Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
99f699ec by Salvatore Bonaccorso at 2026-03-14T09:45:36+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,23 +1,23 @@
CVE-2026-3839 (Unraid Authentication Request Path Traversal Authentication
Bypass Vul ...)
- TODO: check
+ NOT-FOR-US: Unraid
CVE-2026-3838 (Unraid Update Request Path Traversal Remote Code Execution
Vulnerabili ...)
- TODO: check
+ NOT-FOR-US: Unraid
CVE-2026-3562 (Philips Hue Bridge hk_hap Ed25519 Signature Verification
Authenticatio ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3561 (Philips Hue Bridge hk_hap characteristics Heap-based Buffer
Overflow R ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3560 (Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based
Buffer O ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3559 (Philips Hue Bridge HomeKit Accessory Protocol Static Nonce
Authenticat ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3558 (Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing
Mode A ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3557 (Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing
Heap-based ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3556 (Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer
Overflow Remot ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3555 (Philips Hue Bridge Zigbee Stack Custom Command Handler
Heap-based Buff ...)
- TODO: check
+ NOT-FOR-US: Philips Hue Bridge
CVE-2026-3227 (A command injection vulnerability was identified in TP-Link
TL-WR802N ...)
NOT-FOR-US: TPLink
CVE-2026-3082 (GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code
Execution ...)
@@ -25,35 +25,35 @@ CVE-2026-3082 (GStreamer JPEG Parser Heap-based Buffer
Overflow Remote Code Exec
CVE-2026-32772 (telnet in GNU inetutils through 2.7 allows servers to read
arbitrary e ...)
TODO: check
CVE-2026-32732 (Lean 4 VS Code Extension is a Visual Studio Code extension for
the Lea ...)
- TODO: check
+ NOT-FOR-US: Visual Code Extension
CVE-2026-32729 (Runtipi is a personal homeserver orchestrator. Prior to 4.8.1,
The Run ...)
- TODO: check
+ NOT-FOR-US: Runtipi
CVE-2026-32724 (PX4 autopilot is a flight control solution for drones. Prior
to 1.17.0 ...)
- TODO: check
+ NOT-FOR-US: PX4 autopilot
CVE-2026-32720 (The CTFer.io Monitoring component is in charge of the
collection, proc ...)
- TODO: check
+ NOT-FOR-US: CTFer.io Monitoring component
CVE-2026-32719 (AnythingLLM is an application that turns pieces of content
into contex ...)
- TODO: check
+ NOT-FOR-US: AnythingLLM
CVE-2026-32717 (AnythingLLM is an application that turns pieces of content
into contex ...)
- TODO: check
+ NOT-FOR-US: AnythingLLM
CVE-2026-32715 (AnythingLLM is an application that turns pieces of content
into contex ...)
- TODO: check
+ NOT-FOR-US: AnythingLLM
CVE-2026-32713 (PX4 autopilot is a flight control solution for drones. Prior
to 1.17.0 ...)
- TODO: check
+ NOT-FOR-US: PX4 autopilot
CVE-2026-32709 (PX4 autopilot is a flight control solution for drones. Prior
to 1.17.0 ...)
- TODO: check
+ NOT-FOR-US: PX4 autopilot
CVE-2026-32708 (PX4 autopilot is a flight control solution for drones. Prior
to 1.17.0 ...)
- TODO: check
+ NOT-FOR-US: PX4 autopilot
CVE-2026-32707 (PX4 autopilot is a flight control solution for drones. Prior
to 1.17.0 ...)
- TODO: check
+ NOT-FOR-US: PX4 autopilot
CVE-2026-32706 (PX4 autopilot is a flight control solution for drones. Prior
to 1.17.0 ...)
- TODO: check
+ NOT-FOR-US: PX4 autopilot
CVE-2026-32705 (PX4 autopilot is a flight control solution for drones. Prior
to 1.17.0 ...)
- TODO: check
+ NOT-FOR-US: PX4 autopilot
CVE-2026-32704 (SiYuan is a personal knowledge management system. Prior to
3.6.1, POST ...)
- TODO: check
+ NOT-FOR-US: SiYuan
CVE-2026-32702 (Cleanuparr is a tool for automating the cleanup of unwanted or
blocked ...)
- TODO: check
+ NOT-FOR-US: Cleanuparr
CVE-2026-32640 (SimpleEval is a library for adding evaluatable expressions
into python ...)
TODO: check
CVE-2026-32635 (Angular is a development platform for building mobile and
desktop web ...)
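Review bot: the annotation `+ NOT-FOR-US: Visual Code Extension` for CVE-2026-32732 names a generic category instead of the affected product; the description identifies it as the "Lean 4 VS Code Extension", and every other NFU in this hunk names the product (Runtipi, PX4 autopilot, AnythingLLM, SiYuan, Cleanuparr). Use `NOT-FOR-US: Lean 4 VS Code Extension` so a later grep of data/CVE/list for the project finds the entry. Also worth a glance while here: CVE-2026-32772 (telnet in GNU inetutils) is left at `TODO: check` in this hunk's context even though inetutils is a Debian source package; it is outside an NFU pass, but a follow-up triage commit should not lose it.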
@@ -61,19 +61,19 @@ CVE-2026-32635 (Angular is a development platform for
building mobile and deskto
CVE-2026-32630 (file-type detects the file type of a file, stream, or data.
From 20.0. ...)
TODO: check
CVE-2026-32628 (AnythingLLM is an application that turns pieces of content
into contex ...)
- TODO: check
+ NOT-FOR-US: AnythingLLM
CVE-2026-32627 (cpp-httplib is a C++11 single-file header-only cross platform
HTTP/HTT ...)
TODO: check
CVE-2026-32626 (AnythingLLM is an application that turns pieces of content
into contex ...)
- TODO: check
+ NOT-FOR-US: AnythingLLM
CVE-2026-32621 (Apollo Federation is an architecture for declaratively
composing APIs ...)
- TODO: check
+ NOT-FOR-US: Apollo Federation
CVE-2026-32617 (AnythingLLM is an application that turns pieces of content
into contex ...)
- TODO: check
+ NOT-FOR-US: AnythingLLM
CVE-2026-32616 (Pigeon is a message board/notepad/social system/blog. Prior to
1.0.201 ...)
- TODO: check
+ NOT-FOR-US: kasuganosoras Pigeon
CVE-2026-32614 (Go ShangMi (Commercial Cryptography) Library (GMSM) is a
cryptographic ...)
- TODO: check
+ NOT-FOR-US: Go ShangMi
CVE-2026-2493 (IceWarp collaboration Directory Traversal Information
Disclosure Vulne ...)
TODO: check
CVE-2026-2491 (Socomec DIRIS A-40 HTTP API Authentication Bypass
Vulnerability. This ...)
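Review bot: `+ NOT-FOR-US: Go ShangMi` for CVE-2026-32614 drops the acronym the description itself uses, "Go ShangMi (Commercial Cryptography) Library (GMSM)"; since GMSM is the name the library is known by, `NOT-FOR-US: Go ShangMi (GMSM) library` would make the entry findable by either name. The qualified `NOT-FOR-US: kasuganosoras Pigeon` for CVE-2026-32616 is the right pattern for an ambiguous project name and could be followed here too.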
@@ -94,15 +94,15 @@ CVE-2026-4111 (A flaw was identified in the RAR5 archive
decompression logic of
NOTE: Testcase:
https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4
NOTE: Fixed by:
https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168
CVE-2026-4092 (Path Traversal in Clasp impacting versions < 3.2.0 allows a
remote att ...)
- TODO: check
+ NOT-FOR-US: Google Clasp (not the same as src:clasp)
CVE-2026-4063 (The Social Icons Widget & Block by WPZOOM plugin for WordPress
is vuln ...)
NOT-FOR-US: WordPress plugin
CVE-2026-3999 (A broken access control may allow an authenticated user to
perform a ...)
- TODO: check
+ NOT-FOR-US: Pointsharp
CVE-2026-3986 (The Calculated Fields Form plugin for WordPress is vulnerable
to Store ...)
NOT-FOR-US: WordPress plugin
CVE-2026-3873 (Use of Hard-coded Credentials vulnerability in Avantra allows
Accessin ...)
- TODO: check
+ NOT-FOR-US: Avantra
CVE-2026-32746 (telnetd in GNU inetutils through 2.7 allows an out-of-bounds
write in ...)
- inetutils <unfixed>
NOTE:
https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
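Review bot: for CVE-2026-3999 the truncated description ("A broken access control may allow an authenticated user to perform a ...") does not name a vendor or product, so `+ NOT-FOR-US: Pointsharp` is the only place the attribution is recorded; add a `NOTE:` line with the advisory URL under the entry, as is done for CVE-2026-4111 and CVE-2026-32746 in this same region, so a later reviewer can verify the product without re-deriving it. The `+ NOT-FOR-US: Google Clasp (not the same as src:clasp)` disambiguation for CVE-2026-4092 is good and exactly what is needed where a name collides with a Debian source package.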
@@ -111,7 +111,7 @@ CVE-2026-32745 (In JetBrains Datalore before 2026.1 session
hijacking was possib
CVE-2026-32600 (xml-security is a library that implements XML signatures and
encryptio ...)
TODO: check
CVE-2026-32594 (Parse Server is an open source backend that can be deployed to
any inf ...)
- TODO: check
+ NOT-FOR-US: Parse Server
CVE-2026-32543 (Missing Authorization vulnerability in CyberChimps Responsive
Blocks r ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-32487 (Missing Authorization vulnerability in raratheme Lawyer
Landing Page l ...)
@@ -385,9 +385,9 @@ CVE-2026-32314 (Yamux is a stream multiplexer over
reliable, ordered connections
CVE-2026-32313 (xmlseclibs is a library written in PHP for working with XML
Encryption ...)
TODO: check
CVE-2026-31949 (LibreChat is a ChatGPT clone with additional features. Prior
to 0.8.3- ...)
- TODO: check
+ NOT-FOR-US: LibreChat
CVE-2026-31944 (LibreChat is a ChatGPT clone with additional features. From
0.8.2 to 0 ...)
- TODO: check
+ NOT-FOR-US: LibreChat
CVE-2026-31922 (Improper Neutralization of Special Elements used in an SQL
Command ('S ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-31919 (Missing Authorization vulnerability in Josh Kohlbach Advanced
Coupons ...)
@@ -580,7 +580,7 @@ CVE-2026-32597 (PyJWT is a JSON Web Token implementation in
Python. Prior to 2.1
NOTE:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
NOTE: Fixed by:
https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
(2.12.0)
CVE-2026-32322 (soroban-sdk is a Rust SDK for Soroban contracts. Prior to
22.0.11, 23. ...)
- TODO: check
+ NOT-FOR-US: soroban-sdk
CVE-2026-32320 (Ella Core is a 5G core designed for private networks. Prior to
1.5.1, ...)
NOT-FOR-US: Ella Core
CVE-2026-32319 (Ella Core is a 5G core designed for private networks. Prior to
1.5.1, ...)
@@ -590,11 +590,11 @@ CVE-2026-32308 (OneUptime is a solution for monitoring
and managing online servi
CVE-2026-32306 (OneUptime is a solution for monitoring and managing online
services. P ...)
NOT-FOR-US: OneUptime
CVE-2026-32304 (Locutus brings stdlibs of other programming languages to
JavaScript fo ...)
- TODO: check
+ NOT-FOR-US: Node Locutus
CVE-2026-32302 (OpenClaw is a personal AI assistant. Prior to 2026.3.11,
browser-origi ...)
NOT-FOR-US: OpenClaw
CVE-2026-32301 (Centrifugo is an open-source scalable real-time messaging
server. Prio ...)
- TODO: check
+ NOT-FOR-US: Centrifugo
CVE-2026-2890 (The Formidable Forms plugin for WordPress is vulnerable to a
payment i ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2581 (This is an uncontrolled resource consumption vulnerability
(CWE-400) t ...)
@@ -729,11 +729,11 @@ CVE-2026-32249 (Vim is an open source, command line text
editor. From 9.1.0011 t
CVE-2026-32248 (Parse Server is an open source backend that can be deployed to
any inf ...)
NOT-FOR-US: Parse Server
CVE-2026-32247 (Graphiti is a framework for building and querying temporal
context gra ...)
- TODO: check
+ NOT-FOR-US: Graphiti
CVE-2026-32246 (Tinyauth is an authentication and authorization server. Prior
to 5.0.3 ...)
- TODO: check
+ NOT-FOR-US: Tinyauth
CVE-2026-32245 (Tinyauth is an authentication and authorization server. Prior
to 5.0.3 ...)
- TODO: check
+ NOT-FOR-US: Tinyauth
CVE-2026-32242 (Parse Server is an open source backend that can be deployed to
any inf ...)
NOT-FOR-US: Parse Server
CVE-2026-32240 (Cap'n Proto is a data interchange format and capability-based
RPC syst ...)
@@ -771,7 +771,7 @@ CVE-2026-32137 (Dataease is an open source data
visualization analysis tool. Pri
CVE-2026-32129 (soroban-poseidon provides Poseidon and Poseidon2 cryptographic
hash fu ...)
TODO: check
CVE-2026-32116 (Magic Wormhole makes it possible to get arbitrary-sized files
and dire ...)
- TODO: check
+ NOT-FOR-US: Magic Wormhole
CVE-2026-32100 (Shopware is an open commerce platform. /api/_info/config route
exposes ...)
NOT-FOR-US: Shopware
CVE-2026-31890 (Inspektor Gadget is a set of tools and framework for data
collection a ...)
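Review bot: `+ NOT-FOR-US: Magic Wormhole` for CVE-2026-32116 deserves a second look before it stays NFU: the truncated description ("Magic Wormhole makes it possible to get arbitrary-sized files and dire ...") reads like the Python magic-wormhole project's own summary, and that project is packaged in Debian as src:magic-wormhole. If the CVE is against a different implementation, say which one in the annotation, as this commit does for Google Clasp; otherwise this should become a package entry rather than an NFU. In the same hunk, CVE-2026-32129 (soroban-poseidon) is left at `TODO: check` while CVE-2026-32322 (soroban-sdk) was marked `NOT-FOR-US: soroban-sdk` earlier in this commit; if the reasoning is that the Soroban ecosystem is not in Debian, the two entries should be triaged consistently.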
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f699eca10e761091a33719a4f2030c954b9983
--
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits