Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b5aaf366 by security tracker role at 2026-02-06T08:13:02+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,101 @@
+CVE-2026-2010 (A vulnerability has been found in Sanluan PublicCMS up to 
4.0.202506.d ...)
+       TODO: check
+CVE-2026-2009 (A flaw has been found in SourceCodester Gas Agency Management 
System 1 ...)
+       TODO: check
+CVE-2026-2008 (A vulnerability was detected in abhiphile fermat-mcp up to 
47f11def1cd ...)
+       TODO: check
+CVE-2026-2000 (A vulnerability was found in DCN DCME-320 up to 20260121. 
Impacted is  ...)
+       TODO: check
+CVE-2026-25815 (Fortinet FortiOS through 7.6.6 allows attackers to decrypt 
LDAP creden ...)
+       TODO: check
+CVE-2026-25698
+       REJECTED
+CVE-2026-25697
+       REJECTED
+CVE-2026-25696
+       REJECTED
+CVE-2026-25695
+       REJECTED
+CVE-2026-25694
+       REJECTED
+CVE-2026-25693
+       REJECTED
+CVE-2026-25692
+       REJECTED
+CVE-2026-24302 (Azure Arc Elevation of Privilege Vulnerability)
+       TODO: check
+CVE-2026-24300 (Azure Front Door Elevation of Privilege Vulnerability)
+       TODO: check
+CVE-2026-23623 (Collabora Online is a collaborative online office suite based 
on Libre ...)
+       TODO: check
+CVE-2026-21626 (Access control settings for forum post custom fields are not 
applied t ...)
+       TODO: check
+CVE-2026-21532 (Azure Function Information Disclosure Vulnerability)
+       TODO: check
+CVE-2026-1998 (A flaw has been found in micropython up to 1.27.0. This 
vulnerability  ...)
+       TODO: check
+CVE-2026-1991 (A vulnerability was detected in libuvc up to 0.0.7. Affected is 
the fu ...)
+       TODO: check
+CVE-2026-1990 (A security vulnerability has been detected in oatpp up to 
1.3.1. This  ...)
+       TODO: check
+CVE-2026-1979 (A flaw has been found in mruby up to 3.4.0. This affects the 
function  ...)
+       TODO: check
+CVE-2026-1978 (A vulnerability was detected in kalyan02 NanoCMS up to 0.4. 
Affected b ...)
+       TODO: check
+CVE-2026-1977 (A security vulnerability has been detected in isaacwasserman 
mcp-vegal ...)
+       TODO: check
+CVE-2026-1976 (A weakness has been identified in Free5GC up to 4.1.0. Affected 
is the ...)
+       TODO: check
+CVE-2026-1975 (A security flaw has been discovered in Free5GC up to 4.1.0. 
This impac ...)
+       TODO: check
+CVE-2026-1974 (A vulnerability was identified in Free5GC up to 4.1.0. This 
affects th ...)
+       TODO: check
+CVE-2026-1973 (A vulnerability was determined in Free5GC up to 4.1.0. The 
impacted el ...)
+       TODO: check
+CVE-2026-1972 (A vulnerability was found in Edimax BR-6208AC 2_1.02. The 
affected ele ...)
+       TODO: check
+CVE-2026-1971 (A vulnerability has been found in Edimax BR-6288ACL up to 1.12. 
Impact ...)
+       TODO: check
+CVE-2026-1970 (A flaw has been found in Edimax BR-6258n up to 1.18. This issue 
affect ...)
+       TODO: check
+CVE-2026-1964 (A vulnerability was determined in WeKan up to 8.20. This 
impacts an un ...)
+       TODO: check
+CVE-2026-1963 (A vulnerability was found in WeKan up to 8.20. This affects an 
unknown ...)
+       TODO: check
+CVE-2026-1962 (A vulnerability has been found in WeKan up to 8.20. The 
impacted eleme ...)
+       TODO: check
+CVE-2026-1909 (The WaveSurfer-WP plugin for WordPress is vulnerable to Stored 
Cross-S ...)
+       TODO: check
+CVE-2026-1888 (The Docus \u2013 YouTube Video Playlist plugin for WordPress is 
vulner ...)
+       TODO: check
+CVE-2026-1808 (The Orange Confort+ accessibility toolbar for WordPress plugin 
for Wor ...)
+       TODO: check
+CVE-2026-1401 (The Tune Library plugin for WordPress is vulnerable to Stored 
Cross-Si ...)
+       TODO: check
+CVE-2026-1279 (The Employee Directory plugin for WordPress is vulnerable to 
Stored Cr ...)
+       TODO: check
+CVE-2026-1228 (The Timeline Block \u2013 Beautiful Timeline Builder for 
WordPress (Ve ...)
+       TODO: check
+CVE-2026-0598 (A security flaw was identified in the Ansible Lightspeed API 
conversat ...)
+       TODO: check
+CVE-2026-0521 (A reflected cross-site scripting (XSS) vulnerability in the PDF 
export ...)
+       TODO: check
+CVE-2026-0391 (User interface (ui) misrepresentation of critical information 
in Micro ...)
+       TODO: check
+CVE-2026-0106 (In vpu_mmap of vpu_ioctl, there is a possible arbitrary address 
mmap d ...)
+       TODO: check
+CVE-2025-68458 (Webpack is a module bundler. From version 5.49.0 to before 
5.104.1, wh ...)
+       TODO: check
+CVE-2025-68157 (Webpack is a module bundler. From version 5.49.0 to before 
5.104.0, wh ...)
+       TODO: check
+CVE-2025-32393 (AutoGPT is a platform that allows users to create, deploy, and 
manage  ...)
+       TODO: check
+CVE-2025-15566 (A security issue was discovered in ingress-nginxwhere the 
`nginx.ingre ...)
+       TODO: check
+CVE-2025-12131 (A truncated 802.15.4 packet can lead to an assert, resulting 
in a deni ...)
+       TODO: check
+CVE-2025-10753 (The OAuth Single Sign On \u2013 SSO (OAuth Client) plugin for 
WordPres ...)
+       TODO: check
 CVE-2026-25630
        REJECTED
 CVE-2026-23797 (In Quick.Cart user passwords are stored in plaintext form. An 
attacker ...)
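Review bot: the new TODO: check entries in this hunk include upstreams that are packaged in Debian, e.g. CVE-2026-1998 (micropython), CVE-2026-1991 (libuvc), CVE-2026-1979 (mruby) and CVE-2025-68458/CVE-2025-68157 (webpack), so those TODOs should be resolved into package/version lines or a NOT-FOR-US marker rather than left open, while the seven REJECTED entries CVE-2026-25692 through CVE-2026-25698 need no further triage. The CVE-2025-15566 line reads `ingress-nginxwhere the`; the missing space presumably comes from the upstream description text, which later hunks of this same commit (CVE-2024-51962) show being corrected once upstream re-issues the record, so it should not be hand-edited here.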
@@ -1006,9 +1104,11 @@ CVE-2026-1801 (A flaw was found in libsoup, an HTTP 
client/server library. This
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/506
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/b9a1c0663ff8ab6e79715db4b35b54f560416ddd
 CVE-2026-1862 (Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 
allowed  ...)
+       {DSA-6122-1}
        - chromium 144.0.7559.109-2
        [bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2026-1861 (Heap buffer overflow in libvpx in Google Chrome prior to 
144.0.7559.13 ...)
+       {DSA-6122-1}
        - chromium 144.0.7559.109-2
        [bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2026-25616 (Blesta 3.x through 5.x before 5.13.3 mishandles input 
validation, aka  ...)
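Review bot: in this hunk the DSA-6122-1 reference is added to CVE-2026-1862 and CVE-2026-1861, but the fixed-version line stays at `- chromium 144.0.7559.109-2`, which is lower than the upstream fix version 144.0.7559.132 named in the CVE-2026-1862 description; confirm that 109-2 really carries the backported fix, or that the version the DSA shipped is the one recorded. Since this commit touches only data/CVE/list, the matching DSA-6122-1 entry in data/DSA/list must already exist for the cross-reference to resolve.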
@@ -2416,6 +2516,7 @@ CVE-2026-25210 (In libexpat before 2.7.4, the doContent 
function does not proper
        NOTE: Fixed by: 
https://github.com/libexpat/libexpat/commit/8855346359a475c022ec8c28484a76c852f144d9
 (R_2_7_4)
        NOTE: Fixed by: 
https://github.com/libexpat/libexpat/commit/9c2d990389e6abe2e44527eeaa8b39f16fe859c7
 (R_2_7_4)
 CVE-2026-25068 (alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to 
commit  ...)
+       {DLA-4469-1}
        - alsa-lib <unfixed> (bug #1126629)
        [trixie] - alsa-lib <no-dsa> (Minor issue)
        [bookworm] - alsa-lib <no-dsa> (Minor issue)
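Review bot: adding DLA-4469-1 to CVE-2026-25068 while the visible status lines keep `alsa-lib <unfixed>` for unstable and `<no-dsa> (Minor issue)` for trixie and bookworm looks inconsistent; an LTS advisory for bullseye (the suite a DLA covers, whose line falls outside this hunk's context) makes the Minor issue assessment for the newer suites worth revisiting, and the unstable <unfixed> should be checked against the upstream commit the description points to (`prior to commit ...`).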
@@ -3782,7 +3883,7 @@ CVE-2026-23864 (Multiple denial of service 
vulnerabilities exist in React Server
        TODO: check
 CVE-2026-21509 (Reliance on untrusted inputs in a security decision in 
Microsoft Offic ...)
        NOT-FOR-US: Microsoft
-CVE-2026-1446 (There is a Cross Site Scripting issue in Esri ArcGIS Pro 
versions 3.6. ...)
+CVE-2026-1446 (There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS 
Pro ve ...)
        NOT-FOR-US: Esri
 CVE-2026-1429 (Single Sign-On Portal System developed by WellChoose has a 
Reflected C ...)
        NOT-FOR-US: WellChoose
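Review bot: the replacement description for CVE-2026-1446 carries a literal `\u2011` escape (`Cross\u2011Site`) instead of the U+2011 non-breaking hyphen character itself; if that is the file content and not mail rendering, the automatic import is writing JSON escapes into data/CVE/list, and the same artefact recurs in this commit for CVE-2024-8149, CVE-2024-25709, CVE-2024-25705, CVE-2024-25699, CVE-2023-25837 and CVE-2023-25835, and as `\u2013` in the new CVE-2026-1888, CVE-2026-1228 and CVE-2025-10753 entries. Normalising such characters to plain ASCII hyphens on import would keep the list greppable (`Cross-Site`).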
@@ -38512,7 +38613,7 @@ CVE-2025-62263 (Multiple cross-site scripting (XSS) 
vulnerabilities in Liferay P
 CVE-2025-62253 (Open redirect vulnerability in page administration in Liferay 
Portal 7 ...)
        NOT-FOR-US: Liferay
 CVE-2025-61795 (Improper Resource Shutdown or Release vulnerability in Apache 
Tomcat.  ...)
-       {DSA-6120-1 DLA-4468-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4468-1}
        - tomcat11 11.0.15-1 (bug #1119293)
        - tomcat10 10.1.52-1 (bug #1119294)
        - tomcat9 9.0.70-2
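Review bot: this is the first of eleven hunks that prepend DSA-6121-1 to the existing `{DSA-6120-1 ...}` reference sets of Tomcat entries without touching any package/version line; that is consistent with DSA-6121-1 being a second advisory for an already-recorded fix, but because the commit changes only data/CVE/list, check that data/DSA/list already carries the DSA-6121-1 entry with its tomcat source package and version, otherwise the tracker holds a reference with nothing to resolve to.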
@@ -38581,7 +38682,7 @@ CVE-2025-59151 (Pi-hole Admin Interface is a web 
interface for managing Pi-hole,
 CVE-2025-58356 (Constellation is the first Confidential Kubernetes. The 
Constellation  ...)
        NOT-FOR-US: Constellation
 CVE-2025-55754 (Improper Neutralization of Escape, Meta, or Control Sequences 
vulnerab ...)
-       {DSA-6120-1 DLA-4468-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4468-1}
        - tomcat11 11.0.11-1
        - tomcat10 10.1.46-1
        - tomcat9 9.0.70-2
@@ -38591,7 +38692,7 @@ CVE-2025-55754 (Improper Neutralization of Escape, 
Meta, or Control Sequences vu
        NOTE: 
https://github.com/apache/tomcat/commit/138d7f5cfaae683078948303333c080e6faa75d2
 (10.1.45)
        NOTE: 
https://github.com/apache/tomcat/commit/a03cabf3a36a42d27d8d997ed31f034f50ba6cd5
 (9.0.109)
 CVE-2025-55752 (Relative Path Traversal vulnerability in Apache Tomcat.  The 
fix for b ...)
-       {DSA-6120-1 DLA-4468-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4468-1}
        - tomcat11 11.0.11-1
        - tomcat10 10.1.46-1
        - tomcat9 9.0.70-2
@@ -66120,7 +66221,7 @@ CVE-2025-6186 (An issue has been discovered in GitLab 
CE/EE affecting all versio
 CVE-2025-5819 (An issue has been discovered in GitLab CE/EE affecting all 
versions fr ...)
        - gitlab <unfixed>
 CVE-2025-55668 (Session Fixation vulnerability in Apache Tomcat via rewrite 
valve.  Th ...)
-       {DSA-6120-1}
+       {DSA-6121-1 DSA-6120-1}
        - tomcat11 11.0.11-1 (bug #1111099)
        - tomcat10 10.1.46-1 (bug #1111098)
        - tomcat9 9.0.70-2
@@ -66225,7 +66326,7 @@ CVE-2025-50594 (An issue was discovered in 
/Code/Websites/DanpheEMR/Controllers/
 CVE-2025-50251 (Server side request forgery (SSRF) vulnerability in makeplane 
plane 0. ...)
        NOT-FOR-US: makeplane plane
 CVE-2025-48989 (Improper Resource Shutdown or Release vulnerability in Apache 
Tomcat m ...)
-       {DSA-6120-1}
+       {DSA-6121-1 DSA-6120-1}
        - tomcat11 11.0.11-1 (bug #1111097)
        - tomcat10 10.1.52-1 (bug #1111096)
        - tomcat9 9.0.70-2
@@ -75165,7 +75266,7 @@ CVE-2025-53549 (The Matrix Rust SDK is a collection of 
libraries that make it ea
 CVE-2025-53542 (Headlamp is an extensible Kubernetes web UI. A command 
injection vulne ...)
        NOT-FOR-US: Headlamp
 CVE-2025-53506 (Uncontrolled Resource Consumption vulnerability in Apache 
Tomcat if an ...)
-       {DSA-6120-1 DLA-4244-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4244-1}
        - tomcat11 11.0.11-1 (bug #1109113)
        - tomcat10 10.1.46-1 (bug #1109114)
        - tomcat9 9.0.70-2
@@ -75192,7 +75293,7 @@ CVE-2025-52837 (Trend Micro Password Manager (Consumer) 
version 5.8.0.1327 and b
 CVE-2025-52521 (Trend Micro Security 17.8 (Consumer) is vulnerable to a link 
following ...)
        NOT-FOR-US: Trend Micro
 CVE-2025-52520 (For some unlikely configurations of multipart upload, an 
Integer Overf ...)
-       {DSA-6120-1 DLA-4244-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4244-1}
        - tomcat11 11.0.11-1 (bug #1109111)
        - tomcat10 10.1.46-1 (bug #1109112)
        - tomcat9 9.0.70-2
@@ -84173,7 +84274,7 @@ CVE-2025-4565 (Any project that uses Protobuf 
Pure-Python backendto parse untrus
        [bullseye] - protobuf <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: 
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
 CVE-2025-49125 (Authentication Bypass Using an Alternate Path or Channel 
vulnerability ...)
-       {DSA-6120-1 DLA-4244-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4244-1}
        - tomcat11 11.0.11-1 (bug #1108114)
        - tomcat10 10.1.46-1 (bug #1108115)
        - tomcat9 9.0.70-2
@@ -84188,7 +84289,7 @@ CVE-2025-49124 (Untrusted Search Path vulnerability in 
Apache Tomcat installer f
        - tomcat9 <not-affected> (Windows-specific)
        NOTE: https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv
 CVE-2025-48988 (Allocation of Resources Without Limits or Throttling 
vulnerability in  ...)
-       {DSA-6120-1 DLA-4244-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4244-1}
        - tomcat11 11.0.11-1 (bug #1108116)
        - tomcat10 10.1.46-1 (bug #1108117)
        - tomcat9 9.0.70-2
@@ -84198,7 +84299,7 @@ CVE-2025-48988 (Allocation of Resources Without Limits 
or Throttling vulnerabili
        NOTE: 
https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6
 (10.1.42)
        NOTE: 
https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910
 (9.0.106)
 CVE-2025-48976 (Allocation of resources for multipart headers with 
insufficient limits ...)
-       {DSA-6120-1 DLA-4245-1 DLA-4244-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4245-1 DLA-4244-1}
        - libcommons-fileupload-java <unfixed> (bug #1108120)
        [trixie] - libcommons-fileupload-java <no-dsa> (Minor issue)
        [bookworm] - libcommons-fileupload-java <no-dsa> (Minor issue)
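Review bot: for CVE-2025-48976 the only package line inside the hunk, `libcommons-fileupload-java <unfixed>` with `<no-dsa> (Minor issue)` for trixie and bookworm, is untouched while DSA-6121-1 joins DSA-6120-1, DLA-4245-1 and DLA-4244-1; the DSAs must therefore refer to tomcat source package lines beyond the hunk's context, so verify those lines exist and that the no-dsa status of the fileupload library itself is still intended now that four advisories reference the CVE.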
@@ -88779,7 +88880,7 @@ CVE-2025-46823 (openmrs-module-fhir2 provides the FHIR 
REST API and related serv
 CVE-2025-46722 (vLLM is an inference and serving engine for large language 
models (LLM ...)
        - vllm <itp> (bug #1095237)
 CVE-2025-46701 (Improper Handling of Case Sensitivity vulnerability in Apache 
Tomcat's ...)
-       {DSA-6120-1 DLA-4244-1}
+       {DSA-6121-1 DSA-6120-1 DLA-4244-1}
        - tomcat11 11.0.11-1 (bug #1106821)
        - tomcat10 10.1.46-1 (bug #1106820)
        - tomcat9 9.0.70-2
@@ -117794,7 +117895,7 @@ CVE-2024-51966 (There is a path traversal 
vulnerability in ESRI ArcGIS Server ve
        NOT-FOR-US: Esri
 CVE-2024-51963 (There is a stored Cross-site Scripting vulnerability in ArcGIS 
Server  ...)
        NOT-FOR-US: Esri
-CVE-2024-51962 (A SQL injection vulnerability in ArcGIS Server allows an 
EDIToperation ...)
+CVE-2024-51962 (A SQL injection vulnerability in ArcGIS Server allows an EDIT 
operatio ...)
        NOT-FOR-US: Esri
 CVE-2024-51961 (There is a local file inclusion vulnerability in ArcGIS Server 
11.3 an ...)
        NOT-FOR-US: Esri
@@ -164419,7 +164520,7 @@ CVE-2024-9054 (Improper Neutralization of Special 
Elements used in an OS Command
        NOT-FOR-US: Microchip
 CVE-2024-8499 (The Checkout Field Editor (Checkout Manager) for WooCommerce 
plugin fo ...)
        NOT-FOR-US: WordPress plugin
-CVE-2024-8149 (There is a reflected XSS vulnerability in Esri Portal for 
ArcGIS versi ...)
+CVE-2024-8149 (There is a reflected Cross\u2011Site Scripting (XSS) 
vulnerability in  ...)
        NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2024-8148 (There is an unvalidated redirect vulnerability in Esri Portal 
for ArcG ...)
        NOT-FOR-US: Esri Portal for ArcGIS
@@ -216458,13 +216559,13 @@ CVE-2024-27575 (INOTEC Sicherheitstechnik WebServer 
CPS220/64 3.3.19 allows a re
        NOT-FOR-US: INOTEC
 CVE-2024-27268 (IBM WebSphere Application Server Liberty 18.0.0.2 through 
24.0.0.4 is  ...)
        NOT-FOR-US: IBM
-CVE-2024-25709 (There is a stored Cross-site Scripting vulnerability in Esri 
Portal fo ...)
+CVE-2024-25709 (There is a stored Cross\u2011Site Scripting (XSS) 
vulnerability in Esr ...)
        NOT-FOR-US: Esri Portal
 CVE-2024-25708 (There is a stored Cross-site Scripting vulnerability in Esri 
Portal fo ...)
        NOT-FOR-US: Esri Portal
 CVE-2024-25706 (There is an HTML injection vulnerability in Esri Portal for 
ArcGIS 11. ...)
        NOT-FOR-US: Esri Portal
-CVE-2024-25705 (There is a cross site scripting vulnerability in the Esri 
Portal for A ...)
+CVE-2024-25705 (There is a cross\u2011site scripting (XSS) vulnerability in 
Esri Porta ...)
        NOT-FOR-US: Esri Portal
 CVE-2024-25704
        REJECTED
@@ -216472,7 +216573,7 @@ CVE-2024-25703
        REJECTED
 CVE-2024-25700 (There is a stored Cross-site Scripting vulnerability in Esri 
Portal fo ...)
        NOT-FOR-US: Esri
-CVE-2024-25699 (There is a difficult to exploit improper authentication issue 
in the H ...)
+CVE-2024-25699 (There is a difficult\u2011to\u2011exploit improper 
authentication issu ...)
        NOT-FOR-US: Esri Portal
 CVE-2024-25698 (There is a reflected cross site scripting vulnerability in the 
home ap ...)
        NOT-FOR-US: Esri Portal
@@ -292102,11 +292203,11 @@ CVE-2023-25839 (There is SQL injection 
vulnerability in Esri ArcGIS Insights Des
        NOT-FOR-US: Esri ArcGIS
 CVE-2023-25838 (There is SQL injection vulnerabilityin Esri ArcGIS Insights 
2022.1 for ...)
        NOT-FOR-US: Esri ArcGIS
-CVE-2023-25837 (There is a Cross-site Scripting vulnerabilityin Esri ArcGIS 
Enterprise ...)
+CVE-2023-25837 (There is a Cross\u2011Site Scripting (XSS) vulnerability in 
Esri ArcGI ...)
        NOT-FOR-US: Esri
 CVE-2023-25836 (There is a Cross-site Scripting vulnerabilityin Esri Portal 
for ArcGIS ...)
        NOT-FOR-US: Esri
-CVE-2023-25835 (There is a stored Cross-site Scripting vulnerabilityin Esri 
Portal for ...)
+CVE-2023-25835 (There is a stored Cross\u2011Site Scripting (XSS) 
vulnerability in Esr ...)
        NOT-FOR-US: Esri
 CVE-2023-25834 (Changes to user permissions in Portal for ArcGIS 10.9.1 and 
below are  ...)
        NOT-FOR-US: Esri
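Review bot: the corrections to CVE-2023-25837 and CVE-2023-25835 fix the `vulnerabilityin` spacing, but the unchanged context lines CVE-2023-25838 and CVE-2023-25836 still read `vulnerabilityin`; since these descriptions are mirrored from the upstream CVE records, the partial fix most likely reflects which records upstream has re-issued, so it should be left to a later automatic update rather than edited by hand.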



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5aaf366ee379f1bdfa545b8b49ea1d711bbdabe



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
