Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
68335166 by Salvatore Bonaccorso at 2026-02-27T21:35:07+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,13 +1,13 @@
 CVE-2026-3327 (Authenticated Iframe Injection in Dato CMS Web Previews plugin. 
This v ...)
-       TODO: check
+       NOT-FOR-US: Dato CMS Web Previews plugin
 CVE-2026-3304 (Multer is a node.js middleware for handling 
`multipart/form-data`. A v ...)
-       TODO: check
+       NOT-FOR-US: Node multer
 CVE-2026-3277 (The OpenID Connect (OIDC) authentication configuration in 
PowerShell   ...)
        NOT-FOR-US: Devolutions
 CVE-2026-3223 (Arbitrary file write & potential privilege escalation 
exploiting zip s ...)
-       TODO: check
+       NOT-FOR-US: Google Web Designer
 CVE-2026-2880 (A vulnerability in @fastify/middie versions < 9.2.0 can result 
in auth ...)
-       TODO: check
+       NOT-FOR-US: fastify/middie
 CVE-2026-2831 (The MailArchiver plugin for WordPress is vulnerable to SQL 
Injection v ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-2751 (Blind SQL Injection via unsanitized array keys in Service 
Dependencies ...)
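Review bot: the added tag for CVE-2026-2880 reads "NOT-FOR-US: fastify/middie" while the description names the npm package as "@fastify/middie"; using the scoped package name as it appears upstream keeps the NOT-FOR-US notes greppable and consistent with how the multer entries in this file name the package after its upstream name.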
@@ -21,7 +21,7 @@ CVE-2026-2383 (The Simple Download Monitor plugin for 
WordPress is vulnerable to
 CVE-2026-2362 (The WP Accessibility plugin for WordPress is vulnerable to 
Stored DOM- ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-2359 (Multer is a node.js middleware for handling 
`multipart/form-data`. A v ...)
-       TODO: check
+       NOT-FOR-US: Node multer
 CVE-2026-2293 (A NestJS application using @nestjs/platform-fastify can allow 
bypass o ...)
        TODO: check
 CVE-2026-2252 (An XML External Entity (XXE) vulnerability allows malicious 
user to pe ...)
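Review bot: CVE-2026-2293 (@nestjs/platform-fastify) is left at "TODO: check" in this hunk even though the neighbouring fastify and multer Node entries are triaged as NOT-FOR-US in the same commit; if the same reasoning (package not shipped in Debian) applies, it could be resolved in this pass rather than left for a later one. The "NOT-FOR-US: Node multer" tag for CVE-2026-2359 matches the one used for CVE-2026-3304, which is good.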
@@ -29,41 +29,41 @@ CVE-2026-2252 (An XML External Entity (XXE) vulnerability 
allows malicious user
 CVE-2026-2251 (Improper limitation of a pathname to a restricted directory 
(Path Trav ...)
        NOT-FOR-US: Xerox
 CVE-2026-28354 (ClipBucket v5 is an open source video sharing platform. Prior 
to versi ...)
-       TODO: check
+       NOT-FOR-US: ClipBucket
 CVE-2026-27947 (Group-Office is an enterprise customer relationship management 
and gro ...)
-       TODO: check
+       NOT-FOR-US: Group-Office
 CVE-2026-27836 (phpMyFAQ is an open source FAQ web application. Prior to 
version 4.0.1 ...)
-       TODO: check
+       NOT-FOR-US: phpMyFAQ
 CVE-2026-27832 (Group-Office is an enterprise customer relationship management 
and gro ...)
-       TODO: check
+       NOT-FOR-US: Group-Office
 CVE-2026-27824 (calibre is a cross-platform e-book manager for viewing, 
converting, ed ...)
        TODO: check
 CVE-2026-27810 (calibre is a cross-platform e-book manager for viewing, 
converting, ed ...)
        TODO: check
 CVE-2026-27793 (Seerr is an open-source media request and discovery manager 
for Jellyf ...)
-       TODO: check
+       NOT-FOR-US: Seerr
 CVE-2026-27792 (Seerr is an open-source media request and discovery manager 
for Jellyf ...)
-       TODO: check
+       NOT-FOR-US: Seerr
 CVE-2026-27758 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a c ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27757 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain an  ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27756 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a r ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27755 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a w ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27754 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use 
the cry ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27753 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain an  ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27752 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
transmit au ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27751 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a d ...)
-       TODO: check
+       NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
 CVE-2026-27734 (Beszel is a server monitoring platform. Prior to version 
0.18.2, the h ...)
        TODO: check
 CVE-2026-27707 (Seerr is an open-source media request and discovery manager 
for Jellyf ...)
-       TODO: check
+       NOT-FOR-US: Seerr
 CVE-2026-27583
        REJECTED
 CVE-2026-27582
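Review bot: CVE-2026-27824 and CVE-2026-27810 (calibre) stay at "TODO: check" here; calibre is packaged in Debian, so these two will need a source package line (with fixed or unfixed versions) rather than a NOT-FOR-US tag, and ideally a NOTE pointing at the upstream fix. The eight SODOLA SL902-SWTGW124AS entries all carry the same long tag, which is fine for consistency, but a single NOTE with the vendor advisory URL on the first of them would make the shared origin of the batch easier to trace later.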
@@ -83,11 +83,11 @@ CVE-2026-27201
 CVE-2026-27200
        REJECTED
 CVE-2026-26997 (ClipBucket v5 is an open source video sharing platform. Prior 
to versi ...)
-       TODO: check
+       NOT-FOR-US: ClipBucket
 CVE-2026-26862 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to 
DOM-base ...)
-       TODO: check
+       NOT-FOR-US: CleverTap Web SDK
 CVE-2026-26861 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to 
Cross-Si ...)
-       TODO: check
+       NOT-FOR-US: CleverTap Web SDK
 CVE-2026-25147 (OpenEMR is a free and open source electronic health records 
and medica ...)
        NOT-FOR-US: OpenEMR
 CVE-2026-24488 (OpenEMR is a free and open source electronic health records 
and medica ...)
@@ -99,9 +99,9 @@ CVE-2026-24351 (PluXml CMS is vulnerable to Stored XSS in 
Static Pages editing f
 CVE-2026-24350 (PluXml CMS is vulnerable to Stored XSS in file uploading 
functionality ...)
        TODO: check
 CVE-2026-22717 (Out-of-bound read vulnerability in VMware Workstation 25H1 and 
below o ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2026-22716 (Out-of-bound write vulnerability in VMware Workstation 25H1 
and below  ...)
-       TODO: check
+       NOT-FOR-US: VMware
 CVE-2026-21660 (Hardcoded Email Credentials Saved as Plaintext in Firmware 
(CWE-256: P ...)
        NOT-FOR-US: Johnson Controls
 CVE-2026-21659 (Unauthenticated Remote Code Execution and Information 
Disclosure due t ...)
@@ -115,17 +115,17 @@ CVE-2026-21656 (Improper Control of Generation of Code 
('Code Injection') vulner
 CVE-2026-21654 (Improper Neutralization of Special Elements used in an OS 
Command ('OS ...)
        NOT-FOR-US: Johnson Controls
 CVE-2026-21619 (Uncontrolled Resource Consumption, Deserialization of 
Untrusted Data v ...)
-       TODO: check
+       NOT-FOR-US: hexpm
 CVE-2026-1627 (An attacker may exploit the use of outdated and weak MAC 
algorithms in ...)
        NOT-FOR-US: SICK AG
 CVE-2026-1626 (An attacker may exploit the use of weak CBC-based cipher suites 
in the ...)
        NOT-FOR-US: SICK AG
 CVE-2026-1434 (Omega-PSIR is vulnerable to Reflected XSS via the lang 
parameter. An a ...)
-       TODO: check
+       NOT-FOR-US: Omega-PSIR
 CVE-2026-1305 (The Japanized for WooCommerce plugin for WordPress is 
vulnerable to Im ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-69437 (PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. 
Uploade ...)
-       TODO: check
+       NOT-FOR-US: PublicCMS
 CVE-2025-15498 (Pro3W CMS if vulnerable toSQL injection attacks.Improper 
neutralizatio ...)
        TODO: check
 CVE-2025-14142 (The Electric Enquiries plugin for WordPress is vulnerable to 
Stored Cr ...)
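Review bot: for CVE-2026-21619 the truncated description ("Uncontrolled Resource Consumption, Deserialization of Untrusted Data v ...") never names the affected software, so the new "NOT-FOR-US: hexpm" tag is the only record of what was triaged; a slightly fuller name for the component, or a NOTE with the advisory link, would make the decision easier to re-verify if a Debian package later turns out to be affected.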
@@ -279,17 +279,17 @@ CVE-2026-27835 (wger is a free, open-source workout and 
fitness manager. In vers
 CVE-2026-27776 (IM-LogicDesigner module of intra-mart Accel Platform contains 
insecure ...)
        NOT-FOR-US: IM-LogicDesigner module of intra-mart Accel Platform
 CVE-2026-27773 (Charging station authentication identifiers are publicly 
accessible vi ...)
-       TODO: check
+       NOT-FOR-US: SWITCH EV
 CVE-2026-27772 (WebSocket endpoints lack proper authentication mechanisms, 
enabling  a ...)
-       TODO: check
+       NOT-FOR-US: EV Energy
 CVE-2026-27767 (WebSocket endpoints lack proper authentication mechanisms, 
enabling  a ...)
-       TODO: check
+       NOT-FOR-US: SWITCH EV
 CVE-2026-27653 (The installers for multiple products provided by Soliton 
Systems K.K.  ...)
        NOT-FOR-US: Soliton
 CVE-2026-27652 (The WebSocket backend uses charging station identifiers to 
uniquely  a ...)
-       TODO: check
+       NOT-FOR-US: CloudCharge
 CVE-2026-27647 (The WebSocket backend uses charging station identifiers to 
uniquely  a ...)
-       TODO: check
+       NOT-FOR-US: Mobility46
 CVE-2026-27638 (Actual is a local-first personal finance tool. Prior to 
version 26.2.1 ...)
        NOT-FOR-US: Actual
 CVE-2026-27457 (Weblate is a web based localization tool. Prior to version 
5.16.1, the ...)
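Review bot: CVE-2026-27772 and CVE-2026-27767 carry identical descriptions ("WebSocket endpoints lack proper authentication mechanisms, enabling a ...") yet are tagged to different vendors (EV Energy and SWITCH EV), and the same holds for CVE-2026-27652 (CloudCharge) and CVE-2026-27647 (Mobility46); since nothing in the visible text distinguishes them, the vendor attribution in each NOT-FOR-US line should be double-checked against the full advisory so the tags are not accidentally swapped.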
@@ -311,35 +311,35 @@ CVE-2026-27150 (Discourse is an open source discussion 
platform. Prior to versio
 CVE-2026-27149 (Discourse is an open source discussion platform. Prior to 
versions 202 ...)
        NOT-FOR-US: Discourse
 CVE-2026-27028 (WebSocket endpoints lack proper authentication mechanisms, 
enabling  a ...)
-       TODO: check
+       NOT-FOR-US: Mobility46
 CVE-2026-27021 (Discourse is an open source discussion platform. Prior to 
versions 202 ...)
        NOT-FOR-US: Discourse
 CVE-2026-26305 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: Mobility46
 CVE-2026-26290 (The WebSocket backend uses charging station identifiers to 
uniquely  a ...)
-       TODO: check
+       NOT-FOR-US: EV Energy
 CVE-2026-25945 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: EV2GO
 CVE-2026-25851 (WebSocket endpoints lack proper authentication mechanisms, 
enabling  a ...)
-       TODO: check
+       NOT-FOR-US: Chargemap
 CVE-2026-25778 (The WebSocket backend uses charging station identifiers to 
uniquely  a ...)
-       TODO: check
+       NOT-FOR-US: SWITCH EV
 CVE-2026-25774 (Charging station authentication identifiers are publicly 
accessible vi ...)
-       TODO: check
+       NOT-FOR-US: EV Energy
 CVE-2026-25741 (Zulip is an open-source team collaboration tool. Prior to 
commit bf28c ...)
        - zulip-server <itp> (bug #800052)
 CVE-2026-25721 (An OS command injection  vulnerability exists in XWEB Pro 
version 1.12 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-25711 (The WebSocket backend uses charging station identifiers to 
uniquely  a ...)
-       TODO: check
+       NOT-FOR-US: Chargemap
 CVE-2026-25196 (An OS command injection  vulnerability exists in XWEB Pro 
version 1.12 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-25195 (An OS command injection     vulnerability exists in XWEB Pro 
version 1 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-25114 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: CloudCharge
 CVE-2026-25113 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: SWITCH EV
 CVE-2026-25111 (An OS command injection  vulnerability exists in XWEB Pro 
version 1.12 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-25109 (An OS command injection    vulnerability exists in XWEB Pro 
version 1. ...)
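Review bot: this hunk assigns ten charging-station entries with near-identical boilerplate descriptions to five different vendors (Mobility46, EV Energy, EV2GO, Chargemap, SWITCH EV); a NOTE line with the source advisory on the cluster, in the style of the NOTE already used for CVE-2026-22206 further down in this file, would document how each CVE was mapped to its vendor and save the next triager from re-deriving it.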
@@ -351,7 +351,7 @@ CVE-2026-25085 (A vulnerability exists in Copeland XWEB Pro 
version 1.12.1 and p
 CVE-2026-25037 (An OS command injection   vulnerability exists in XWEB Pro 
version 1.1 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-24731 (WebSocket endpoints lack proper authentication mechanisms, 
enabling  a ...)
-       TODO: check
+       NOT-FOR-US: EV2GO
 CVE-2026-24695 (An OS command injection      vulnerability exists in XWEB Pro 
version  ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-24689 (An OS command injection   vulnerability exists in XWEB Pro 
version 1.1 ...)
@@ -361,23 +361,23 @@ CVE-2026-24663 (An OS command injection vulnerability 
exists in XWEB Pro version
 CVE-2026-24517 (An OS command injection    vulnerability exists in XWEB Pro 
version 1. ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-24498 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-       TODO: check
+       NOT-FOR-US: IpTIME
 CVE-2026-24497 (Stack-based Buffer Overflow vulnerability in SimTech Systems, 
Inc. Thi ...)
-       TODO: check
+       NOT-FOR-US: SimTech Systems
 CVE-2026-24452 (An OS command injection   vulnerability exists in XWEB Pro 
version 1.1 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-24445 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: EV Energy
 CVE-2026-23702 (An OS command injection  vulnerability exists in XWEB Pro 
version 1.12 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-22890 (Charging station authentication identifiers are publicly 
accessible vi ...)
-       TODO: check
+       NOT-FOR-US: EV2GO
 CVE-2026-22878 (Charging station authentication identifiers are publicly 
accessible vi ...)
-       TODO: check
+       NOT-FOR-US: Mobility46
 CVE-2026-22877 (An arbitrary file-read vulnerability exists in XWEB Pro 
version 1.12.1 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-22207 (OpenViking through version 0.1.18, prior to 
commit0251c70,contains a b ...)
-       TODO: check
+       NOT-FOR-US: OpenViking
 CVE-2026-22206 (SPIP versions prior to 4.4.10 contain a SQL injection 
vulnerability th ...)
        - spip <unfixed>
        NOTE: 
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
@@ -393,27 +393,27 @@ CVE-2026-20910 (An OS command injection  vulnerability 
exists in XWEB Pro versio
 CVE-2026-20902 (An OS command injection     vulnerability exists in XWEB Pro 
version 1 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-20895 (The WebSocket backend uses charging station identifiers to 
uniquely  a ...)
-       TODO: check
+       NOT-FOR-US: EV2GO
 CVE-2026-20797 (A stack based buffer overflow exists in an API route of XWEB 
Pro versi ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-20792 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: Chargemap
 CVE-2026-20791 (Charging station authentication identifiers are publicly 
accessible vi ...)
-       TODO: check
+       NOT-FOR-US: Chargemap
 CVE-2026-20781 (WebSocket endpoints lack proper authentication mechanisms, 
enabling  a ...)
-       TODO: check
+       NOT-FOR-US: CloudCharge
 CVE-2026-20764 (An OS command injection  vulnerability exists in XWEB Pro 
version 1.12 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-20742 (An OS command injection   vulnerability exists in XWEB Pro 
version 1.1 ...)
        NOT-FOR-US: XWEB Pro
 CVE-2026-20733 (Charging station authentication identifiers are publicly 
accessible vi ...)
-       TODO: check
+       NOT-FOR-US: CloudCharge
 CVE-2026-1585 (An unquoted Windows service executable path vulnerability in IJ 
Scan U ...)
        NOT-FOR-US: Canon
 CVE-2026-1558 (The WP Recipe Maker plugin for WordPress is vulnerable to an 
Insecure  ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-1442 (Since the encryption algorithm used to protect firmware updates 
is its ...)
-       TODO: check
+       NOT-FOR-US: Unitree
 CVE-2025-15567 (Insufficient protection mechanisms in the Health Module may 
lead to pa ...)
        TODO: check
 CVE-2025-15509 (TheSmartRemote module has insufficient restrictions on loading 
URLs, w ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6833516600672242540c684ca11a3b3bc64de942



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
