Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1537d15a by Salvatore Bonaccorso at 2026-03-21T10:18:36+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -157,9 +157,9 @@ CVE-2026-33210 (Ruby JSON is a JSON implementation for 
Ruby. From version 2.14.0
        NOTE: 
https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
        NOTE: Fixed by: 
https://github.com/ruby/json/commit/393b41c3e5f87491e1e34fa59fa78ff6fa179a74 
(v2.19.2)
 CVE-2026-33209 (Avo is a framework to create admin panels for Ruby on Rails 
apps. Prio ...)
-       TODO: check
+       NOT-FOR-US: Avo
 CVE-2026-33204 (SimpleJWT is a simple JSON web token library written in PHP. 
Prior to  ...)
-       TODO: check
+       NOT-FOR-US: SimpleJWT PHP library
 CVE-2026-33203 (SiYuan is a personal knowledge management system. Prior to 
version 3.6 ...)
        NOT-FOR-US: SiYuan
 CVE-2026-33194 (SiYuan is a personal knowledge management system. Prior to 
version 3.6 ...)
@@ -177,13 +177,13 @@ CVE-2026-33172 (Statamic is a Laravel and Git powered 
content management system
 CVE-2026-33171 (Statamic is a Laravel and Git powered content management 
system (CMS). ...)
        NOT-FOR-US: Statamic CMS
 CVE-2026-33166 (Allure 2 is the version 2.x branch of Allure Report, a 
multi-language  ...)
-       TODO: check
+       NOT-FOR-US: Allure
 CVE-2026-33165 (libde265 is an open source implementation of the h.265 video 
codec. Pr ...)
        TODO: check
 CVE-2026-33164 (libde265 is an open source implementation of the h.265 video 
codec. Pr ...)
        TODO: check
 CVE-2026-33156 (ScreenToGif is a screen recording tool. In versions from 
2.42.1 and pr ...)
-       TODO: check
+       NOT-FOR-US: ScreenToGif
 CVE-2026-33155 (DeepDiff is a project focused on Deep Difference and search of 
any Pyt ...)
        TODO: check
 CVE-2026-33154 (dynaconf is a configuration management tool for Python. Prior 
to versi ...)
@@ -193,7 +193,7 @@ CVE-2026-33151 (Socket.IO is an open source, real-time, 
bidirectional, event-bas
 CVE-2026-33150 (libfuse is the reference implementation of the Linux FUSE. 
From versio ...)
        TODO: check
 CVE-2026-33147 (GMT is an open source collection of command-line tools for 
manipulatin ...)
-       TODO: check
+       NOT-FOR-US: GMT
 CVE-2026-33144 (GPAC is an open-source multimedia framework. Prior to commit 
86b0e36,  ...)
        - gpac <removed>
        NOTE: 
https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg
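Review bot: The NOT-FOR-US on CVE-2026-33147 deserves a second look, because the description is of an open source collection of command-line tools, which is the kind of upstream that is often packaged. Please confirm that no source package ships this code before closing it as NFU; if one does, the entry should carry a package line in the style of the `- gpac <removed>` entry in the trailing context instead.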
@@ -219,9 +219,9 @@ CVE-2026-32810 (Halloy is an IRC application written in 
Rust. In versions on \*n
 CVE-2026-32733 (Halloy is an IRC application written in Rust. Prior to commit 
0f77b2cf ...)
        TODO: check
 CVE-2026-32666 (WebCTRL systems that communicate over BACnet inherit the 
protocol's la ...)
-       TODO: check
+       NOT-FOR-US: WebCTRL
 CVE-2026-32663 (The WebSocket backend uses charging station identifiers to 
uniquely as ...)
-       TODO: check
+       NOT-FOR-US: WebCTRL
 CVE-2026-32067 (OpenClaw versions prior to 2026.2.26 contains an authorization 
bypass  ...)
        NOT-FOR-US: OpenClaw
 CVE-2026-32065 (OpenClaw versions prior to 2026.2.25 contain an 
approval-integrity byp ...)
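Review bot: CVE-2026-32663 is tagged NOT-FOR-US: WebCTRL, but its description is about a WebSocket backend and charging station identifiers, while the entry just above it (CVE-2026-32666) is the one whose description actually names WebCTRL and concerns BACnet. This looks like the product name was carried over from the previous line. Please check the advisory and use the affected product's own name; the NFU verdict may well stand, but the product name is what people search for later.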
@@ -261,11 +261,11 @@ CVE-2026-32043 (OpenClaw versions prior to 2026.2.25 
contain a time-of-check-tim
 CVE-2026-32042 (OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a 
privilege esc ...)
        NOT-FOR-US: OpenClaw
 CVE-2026-31926 (Charging station authentication identifiers are publicly 
accessible vi ...)
-       TODO: check
+       NOT-FOR-US: WebCTRL
 CVE-2026-31904 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: CTEK Chargeportal
 CVE-2026-31903 (The WebSocket Application Programming Interface lacks 
restrictions on  ...)
-       TODO: check
+       NOT-FOR-US: WebCTRL
 CVE-2026-2941 (The Linksy Search and Replace plugin for WordPress is 
vulnerable to un ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-2837 (The Ricerca \u2013 advanced search plugin for WordPress is 
vulnerable  ...)
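Review bot: CVE-2026-31904 and CVE-2026-31903 show the same description ("The WebSocket Application Programming Interface lacks restrictions on ...") yet are tagged CTEK Chargeportal and WebCTRL respectively, and CVE-2026-31926 (charging station authentication identifiers) is tagged WebCTRL as well. Either these are distinct products sharing advisory boilerplate, in which case each line needs its own product name, or WebCTRL is a copy/paste slip on two of the three lines. Please confirm each against its advisory before this lands.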
@@ -311,7 +311,7 @@ CVE-2026-2277 (The rexCrawler plugin for WordPress is 
vulnerable to Reflected Cr
 CVE-2026-2121 (The Weaver Show Posts plugin for WordPress is vulnerable to 
Stored Cro ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-29796 (WebSocket endpoints lack proper authentication mechanisms, 
enabling at ...)
-       TODO: check
+       NOT-FOR-US: WebCTRL
 CVE-2026-28204 (Charging station authentication identifiers are publicly 
accessible vi ...)
        TODO: check
 CVE-2026-27649 (The WebSocket backend uses charging station identifiers to 
uniquely as ...)
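Review bot: CVE-2026-29796 gets NOT-FOR-US: WebCTRL on a description about WebSocket endpoint authentication, the same wording pattern as the charging-station entries elsewhere in this commit, so the product name should be verified here too. Also, CVE-2026-28204 directly below keeps TODO: check although its visible description matches CVE-2026-31926, which this commit resolves; if both come from the same family of advisories they could be triaged in the same pass.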



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1537d15ae5bd8bbebfb0cb427fc2ac33132f175f
