
 * [Adrian Hirt](https://github.com/Adrian-Hirt)
 * [Huda Kharrufa](https://github.com/hudakh)
 * [Mike Dalessio](https://github.com/flavorjones)
+* [Dennis Paagman](https://github.com/dennispaagman)
 
 The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

gems/katello/CVE-2026-12515.yml

@@ -0,0 +1,31 @@
+---
+gem: katello
+cve: 2026-12515
+ghsa: c43c-rf7g-5xpg
+url: https://nvd.nist.gov/vuln/detail/CVE-2026-12515
+title: katello - missing repository authorization in content_uploads
+  exposes cross-product content existence
+date: 2026-06-17
+description: |
+  A flaw was found in Katello's of Red Hat Satellite. A content upload
+  functionality where insufficient authorization checks in the
+  ContentUploadsController allowed users with the edit_products
+  permission to query content information for repositories outside
+  the products they were authorized to manage. An authenticated attacker
+  could exploit this issue to determine whether specific content
+  exists within repositories that should otherwise be inaccessible.
+  This issue does not allow unauthorized modification, import, or
+  publication of content.
+cvss_v3: 4.3
+patched_versions:
+  - ">= 4.21.0.rc1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-12515
+    - https://rubygems.org/gems/katello/versions/4.21.0
+    - https://github.com/Katello/katello/pull/11712
+    - https://access.redhat.com/security/cve/CVE-2026-12515
+    - https://bugzilla.redhat.com/show_bug.cgi?id=2489812
+    - https://github.com/advisories/GHSA-c43c-rf7g-5xpg
+notes: |
+  - cvss_v3 from nist reference; no cvss_v2 or cvss_v4 values