Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8005eb53 by security tracker role at 2026-01-16T20:14:02+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,178 @@
-CVE-2025-60021
+CVE-2026-23731 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, Th ...)
+ TODO: check
+CVE-2026-23730 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, an ...)
+ TODO: check
+CVE-2026-23729 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, an ...)
+ TODO: check
+CVE-2026-23728 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, an ...)
+ TODO: check
+CVE-2026-23727 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, an ...)
+ TODO: check
+CVE-2026-23726 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, An ...)
+ TODO: check
+CVE-2026-23725 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, a ...)
+ TODO: check
+CVE-2026-23724 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, a ...)
+ TODO: check
+CVE-2026-23723 (WeGIA is a web manager for charitable institutions. Prior to
3.6.2, an ...)
+ TODO: check
+CVE-2026-23722 (WeGIA is a Web Manager for Charitable Institutions. Prior to
3.6.2, a ...)
+ TODO: check
+CVE-2026-23645 (SiYuan is self-hosted, open source personal knowledge
management softw ...)
+ TODO: check
+CVE-2026-23634 (Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr
defaults to ...)
+ TODO: check
+CVE-2026-23535 (wlc is a Weblate command-line client using Weblate's REST API.
Prior t ...)
+ TODO: check
+CVE-2026-23529 (Kafka Connect BigQuery Connector is an implementation of a
sink connec ...)
+ TODO: check
+CVE-2026-23528 (Dask distributed is a distributed task scheduler for Dask.
Prior to 20 ...)
+ TODO: check
+CVE-2026-23523 (Dive is an open-source MCP Host Desktop Application that
enables integ ...)
+ TODO: check
+CVE-2026-23490 (pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2,
a Denial ...)
+ TODO: check
+CVE-2026-22876 (Path Traversal vulnerability exists in multiple Network
Cameras TRIFOR ...)
+ TODO: check
+CVE-2026-22782 (RustFS is a distributed object storage system built in Rust.
From >= 1 ...)
+ TODO: check
+CVE-2026-21625 (User provided uploads to the Easy Discuss component for Joomla
aren't ...)
+ TODO: check
+CVE-2026-21624 (Lack of input filterung leads to a persistent XSS
vulnerability in the ...)
+ TODO: check
+CVE-2026-21623 (Lack of input filterung leads to a persistent XSS
vulnerability in the ...)
+ TODO: check
+CVE-2026-20894 (Cross-site scripting vulnerability exists in multiple Network
Cameras ...)
+ TODO: check
+CVE-2026-20759 (OS Command Injection vulnerability exists in multiple Network
Cameras ...)
+ TODO: check
+CVE-2026-1004 (The Essential Addons for Elementor plugin for WordPress is
vulnerable ...)
+ TODO: check
+CVE-2026-0949 (PEM versions prior to 9.8.1 are affected by a stored Cross-site
Script ...)
+ TODO: check
+CVE-2026-0913 (The User Submitted Posts \u2013 Enable Users to Submit Posts
from the ...)
+ TODO: check
+CVE-2026-0823
+ REJECTED
+CVE-2026-0696 (In ConnectWise PSA versions older than 2026.1, certain session
cookies ...)
+ TODO: check
+CVE-2026-0695 (In ConnectWise PSA versions older than 2026.1, Time Entry notes
stored ...)
+ TODO: check
+CVE-2026-0629 (Authentication bypass in the password recovery feature of the
local we ...)
+ TODO: check
+CVE-2026-0616 (TheLibrarians web_fetch tool can be used to retrieve the
Adminer inter ...)
+ TODO: check
+CVE-2026-0615 (The Librarian `supervisord` status page can be retrieved by the
`web_f ...)
+ TODO: check
+CVE-2026-0613 (The Librarian contains an internal port scanning vulnerability,
facili ...)
+ TODO: check
+CVE-2026-0612 (The Librarian contains a information leakage vulnerability
through the ...)
+ TODO: check
+CVE-2025-71020 (Tenda AX-1806 v1.0.0.1 was discovered to contain a stack
overflow in t ...)
+ TODO: check
+CVE-2025-70746 (Tenda AX-1806 v1.0.0.1 was discovered to contain a stack
overflow in t ...)
+ TODO: check
+CVE-2025-69581 (An issue was discovered in Chamillo LMS 1.11.2. The Social
Network /pe ...)
+ TODO: check
+CVE-2025-68924 (In Umbraco UmbracoForms through 8.13.16, an authenticated
attacker can ...)
+ TODO: check
+CVE-2025-68921 (SteelSeries Nahimic 3 1.10.7 allows Directory traversal.)
+ TODO: check
+CVE-2025-59870 (HCL MyXalytics v6.7 is affected by improper management of a
static JWT ...)
+ TODO: check
+CVE-2025-48647 (In cpm_fwtp_msg_handler of
cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, t ...)
+ TODO: check
+CVE-2025-43508 (A logging issue was addressed with improved data redaction.
This issue ...)
+ TODO: check
+CVE-2025-31186 (A permissions issue was addressed with additional
restrictions. This i ...)
+ TODO: check
+CVE-2025-29943 (Write what were condition within AMD CPUs may allow an
admin-privilege ...)
+ TODO: check
+CVE-2025-24090 (A permissions issue was addressed with additional
restrictions. This i ...)
+ TODO: check
+CVE-2025-24089 (A permissions issue was addressed with additional
restrictions. This i ...)
+ TODO: check
+CVE-2025-15104 (Nu Html Checker (validator.nu) contains a restriction bypass
that allo ...)
+ TODO: check
+CVE-2025-15032 (Missing about:blank indicator in custom-sized new windows in
Dia befor ...)
+ TODO: check
+CVE-2025-14894 (Livewire Filemanager, commonly used in Laravel applications,
contains ...)
+ TODO: check
+CVE-2025-14844 (The Membership Plugin \u2013 Restrict Content plugin for
WordPress is ...)
+ TODO: check
+CVE-2025-14822 (Mattermost versions 10.11.x <= 10.11.8 fail to validate input
size bef ...)
+ TODO: check
+CVE-2025-14757 (The Cost Calculator Builder plugin for WordPress is vulnerable
to Unau ...)
+ TODO: check
+CVE-2025-14510 (Incorrect Implementation of Authentication Algorithm
vulnerability in ...)
+ TODO: check
+CVE-2025-14435 (Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1,
11.0.x <= 11 ...)
+ TODO: check
+CVE-2025-12007 (There is a vulnerability in the Supermicro BMC firmware
validation log ...)
+ TODO: check
+CVE-2025-12006 (There is a vulnerability in the Supermicro BMC firmware
validation log ...)
+ TODO: check
+CVE-2024-54556 (This issue was addressed through improved state management.
This issue ...)
+ TODO: check
+CVE-2024-44238 (The issue was addressed with improved bounds checks. This
issue is fix ...)
+ TODO: check
+CVE-2024-44210 (This issue was addressed with improved permissions checking.
This issu ...)
+ TODO: check
+CVE-2021-47847 (Disk Sorter Server 13.6.12 contains an unquoted service path
vulnerabi ...)
+ TODO: check
+CVE-2021-47845 (Spy Emergency 25.0.650 contains an unquoted service path
vulnerability ...)
+ TODO: check
+CVE-2021-47844 (Xmind 2020 contains a cross-site scripting vulnerability that
allows a ...)
+ TODO: check
+CVE-2021-47842 (StudyMD 0.3.2 contains a persistent cross-site scripting
vulnerability ...)
+ TODO: check
+CVE-2021-47841 (SnipCommand 0.1.0 contains a cross-site scripting
vulnerability that a ...)
+ TODO: check
+CVE-2021-47840 (Moeditor 0.2.0 contains a persistent cross-site scripting
vulnerabilit ...)
+ TODO: check
+CVE-2021-47839 (Marky 0.0.1 contains a persistent cross-site scripting
vulnerability t ...)
+ TODO: check
+CVE-2021-47838 (Markright 1.0 contains a persistent cross-site scripting
vulnerability ...)
+ TODO: check
+CVE-2021-47837 (Markdownify 1.2.0 contains a persistent cross-site scripting
vulnerabi ...)
+ TODO: check
+CVE-2021-47836 (Markdown Explorer 0.1.1 contains a cross-site scripting
vulnerability ...)
+ TODO: check
+CVE-2021-47835 (Freeter 1.2.1 contains a persistent cross-site scripting
vulnerability ...)
+ TODO: check
+CVE-2021-47834 (Schlix CMS 2.2.6-6 contains a persistent cross-site scripting
vulnerab ...)
+ TODO: check
+CVE-2021-47833 (WifiHotSpot 1.0.0.0 contains an unquoted service path
vulnerability in ...)
+ TODO: check
+CVE-2021-47832 (Sandboxie Plus 0.7.4 contains an unquoted service path
vulnerability i ...)
+ TODO: check
+CVE-2021-47831 (Sandboxie 5.49.7 contains a denial of service vulnerability
that allow ...)
+ TODO: check
+CVE-2021-47829 (DHCP Broadband 4.1.0.1503 contains an unquoted service path
vulnerabil ...)
+ TODO: check
+CVE-2021-47828 (BOOTP Turbo 2.0.0.1253 contains an unquoted service path
vulnerability ...)
+ TODO: check
+CVE-2021-47827 (WebSSH for iOS 14.16.10 contains a denial of service
vulnerability in ...)
+ TODO: check
+CVE-2021-47826 (Acer Backup Manager 3.0.0.99 contains an unquoted service path
vulnera ...)
+ TODO: check
+CVE-2021-47825 (Acer Updater Service 1.2.3500.0 contains an unquoted service
path vuln ...)
+ TODO: check
+CVE-2021-47824 (iDailyDiary 4.30 contains a denial of service vulnerability
that allow ...)
+ TODO: check
+CVE-2021-47823 (Acer ePowerSvc 6.0.3008.0 contains an unquoted service path
vulnerabil ...)
+ TODO: check
+CVE-2021-47822 (DiskBoss Service 12.2.18 contains an unquoted service path
vulnerabili ...)
+ TODO: check
+CVE-2021-47821 (RarmaRadio 2.72.8 contains a denial of service vulnerability
that allo ...)
+ TODO: check
+CVE-2021-47820 (Ubee EVW327 contains a cross-site request forgery
vulnerability that a ...)
+ TODO: check
+CVE-2021-47818 (DupTerminator 1.4.5639.37199 contains a denial of service
vulnerabilit ...)
+ TODO: check
+CVE-2021-47816 (Thecus N4800Eco NAS Server Control Panel contains a command
injection ...)
+ TODO: check
+CVE-2025-60021 (Remote command injection vulnerability in heap profiler
builtin servic ...)
- brpc <itp> (bug #1060006)
CVE-2025-15497
- openvpn 2.7.0~rc5-1
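Review bot: every entry this hunk adds is left at "TODO: check", which is what the automatic import produces but means none of it is triaged yet; the ones that name libraries or tools plausibly in the archive, for instance CVE-2026-23490 (pyasn1), CVE-2026-23528 (Dask distributed) and CVE-2026-23535 (wlc), should get a package line or NOT-FOR-US first, while the long run of Windows unquoted-service-path, desktop-app XSS and denial-of-service entries from CVE-2021-47816 through CVE-2021-47847 looks like a single NOT-FOR-US pass. CVE-2025-60021 is removed from the top of the file and re-added at the end of the hunk with its description; its "- brpc <itp> (bug #1060006)" line is unchanged context, so the move loses nothing. The descriptions are cut off by the importer, and odd wording such as "Write what were condition" in CVE-2025-29943 or "filterung" in CVE-2026-21623/21624 is the upstream text, not something to correct in this file.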
@@ -323,9 +497,9 @@ CVE-2025-61728 [archive/zip: denial of service when parsing
arbitrary ZIP archiv
NOTE: https://github.com/golang/go/issues/77102
NOTE: Fixed by:
https://github.com/golang/go/commit/9d497df196d66553ae844c22a53fb86cd422e80c
(go1.25.6)
NOTE: Fixed by:
https://github.com/golang/go/commit/3235ef3db85c2d7e797b976822a7addaf6d5ca2a
(go1.24.12)
-CVE-2025-68675
+CVE-2025-68675 (In Apache Airflow versions before 3.1.6, the proxies and proxy
fields ...)
- airflow <itp> (bug #819700)
-CVE-2025-68438
+CVE-2025-68438 (In Apache Airflow versions before 3.1.6, when rendered
template fields ...)
- airflow <itp> (bug #819700)
CVE-2026-0988
[experimental] - glib2.0 2.87.1-1
@@ -1278,7 +1452,8 @@ CVE-2022-50913 (ITeC ITeCProteccioAppServer contains an
unquoted service path vu
NOT-FOR-US: ITeC ITeCProteccioAppServer
CVE-2022-50912 (ImpressCMS 1.4.4 contains a file upload vulnerability with
weak extens ...)
NOT-FOR-US: ImpressCMS
-CVE-2022-50911 (Bitrix24 contains an authenticated remote code execution
vulnerability ...)
+CVE-2022-50911
+ REJECTED
NOT-FOR-US: Bitrix24
CVE-2022-50910 (Beehive Forum 1.5.2 contains a host header injection
vulnerability in ...)
NOT-FOR-US: Beehive Forum
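Review bot: CVE-2022-50911 now reads REJECTED but the "NOT-FOR-US: Bitrix24" line beneath it is kept; a rejected CVE is out of scope on its own, so confirm that retaining the earlier triage rationale is deliberate (the same pattern appears for CVE-2025-10145 in a later hunk) rather than a leftover from the description being swapped out by the automatic update. If the tracker's convention is to keep prior triage under REJECTED, no change is needed.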
@@ -2950,7 +3125,7 @@ CVE-2020-36875 (AccessAlly WordPress plugin versions
prior to3.3.2 contain an un
NOT-FOR-US: WordPress plugin
CVE-2025-14459
NOT-FOR-US: Red Hat virt-cdi-controller
-CVE-2025-51602 [vlc MMS out of bounds read]
+CVE-2025-51602 (mmstu.c in VideoLAN VLC media player before 3.0.22 allows an
out-of-bo ...)
{DSA-6082-1}
- vlc 3.0.22-1
NOTE: https://www.videolan.org/security/sb-vlc3022.html
@@ -30905,7 +31080,8 @@ CVE-2025-10151 (Improper locking vulnerability in
Softing Industrial Automation
NOT-FOR-US: Softing
CVE-2025-10150 (Webserver crash caused by scanning on TCP port 80 in Softing
Industria ...)
NOT-FOR-US: Softing
-CVE-2025-10145 (The Auto Featured Image (Auto Post Thumbnail) plugin for
WordPress is ...)
+CVE-2025-10145
+ REJECTED
NOT-FOR-US: WordPress plugin
CVE-2025-12343
{DSA-6007-1}
@@ -31215,7 +31391,7 @@ CVE-2023-49440 (AhnLab EPP 1.0.15 is vulnerable to SQL
Injection via the "previe
NOT-FOR-US: AhnLab EPP
CVE-2023-37749 (Incorrect access control in the REST API endpoint of HubSpot
v1.29441 ...)
NOT-FOR-US: HubSpot
-CVE-2025-62291
+CVE-2025-62291 (In the eap-mschapv2 plugin (client-side) in strongSwan before
6.0.3, a ...)
{DSA-6041-1 DLA-4359-1}
- strongswan 6.0.3-1 (bug #1120004)
NOTE:
https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-(cve-2025-62291).html
@@ -32148,7 +32324,7 @@ CVE-2025-9158 (The Request Tracker software is
vulnerable to a Stored XSS vulner
[trixie] - request-tracker5 5.0.7+dfsg-4+deb13u1
[bookworm] - request-tracker5 <not-affected> (Vulnerable code
introduced later)
NOTE: Fixed by:
https://github.com/bestpractical/rt/commit/04b5694e6cd150492aa51b8edaba75f5997ea40c
(rt-5.0.9)
-CVE-2025-61873
+CVE-2025-61873 (Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and
6.0.2 all ...)
{DSA-6032-1 DSA-6031-1 DLA-4349-1}
- request-tracker5 5.0.7+dfsg-5
- request-tracker4 <unfixed> (bug #1120003)
@@ -87853,7 +88029,7 @@ CVE-2024-8973 (An issue has been discovered in GitLab
CE/EE affecting all versio
- gitlab <unfixed>
CVE-2025-0549 (An issue has been discovered in GitLab CE/EE affecting all
versions st ...)
- gitlab <unfixed>
-CVE-2025-43904
+CVE-2025-43904 (In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the
accounting ...)
{DSA-5961-1}
- slurm-wlm 24.11.5-1 (bug #1104929)
[bullseye] - slurm-wlm <end-of-life> (see #1071127)
@@ -98278,7 +98454,7 @@ CVE-2025-30195 (An attacker can publish a zone
containing specific Resource Reco
[bullseye] - pdns-recursor <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/07/1
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-01.html
-CVE-2025-31510 [XSS/HTML Injection through tab parameter when using "Choice"
authentication module]
+CVE-2025-31510 (In the portal in LemonLDAP::NG before 2.21.0, cross-site
scripting (XS ...)
{DSA-5897-1 DLA-4119-1}
- lemonldap-ng 2.21.0+ds-1
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341
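Review bot: replacing the bracketed placeholder drops the only in-file mention of the vector, the tab parameter of the "Choice" authentication module, because the imported text is truncated at "cross-site scripting (XS ..."; the gitlab.ow2.org issue in the NOTE line still records it, so nothing is lost, but if that detail matters for verifying backports it is safer to keep it in a NOTE than to rely on the upstream tracker. The new text's "before 2.21.0" agrees with the "- lemonldap-ng 2.21.0+ds-1" fixed line.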
@@ -119523,7 +119699,7 @@ CVE-2024-12133 (A flaw in libtasn1 causes inefficient
handling of specific certi
NOTE:
https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
(v4.20.0)
NOTE:
https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
(v4.20.0)
NOTE:
https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html
-CVE-2025-24531 [Possible Authentication Bypass in Error Situations]
+CVE-2025-24531 (In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate()
wrongly retu ...)
{DSA-5864-1}
- pam-pkcs11 0.6.13-1 (bug #1095402)
[bullseye] - pam-pkcs11 <not-affected> (Vulnerable code not present)
@@ -121495,7 +121671,7 @@ CVE-2024-12163 (The goodlayers-core WordPress plugin
before 2.1.3 allows users w
NOT-FOR-US: WordPress plugin
CVE-2024-10309 (The Tracking Code Manager WordPress plugin before 2.4.0 does
not sanit ...)
NOT-FOR-US: WordPress plugin
-CVE-2025-24528 [Prevent overflow when calculating ulog block size]
+CVE-2025-24528 (In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental
propagation ...)
{DLA-4065-1}
- krb5 1.21.3-5 (bug #1094730)
[bookworm] - krb5 1.20.1-2+deb12u3
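Review bot: the imported description says the fix is in krb5 1.22, while the fixed versions listed are 1.21.3-5 in unstable and 1.20.1-2+deb12u3 in bookworm, so both are backported patches rather than a version bump; that is normal for the tracker, but the old placeholder ("Prevent overflow when calculating ulog block size") was the only hint at which upstream change was backported, so if no NOTE with the upstream commit follows these context lines, add one so the backport can be checked against bug #1094730.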
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8005eb53ae92702bd3f6feedaa6d8a1991861849
--
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits