Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4df00e17 by Salvatore Bonaccorso at 2026-01-22T22:37:05+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -93,7 +93,7 @@ CVE-2026-24001 (jsdiff is a JavaScript text differencing
implementation. Prior t
NOTE: Fixed by:
https://github.com/kpdecker/jsdiff/commit/78017899c4c80d51db805b6e013079cadc6ed0ae
(v5.2.1)
NOTE: Fixed by:
https://github.com/kpdecker/jsdiff/commit/4568cae5ae7646962bf3c5641907d1fb5af90683
(v4.0.3)
CVE-2026-23996 (FastAPI Api Key provides a backend-agnostic library that
provides an A ...)
- TODO: check
+ NOT-FOR-US: FastAPI Api Key
CVE-2026-23992 (go-tuf is a Go implementation of The Update Framework (TUF).
Starting ...)
- golang-github-theupdateframework-go-tuf <unfixed>
NOTE:
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525
@@ -117,11 +117,11 @@ CVE-2026-23974 (Missing Authorization vulnerability in
uxper Golo golo allows Ex
CVE-2026-23968 (Copier is a library and CLI app for rendering project
templates. Prior ...)
NOT-FOR-US: Copier library and CLI app
CVE-2026-23967 (sm-crypto provides JavaScript implementations of the Chinese
cryptogra ...)
- TODO: check
+ NOT-FOR-US: sm-crypto
CVE-2026-23966 (sm-crypto provides JavaScript implementations of the Chinese
cryptogra ...)
- TODO: check
+ NOT-FOR-US: sm-crypto
CVE-2026-23965 (sm-crypto provides JavaScript implementations of the Chinese
cryptogra ...)
- TODO: check
+ NOT-FOR-US: sm-crypto
CVE-2026-23964 (Mastodon is a free, open-source social network server based on
Activit ...)
- mastodon <itp> (bug #859741)
CVE-2026-23963 (Mastodon is a free, open-source social network server based on
Activit ...)
@@ -147,53 +147,53 @@ CVE-2026-23946 (Tendenci is an open source content
management system built for n
CVE-2026-23893 (openCryptoki is a PKCS#11 library and provides tooling for
Linux and A ...)
TODO: check
CVE-2026-23887 (Group-Office is an enterprise customer relationship management
and gro ...)
- TODO: check
+ NOT-FOR-US: Group-Office
CVE-2026-23873 (hustoj is an open source online judge based on
PHP/C++/MySQL/Linux for ...)
- TODO: check
+ NOT-FOR-US: hustoj
CVE-2026-23764 (VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter
Potato (vers ...)
- TODO: check
+ NOT-FOR-US: VB-Audio
CVE-2026-23763 (VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2
and 2.0 ...)
- TODO: check
+ NOT-FOR-US: VB-Audio
CVE-2026-23762 (VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter
Potato (vers ...)
- TODO: check
+ NOT-FOR-US: VB-Audio
CVE-2026-23761 (VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter
Potato (vers ...)
- TODO: check
+ NOT-FOR-US: VB-Audio
CVE-2026-23760 (SmarterTools SmarterMail versions prior to build 9511 contain
an authe ...)
- TODO: check
+ NOT-FOR-US: SmarterTools SmarterMail
CVE-2026-23737 (seroval facilitates JS value stringification, including
complex struct ...)
- TODO: check
+ NOT-FOR-US: Seroval
CVE-2026-23736 (seroval facilitates JS value stringification, including
complex struct ...)
- TODO: check
+ NOT-FOR-US: Seroval
CVE-2026-23699 (AP180 series with firmware versions prior to AP_RGOS
11.9(4)B1P8 conta ...)
- TODO: check
+ NOT-FOR-US: ruijie
CVE-2026-23630 (Docmost is open-source collaborative wiki and documentation
software. ...)
- TODO: check
+ NOT-FOR-US: Docmost
CVE-2026-23526 (CVAT is an open source interactive video and image annotation
tool for ...)
- TODO: check
+ NOT-FOR-US: Computer Vision Annotation Tool (CVAT)
CVE-2026-23524 (Laravel Reverb provides a real-time WebSocket communication
backend fo ...)
- TODO: check
+ NOT-FOR-US: Laravel Reverb
CVE-2026-23518 (Fleet is open source device management software. In versions
prior to ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-23517 (Fleet is open source device management software. A broken
access contr ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-23516 (CVAT is an open source interactive video and image annotation
tool for ...)
- TODO: check
+ NOT-FOR-US: Computer Vision Annotation Tool (CVAT)
CVE-2026-23499 (Saleor is an e-commerce platform. Starting in version 3.0.0
and prior ...)
- TODO: check
+ NOT-FOR-US: Saleor
CVE-2026-22849 (Saleor is an e-commerce platform. Starting in version 3.0.0
and prior ...)
- TODO: check
+ NOT-FOR-US: Saleor
CVE-2026-22822 (External Secrets Operator reads information from a third-party
service ...)
- TODO: check
+ NOT-FOR-US: External Secrets Operator
CVE-2026-22808 (fleetdm/fleet is open source device management software. Prior
to vers ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-22807 (vLLM is an inference and serving engine for large language
models (LLM ...)
TODO: check
CVE-2026-22793 (5ire is a cross-platform desktop artificial intelligence
assistant and ...)
- TODO: check
+ NOT-FOR-US: 5ire
CVE-2026-22792 (5ire is a cross-platform desktop artificial intelligence
assistant and ...)
- TODO: check
+ NOT-FOR-US: 5ire
CVE-2026-22598 (ManageIQ is an open-source management platform. A flaw was
found in th ...)
- TODO: check
+ NOT-FOR-US: ManageIQ
CVE-2026-22483 (Cross-Site Request Forgery (CSRF) vulnerability in winkm89
teachPress ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-22482 (Server-Side Request Forgery (SSRF) vulnerability in wbolt.com
IMGspide ...)
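Review bot: the NOT-FOR-US tags in this hunk name the same upstream inconsistently, which makes later grepping of data/CVE/list unreliable. CVE-2026-23518 and CVE-2026-23517 get `NOT-FOR-US: Fleet` while the description of CVE-2026-22808 calls the project `fleetdm/fleet`; one form such as `NOT-FOR-US: Fleet (fleetdm)` on all three entries would disambiguate it from other software named Fleet. Likewise `NOT-FOR-US: Seroval` differs in case from the `seroval` used in its own description, and `NOT-FOR-US: ruijie` for CVE-2026-23699 is lower-cased and names a vendor that does not appear in the visible description (AP180 series, AP_RGOS), so a tag carrying the product name would be easier to match to the entry.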
@@ -283,13 +283,13 @@ CVE-2026-22279 (Dell PowerScale OneFS, versions prior
9.13.0.0, contains an insu
CVE-2026-22278 (Dell PowerScale OneFS versions prior to 9.13.0.0 contains an
improper ...)
NOT-FOR-US: Dell / EMC
CVE-2026-21852 (Claude Code is an agentic coding tool. Prior to version
2.0.65, vulner ...)
- TODO: check
+ NOT-FOR-US: Claude Code
CVE-2026-1332 (MeetingHub developed by HAMASTAR Technology has a Missing
Authenticati ...)
- TODO: check
+ NOT-FOR-US: MeetingHub
CVE-2026-1331 (MeetingHub developed by HAMASTAR Technology has an Arbitrary
File Uplo ...)
- TODO: check
+ NOT-FOR-US: MeetingHub
CVE-2026-1330 (MeetingHub developed by HAMASTAR Technology has an Arbitrary
File Read ...)
- TODO: check
+ NOT-FOR-US: MeetingHub
CVE-2026-1329 (A flaw has been found in Tenda AX1803 1.0.0.1. The affected
element is ...)
NOT-FOR-US: Tenda
CVE-2026-1328 (A vulnerability was detected in Totolink NR1800X
9.1.0u.6279_B20210910 ...)
@@ -299,11 +299,11 @@ CVE-2026-1327 (A security vulnerability has been detected
in Totolink NR1800X 9.
CVE-2026-1326 (A weakness has been identified in Totolink NR1800X
9.1.0u.6279_B202109 ...)
NOT-FOR-US: TOTOLINK
CVE-2026-1325 (A security flaw has been discovered in Sangfor Operation and
Maintenan ...)
- TODO: check
+ NOT-FOR-US: Sangfor Operation and Maintenance Security Management System
CVE-2026-1324 (A vulnerability was identified in Sangfor Operation and
Maintenance Ma ...)
- TODO: check
+ NOT-FOR-US: Sangfor Operation and Maintenance Security Management System
CVE-2026-1260 (Invalid memory access in Sentencepiece versions less than 0.2.1
when u ...)
- TODO: check
+ NOT-FOR-US: Sentencepiece
CVE-2026-1225 (ACE vulnerability in configuration file processing by QOS.CH
logback- ...)
TODO: check
CVE-2026-1036 (The Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery
plugin ...)
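Review bot: CVE-2026-1260 is closed here as `NOT-FOR-US: Sentencepiece`, but unlike the Sangfor appliance entries next to it the description is for a library ("Invalid memory access in Sentencepiece versions less than 0.2.1"), the kind of component that can be carried in the archive directly or through a language binding. Please confirm against the archive that no source package ships it before the TODO is dropped, and match upstream's lower-case `sentencepiece` in the tag.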
@@ -321,17 +321,17 @@ CVE-2025-71176 (pytest through 9.0.2 on UNIX relies on
directories with the /tmp
CVE-2025-70899 (PHPgurukul Online Course Registration v3.1 lacks Cross-Site
Request Fo ...)
NOT-FOR-US: PHPGurukul
CVE-2025-69828 (File Upload vulnerability in TMS Global Software TMS
Management Consol ...)
- TODO: check
+ NOT-FOR-US: TMS Global Software TMS Management Console
CVE-2025-69822 (An issue in Atomberg Atomberg Erica Smart Fan Firmware
Version: V1.0.3 ...)
- TODO: check
+ NOT-FOR-US: Atomberg
CVE-2025-69821 (An issue in Beat XP VEGA Smartwatch (Firmware Version -
RB303ATV006229 ...)
- TODO: check
+ NOT-FOR-US: Beat XP VEGA Smartwatch
CVE-2025-69820 (Directory Traversal vulnerability in Beam beta9 v.0.1.552
allows a rem ...)
- TODO: check
+ NOT-FOR-US: Beam beta9
CVE-2025-69764 (Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer
overflow ...)
NOT-FOR-US: Tenda
CVE-2025-69612 (A path traversal vulnerability exists in TMS Management
Console (versi ...)
- TODO: check
+ NOT-FOR-US: TMS Management Console
CVE-2025-69321 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-69320 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
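Review bot: the two TMS entries receive different tags for what the descriptions present as the same product: CVE-2025-69828 gets `NOT-FOR-US: TMS Global Software TMS Management Console` and CVE-2025-69612 gets `NOT-FOR-US: TMS Management Console`. Use one form (vendor plus product, as in the first) on both so a search for the product finds both entries.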
@@ -361,7 +361,7 @@ CVE-2025-69293 (Incorrect Privilege Assignment
vulnerability in e-plugins Final
CVE-2025-69292 (Incorrect Privilege Assignment vulnerability in e-plugins WP
Membershi ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-69285 (SQLBot is an intelligent data query system based on a large
language m ...)
- TODO: check
+ NOT-FOR-US: SQLBot
CVE-2025-69193 (Missing Authorization vulnerability in e-plugins WP Membership
wp-memb ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-69192 (Missing Authorization vulnerability in e-plugins Real Estate
Pro real- ...)
@@ -697,9 +697,9 @@ CVE-2025-67938 (Improper Control of Filename for
Include/Require Statement in PH
CVE-2025-67923 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-67684 (Quick.Cart is vulnerable to Local File Inclusion and Path
Traversal is ...)
- TODO: check
+ NOT-FOR-US: Quick.Cart
CVE-2025-67683 (Quick.Cart is vulnerable to reflected XSS via the sSort
parameter. An ...)
- TODO: check
+ NOT-FOR-US: Quick.Cart
CVE-2025-67626 (Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa
WP SEO ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-67620 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
@@ -715,9 +715,9 @@ CVE-2025-67615 (Improper Control of Filename for
Include/Require Statement in PH
CVE-2025-67614 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-67221 (The orjson.dumps function in orjson thru 3.11.4 does not limit
recursi ...)
- TODO: check
+ NOT-FOR-US: orjson
CVE-2025-66428 (An issue with WordPress directory names in WebPros WordPress
Toolkit b ...)
- TODO: check
+ NOT-FOR-US: WordPress Toolkit
CVE-2025-66143 (Missing Authorization vulnerability in merkulove Crumber
crumber-eleme ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-66142 (Missing Authorization vulnerability in merkulove Comparimager
for Elem ...)
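Review bot: CVE-2025-67221 is closed as `NOT-FOR-US: orjson`, yet orjson is a Python serialization library rather than a vendor product, and the flaw described ("orjson.dumps ... does not limit recursion") is in the library code itself; please check the archive for a source package carrying it (for example a Python binding package) before the TODO is dropped. In the same hunk, CVE-2025-66428 is tagged `NOT-FOR-US: WordPress Toolkit` while its description names `WebPros WordPress Toolkit`; keeping the vendor in the tag avoids confusion with WordPress itself, which has its own tag convention in this file.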
@@ -737,11 +737,11 @@ CVE-2025-66136 (Missing Authorization vulnerability in
merkulove Carter for Elem
CVE-2025-66135 (Missing Authorization vulnerability in merkulove Imager for
Elementor ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-65098 (Typebot is an open-source chatbot builder. In versions prior
to 3.13.2 ...)
- TODO: check
+ NOT-FOR-US: Typebot
CVE-2025-64252 (Server-Side Request Forgery (SSRF) vulnerability in Marco
Milesi ANAC ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-64097 (NervesHub is a web service that allows users to manage
over-the-air (O ...)
- TODO: check
+ NOT-FOR-US: NervesHub
CVE-2025-63051 (Exposure of Sensitive System Information to an Unauthorized
Control Sp ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-63026 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
@@ -767,9 +767,9 @@ CVE-2025-62050 (Unrestricted Upload of File with Dangerous
Type vulnerability in
CVE-2025-5805 (Missing Authorization vulnerability in Ninetheme Electron
electron all ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-56590 (An issue was discovered in the InsertFromURL() function of the
Apryse ...)
- TODO: check
+ NOT-FOR-US: Apryse HTML2PDF SDK
CVE-2025-56589 (A Local File Inclusion (LFI) and a Server-Side Request Forgery
(SSRF) ...)
- TODO: check
+ NOT-FOR-US: Apryse HTML2PDF SDK
CVE-2025-54003 (Improper Control of Filename for Include/Require Statement in
PHP Prog ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-54002 (Missing Authorization vulnerability in Jthemes xSmart xsmart
allows Ex ...)
@@ -793,9 +793,9 @@ CVE-2025-50003 (Improper Control of Filename for
Include/Require Statement in PH
CVE-2025-50002 (Unrestricted Upload of File with Dangerous Type vulnerability
in Faros ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-4764 (Improper Neutralization of Special Elements used in an SQL
Command ('S ...)
- TODO: check
+ NOT-FOR-US: Hotel Guest Hotspot
CVE-2025-4763 (Improper Neutralization of Input During Web Page Generation
(XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: Hotel Guest Hotspot
CVE-2025-49994 (Improper Control of Filename for Include/Require Statement in
PHP Prog ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-49375 (Missing Authorization vulnerability in cozythemes HomeLancer
homelance ...)
@@ -835,19 +835,19 @@ CVE-2025-36588 (Dell Unisphere for PowerMax, version(s)
10.2.0.x, contain(s) an
CVE-2025-32123 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-32057 (The Infotainment ECU manufactured by Bosch which is installed
in Nissa ...)
- TODO: check
+ NOT-FOR-US: Infotainment ECU (Bosch)
CVE-2025-32056 (The anti-theft protection mechanism can be bypassed by
attackers due t ...)
- TODO: check
+ NOT-FOR-US: Nissan Leaf ZE1
CVE-2025-31413 (Cross-Site Request Forgery (CSRF) vulnerability in bdthemes
Element Pa ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-27380 (HTML injection in Project Release in Altium Enterprise Server
(AES) 7. ...)
- TODO: check
+ NOT-FOR-US: Altium
CVE-2025-27379 (A stored cross-site scripting (XSS) vulnerability in the BOM
Viewer in ...)
- TODO: check
+ NOT-FOR-US: Altium
CVE-2025-27378 (AES contains a SQL injection vulnerability due to an inactive
configur ...)
- TODO: check
+ NOT-FOR-US: Altium
CVE-2025-27377 (Altium Designer version 24.9.0 does not validate self-signed
server ce ...)
- TODO: check
+ NOT-FOR-US: Altium
CVE-2025-27005 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-15523 (MacOS version of Inkscape bundles a Python interpreter that
inherits t ...)
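Review bot: CVE-2025-32057 and CVE-2025-32056 get differently shaped tags, `NOT-FOR-US: Infotainment ECU (Bosch)` and `NOT-FOR-US: Nissan Leaf ZE1`, although the first description names a Bosch infotainment ECU installed in a Nissan vehicle and the second is tagged with the vehicle, so they appear to concern the same platform. A single tag naming both vendor and vehicle on both entries keeps the pair together when the list is searched.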
@@ -857,11 +857,11 @@ CVE-2025-14295 (Storing Passwords in a Recoverable Format
vulnerability in Autom
CVE-2025-12738 (Neo4j Enterprise edition versions prior to 2025.11.2 and
5.26.17 are v ...)
TODO: check
CVE-2025-10856 (Unrestricted Upload of File with Dangerous Type vulnerability
in Solve ...)
- TODO: check
+ NOT-FOR-US: Teknoera
CVE-2025-10855 (Authorization Bypass Through User-Controlled Key vulnerability
in Solv ...)
- TODO: check
+ NOT-FOR-US: Teknoera
CVE-2025-10024 (Authorization Bypass Through User-Controlled Key vulnerability
in EXER ...)
- TODO: check
+ NOT-FOR-US: Education Management System
CVE-2024-53252
REJECTED
CVE-2024-53251
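Review bot: the tags `NOT-FOR-US: Teknoera` (CVE-2025-10856, CVE-2025-10855) and `NOT-FOR-US: Education Management System` (CVE-2025-10024) do not contain the vendor or product fragments visible in their descriptions (`Solve...`, `EXER...`), so a reader cannot match tag to entry without opening the CVE. Include both vendor and product name in each tag, as is done for the other entries in this commit.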
@@ -897,7 +897,7 @@ CVE-2024-36988
CVE-2024-22166
REJECTED
CVE-2023-7335 (EduSoho versions prior to 22.4.7 contain an arbitrary file read
vulner ...)
- TODO: check
+ NOT-FOR-US: EduSoho
CVE-2023-32720
REJECTED
CVE-2023-32719
@@ -1088,7 +1088,7 @@ CVE-2021-47778 (GetSimple CMS My SMTP Contact Plugin
1.1.2 contains a PHP code i
CVE-2021-47770 (OpenPLC v3 contains an authenticated remote code execution
vulnerabili ...)
NOT-FOR-US: OpenPLC
CVE-2021-47748 (Hasura GraphQL 1.3.3 contains a remote code execution
vulnerability th ...)
- TODO: check
+ NOT-FOR-US: Hasura GraphQL
CVE-2021-47746 (NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write
vulnerabili ...)
NOT-FOR-US: NodeBB Plugin Emoji
CVE-2026-22977 (In the Linux kernel, the following vulnerability has been
resolved: n ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4df00e17b28028a11259395e9b9955af43fad827
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits