Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d1706c64 by Salvatore Bonaccorso at 2026-02-26T22:12:26+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,15 +1,15 @@
 CVE-2026-3071 (Deserialization of untrusted data in the LanguageModel class of 
Flair  ...)
        NOT-FOR-US: LanguageModel class of Flair
 CVE-2026-2680 (Reflected Cross-Site Scripting (XSS) on the A3factura web 
platform, in ...)
-       TODO: check
+       NOT-FOR-US: A3factura web platform
 CVE-2026-2679 (Reflected Cross-Site Scripting (XSS) on the A3factura web 
platform, in ...)
-       TODO: check
+       NOT-FOR-US: A3factura web platform
 CVE-2026-2678 (Reflected Cross-Site Scripting (XSS) on the A3factura web 
platform, in ...)
-       TODO: check
+       NOT-FOR-US: A3factura web platform
 CVE-2026-2677 (Reflected Cross-Site Scripting (XSS) on the A3factura web 
platform, in ...)
-       TODO: check
+       NOT-FOR-US: A3factura web platform
 CVE-2026-2244 (A vulnerability in Google Cloud Vertex AI Workbench 
from7/21/2025 to 0 ...)
-       TODO: check
+       NOT-FOR-US: Google Cloud Vertex AI Workbench
 CVE-2026-28296 (A flaw was found in the FTP GVfs backend. A remote attacker 
could expl ...)
        TODO: check
 CVE-2026-28295 (A flaw was found in the FTP GVfs backend. A malicious FTP 
server can e ...)
@@ -47,13 +47,13 @@ CVE-2026-26934 (Improper Validation of Specified Quantity 
in Input (CWE-1284) in
 CVE-2026-26932 (Improper Validation of Array Index (CWE-129) in the PostgreSQL 
protoco ...)
        TODO: check
 CVE-2026-26682 (An issue in fastCMS before v.0.1.6 allows a local attacker to 
execute  ...)
-       TODO: check
+       NOT-FOR-US: fastCMS
 CVE-2026-26265 (Discourse is an open source discussion platform. Prior to 
versions 202 ...)
        NOT-FOR-US: Discourse
 CVE-2026-26228 (VideoLAN VLC for Android prior to version 3.7.0 contains a 
path traver ...)
-       TODO: check
+       NOT-FOR-US: VideoLAN VLC for Android
 CVE-2026-26227 (VideoLAN VLC for Android prior to version 3.7.0 contains an 
authentica ...)
-       TODO: check
+       NOT-FOR-US: VideoLAN VLC for Android
 CVE-2026-26207 (Discourse is an open source discussion platform. Prior to 
versions 202 ...)
        NOT-FOR-US: Discourse
 CVE-2026-26078 (Discourse is an open source discussion platform. Prior to 
versions 202 ...)
@@ -61,35 +61,35 @@ CVE-2026-26078 (Discourse is an open source discussion 
platform. Prior to versio
 CVE-2026-26077 (Discourse is an open source discussion platform. Prior to 
versions 202 ...)
        NOT-FOR-US: Discourse
 CVE-2026-23939 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
-       TODO: check
+       NOT-FOR-US: hexpm
 CVE-2026-23750 (Golioth Pouch version 0.1.0, prior to commit 1b2219a1, 
contains a heap ...)
-       TODO: check
+       NOT-FOR-US: Golioth Pouch
 CVE-2026-23749 (Golioth Firmware SDK version0.19.1prior to 0.22.0, fixed in 
commit0e78 ...)
-       TODO: check
+       NOT-FOR-US: Golioth
 CVE-2026-23748 (Golioth Firmware SDK version0.10.0 prior to 0.22.0, fixed in 
commitd7f ...)
-       TODO: check
+       NOT-FOR-US: Golioth
 CVE-2026-23747 (Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in 
commit48 ...)
-       TODO: check
+       NOT-FOR-US: Golioth
 CVE-2026-22722 (A malicious actor with authenticated user privileges on a 
Windows base ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2026-22715 (VMWare Workstation and Fusion contain a logic flaw in the 
management o ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2026-1565 (The User Frontend: AI Powered Frontend Posting, User Directory, 
Profil ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-1241 (The Pelco, Inc. Sarix Professional 3 Series Cameras are 
vulnerable to  ...)
-       TODO: check
+       NOT-FOR-US: Pelco, Inc. Sarix Professional 3 Series Cameras
 CVE-2026-1198 (SIMPLE.ERP is vulnerable to the SQL Injection in search 
functionality  ...)
-       TODO: check
+       NOT-FOR-US: SIMPLE.ERP
 CVE-2025-71057 (Improper session management in D-Link Wireless N 300 ADSL2+ 
Modem Rout ...)
        NOT-FOR-US: D-Link
 CVE-2025-64999 (Improper neutralization of input in Checkmk versions 2.4.0 
before 2.4. ...)
        TODO: check
 CVE-2025-56605 (A reflected Cross-Site Scripting (XSS) vulnerability exists in 
the reg ...)
-       TODO: check
+       NOT-FOR-US: PuneethReddyHC Event Management System
 CVE-2025-50857 (ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory 
Travers ...)
-       TODO: check
+       NOT-FOR-US: ZenTaoPMS
 CVE-2025-14343 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
-       TODO: check
+       NOT-FOR-US: okuzsoft Technology E-Commerce Product
 CVE-2025-11384
        REJECTED
 CVE-2025-11383
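
Review bot: The three Golioth Firmware SDK entries (CVE-2026-23749, CVE-2026-23748, CVE-2026-23747) are tagged with the vendor only, "NOT-FOR-US: Golioth", while CVE-2026-23750 directly above them is tagged with the product, "NOT-FOR-US: Golioth Pouch". Tagging the three as "NOT-FOR-US: Golioth Firmware SDK" would keep the granularity consistent within one vendor and let a later search by product name find them. The same vendor-versus-product split appears further down in this hunk between "NOT-FOR-US: VMware" and "NOT-FOR-US: Pelco, Inc. Sarix Professional 3 Series Cameras".
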
@@ -216,7 +216,7 @@ CVE-2026-27837 (Dottie provides nested object access and 
manipulation in JavaScr
        NOTE: Fixed by: 
https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14
 (v2.0.7)
        NOTE: CVE exists because of an incomplete fix for CVE-2023-26132.
 CVE-2026-27831 (rldns is an open source DNS server. Version 2.3 has a 
heap-based out-o ...)
-       TODO: check
+       NOT-FOR-US: rldns
 CVE-2026-27830 (c3p0, a JDBC Connection pooling library, is vulnerable to 
attack via m ...)
        TODO: check
 CVE-2026-27829 (Astro is a web framework. In versions 9.0.0 through 9.5.3, a 
bug in As ...)
@@ -260,7 +260,7 @@ CVE-2026-27710 (NanaZip is an open source file archive. 
Starting in version 5.0.
 CVE-2026-27709 (NanaZip is an open source file archive. Starting in version 
5.0.1252.0 ...)
        NOT-FOR-US: NanaZip
 CVE-2026-27635 (Manyfold is an open source, self-hosted web application for 
managing a ...)
-       TODO: check
+       NOT-FOR-US: Manyfold
 CVE-2026-27633 (TinyWeb is a web server (HTTP, HTTPS) written in Delphi for 
Win32. Ver ...)
        NOT-FOR-US: TinyWeb
 CVE-2026-27630 (TinyWeb is a web server (HTTP, HTTPS) written in Delphi for 
Win32. Ver ...)
@@ -292,49 +292,49 @@ CVE-2026-27148 (Storybook is a frontend workshop for 
building user interface com
 CVE-2026-27116 (Vikunja is an open-source self-hosted task management 
platform. Prior  ...)
        NOT-FOR-US: Vikunja
 CVE-2026-26985 (LORIS (Longitudinal Online Research and Imaging System) is a 
self-host ...)
-       TODO: check
+       NOT-FOR-US: LORIS (Longitudinal Online Research and Imaging System)
 CVE-2026-26984 (LORIS (Longitudinal Online Research and Imaging System) is a 
self-host ...)
-       TODO: check
+       NOT-FOR-US: LORIS (Longitudinal Online Research and Imaging System)
 CVE-2026-26186 (Fleet is open source device management software. A SQL 
injection vulne ...)
-       TODO: check
+       NOT-FOR-US: Fleet
 CVE-2026-25963 (Fleet is open source device management software. In versions 
prior to  ...)
-       TODO: check
+       NOT-FOR-US: Fleet
 CVE-2026-25736 (Rucio is a software framework that provides functionality to 
organize, ...)
-       TODO: check
+       NOT-FOR-US: Rucio
 CVE-2026-25735 (Rucio is a software framework that provides functionality to 
organize, ...)
-       TODO: check
+       NOT-FOR-US: Rucio
 CVE-2026-25734 (Rucio is a software framework that provides functionality to 
organize, ...)
-       TODO: check
+       NOT-FOR-US: Rucio
 CVE-2026-25733 (Rucio is a software framework that provides functionality to 
organize, ...)
-       TODO: check
+       NOT-FOR-US: Rucio
 CVE-2026-25191 (The installer of FinalCode Client provided by Digital Arts 
Inc. contai ...)
-       TODO: check
+       NOT-FOR-US: Digital Arts
 CVE-2026-24004 (Fleet is open source device management software. In versions 
prior to  ...)
-       TODO: check
+       NOT-FOR-US: Fleet
 CVE-2026-23999 (Fleet is open source device management software. In versions 
prior to  ...)
-       TODO: check
+       NOT-FOR-US: Fleet
 CVE-2026-23703 (The installer of FinalCode Client provided by Digital Arts 
Inc. contai ...)
-       TODO: check
+       NOT-FOR-US: Digital Arts
 CVE-2026-22728 (Bitnami Sealed Secretsis vulnerable to a scope-widening attack 
during  ...)
-       TODO: check
+       NOT-FOR-US: Bitnami Sealed Secrets
 CVE-2026-22721 (VMware Aria Operations contains a privilege escalation 
vulnerability.  ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2026-1779 (The User Registration & Membership plugin for WordPress is 
vulnerable  ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-1698 (A HTTP Host header attack vulnerability affects WebClient and 
the WebS ...)
-       TODO: check
+       NOT-FOR-US: PcVue
 CVE-2026-1697 (The Secure and SameSite attribute are missing in the 
GraphicalData web ...)
-       TODO: check
+       NOT-FOR-US: PcVue
 CVE-2026-1696 (Some HTTP security headers are not properly set by the web 
server when ...)
-       TODO: check
+       NOT-FOR-US: PcVue
 CVE-2026-1695 (An XSS vulnerability affects the OAuth web services used by the 
WebVue ...)
-       TODO: check
+       NOT-FOR-US: PcVue
 CVE-2026-1694 (HTTP headers are added by the default configuration of IIS and 
ASP.net ...)
-       TODO: check
+       NOT-FOR-US: PcVue
 CVE-2026-1693 (The OAuth grant type Resource Owner Password Credentials (ROPC) 
flow i ...)
-       TODO: check
+       NOT-FOR-US: PcVue
 CVE-2026-1692 (A missing origin validation in WebSockets vulnerability affects 
the Gr ...)
-       TODO: check
+       NOT-FOR-US: PcVue
 CVE-2026-1557 (The WP Responsive Images plugin for WordPress is vulnerable to 
Path Tr ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-1311 (The Worry Proof Backup plugin for WordPress is vulnerable to 
Path Trav ...)
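
Review bot: CVE-2026-25191 and CVE-2026-23703 are tagged "NOT-FOR-US: Digital Arts", although both descriptions name the affected software as the installer of FinalCode Client. The other additions in this hunk (Fleet, Rucio, Bitnami Sealed Secrets) tag the product, so "NOT-FOR-US: FinalCode Client" would be the consistent choice here. On the two LORIS entries, the tag repeats the full expansion "(Longitudinal Online Research and Imaging System)" from the description; "NOT-FOR-US: LORIS" would be enough and is easier to match when triaging future LORIS CVEs.
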
@@ -406,7 +406,7 @@ CVE-2026-2878 (In Progress\xae Telerik\xae UI for AJAX, 
versions prior to 2026.1
 CVE-2026-2636 (This vulnerability is caused by a CWE\u2011159: "Improper 
Handling of  ...)
        NOT-FOR-US: Fortra
 CVE-2026-2624 (Missing Authentication for Critical Function vulnerability in 
ePati Cy ...)
-       TODO: check
+       NOT-FOR-US: Antikor Next Generation Firewall (NGFW)
 CVE-2026-2479 (The Responsive Lightbox & Gallery plugin for WordPress is 
vulnerable t ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-2416 (The Geo Mashup plugin for WordPress is vulnerable to SQL 
Injection via ...)
@@ -468,7 +468,7 @@ CVE-2026-27699 (The `basic-ftp` FTP client library for 
Node.js contains a path t
        NOTE: 
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
        NOTE: 
https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9
 (v5.2.0)
 CVE-2026-27695 (zae-limiter is a rate limiting library using the token bucket 
algorith ...)
-       TODO: check
+       NOT-FOR-US: zae-limiter
 CVE-2026-27692 (iccDEV provides a set of libraries and tools for working with 
ICC colo ...)
        NOT-FOR-US: iccDEV
 CVE-2026-27691 (iccDEV provides a set of libraries and tools for working with 
ICC colo ...)
@@ -506,9 +506,9 @@ CVE-2026-25220 (OpenEMR is a free and open source 
electronic health records and
 CVE-2026-25164 (OpenEMR is a free and open source electronic health records 
and medica ...)
        NOT-FOR-US: OpenEMR
 CVE-2026-25138 (Rucio is a software framework that provides functionality to 
organize, ...)
-       TODO: check
+       NOT-FOR-US: Rucio
 CVE-2026-25136 (Rucio is a software framework that provides functionality to 
organize, ...)
-       TODO: check
+       NOT-FOR-US: Rucio
 CVE-2026-24908 (OpenEMR is a free and open source electronic health records 
and medica ...)
        NOT-FOR-US: OpenEMR
 CVE-2026-24890 (OpenEMR is a free and open source electronic health records 
and medica ...)
@@ -516,15 +516,15 @@ CVE-2026-24890 (OpenEMR is a free and open source 
electronic health records and
 CVE-2026-24487 (OpenEMR is a free and open source electronic health records 
and medica ...)
        NOT-FOR-US: OpenEMR
 CVE-2026-24005 (Kruise provides automated management of large-scale 
applications on Ku ...)
-       TODO: check
+       NOT-FOR-US: Kruise
 CVE-2026-23627 (OpenEMR is a free and open source electronic health records 
and medica ...)
        NOT-FOR-US: OpenEMR
 CVE-2026-22866 (Ethereum Name Service (ENS) is a distributed, open, and 
extensible nam ...)
        TODO: check
 CVE-2026-22720 (VMware Aria Operations contains a stored cross-site scripting 
vulnerab ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2026-22719 (VMware Aria Operations contains a command injection 
vulnerability. A m ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2026-21902 (An Incorrect Permission Assignment for Critical Resource 
vulnerability ...)
        NOT-FOR-US: Juniper
 CVE-2026-21725 (A time-of-create-to-time-of-use (TOCTOU) vulnerability lets 
recently d ...)
@@ -542,23 +542,23 @@ CVE-2026-20126 (A vulnerability in Cisco Catalyst SD-WAN 
Manager could allow an
 CVE-2026-20122 (A vulnerability in the API of Cisco Catalyst SD-WAN Manager 
could allo ...)
        NOT-FOR-US: Cisco
 CVE-2026-20107 (A vulnerability in the Object Model CLI component of Cisco 
Application ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2026-20099 (A vulnerability in the web-based management interface of Cisco 
FXOS So ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2026-20091 (A vulnerability in the web-based management interface of Cisco 
FXOS So ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2026-20051 (A vulnerability with the Ethernet VPN (EVPN) Layer 2 ingress 
packet pr ...)
        NOT-FOR-US: Cisco
 CVE-2026-20048 (A vulnerability in the Simple Network Management Protocol 
(SNMP) subsy ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2026-20037 (A vulnerability in the NX-OS CLI privilege levels of Cisco UCS 
Manager ...)
        NOT-FOR-US: Cisco
 CVE-2026-20036 (A vulnerability in the CLI and web-based management interface 
of Cisco ...)
        NOT-FOR-US: Cisco
 CVE-2026-20033 (A vulnerability in Cisco Nexus 9000 Series Fabric Switches in 
ACI mode ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2026-20010 (A vulnerability in the Link Layer Discovery Protocol (LLDP) 
feature of ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2026-1929 (The Advanced Woo Labels plugin for WordPress is vulnerable to 
Remote C ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-1916 (The WPGSI: Spreadsheet Integration plugin for WordPress is 
vulnerable  ...)
@@ -566,19 +566,19 @@ CVE-2026-1916 (The WPGSI: Spreadsheet Integration plugin 
for WordPress is vulner
 CVE-2026-0704 (In affected version of Octopus Deploy it was possible to remove 
files  ...)
        NOT-FOR-US: Octopus Deploy
 CVE-2025-69771 (An arbitrary file upload vulnerability in the subtitle loading 
functio ...)
-       TODO: check
+       NOT-FOR-US: asbplayer
 CVE-2025-67860 (A vulnerability has been identified in the NeuVector scanner 
where the ...)
-       TODO: check
+       NOT-FOR-US: NeuVector
 CVE-2025-67601 (A vulnerability has been identified within Rancher Manager, 
where usin ...)
        NOT-FOR-US: SUSE
 CVE-2025-62878 (A malicious user can manipulate the parameters.pathPatternto 
create Pe ...)
-       TODO: check
+       NOT-FOR-US: Rancher
 CVE-2025-50180 (esm.sh is a no-build content delivery network (CDN) for web 
developmen ...)
-       TODO: check
+       NOT-FOR-US: esm.sh
 CVE-2025-3525 (GitLab has remediated an issue in GitLab CE/EE affecting all 
versions  ...)
        - gitlab <unfixed>
 CVE-2025-1242 (The administrative credentials can be extracted through 
application AP ...)
-       TODO: check
+       NOT-FOR-US: Gardyn
 CVE-2025-14742 (The WP Recipe Maker plugin for WordPress is vulnerable to 
unauthorized ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-14103 (GitLab has remediated an issue in GitLab CE/EE affecting all 
versions  ...)
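
Review bot: CVE-2025-62878 is tagged "NOT-FOR-US: Rancher", but the existing Rancher Manager entry directly above it, CVE-2025-67601, carries "NOT-FOR-US: SUSE". Two different tags for Rancher issues in adjacent entries means a search on either tag misses the other; pick one and use it for both, either by changing the new line to match the existing "SUSE" tag or by adjusting CVE-2025-67601 in the same commit.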



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1706c649f7d675a94639e0b53c483bc8fe21307
