Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5dccbb1c by Salvatore Bonaccorso at 2026-03-25T19:22:57+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -546,7 +546,7 @@ CVE-2026-33215 (NATS-Server is a High-Performance server 
for NATS.io, a cloud an
        NOTE: 
https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
        NOTE: https://advisories.nats.io/CVE/secnote-2026-06.txt
 CVE-2026-32326 (SHARP routers do not perform authentication for some web APIs. 
The dev ...)
-       TODO: check
+       NOT-FOR-US: SHARP routers
 CVE-2026-2343 (The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 
has a bul ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-2072 (Cross-Site Scripting vulnerability in Hitachi Infrastructure 
Analytics ...)
@@ -670,7 +670,7 @@ CVE-2026-28817 (A race condition was addressed with 
improved state handling. Thi
 CVE-2026-28816 (A path handling issue was addressed with improved validation. 
This iss ...)
        NOT-FOR-US: Apple
 CVE-2026-26306 (The installer for OM Workspace (Windows Edition) Ver 2.4 and 
earlier i ...)
-       TODO: check
+       NOT-FOR-US: OM Workspace (Windows Edition)
 CVE-2026-24159 (NVIDIA NeMo Framework contains a vulnerability where an 
attacker may c ...)
        NOT-FOR-US: NVIDIA
 CVE-2026-24158 (NVIDIA Triton Inference Server contains a vulnerability in the 
HTTP en ...)
@@ -950,11 +950,11 @@ CVE-2026-30662 (ConcreteCMS v9.4.7 contains a Denial of 
Service (DoS) vulnerabil
 CVE-2026-30661 (iCMS v8.0.0 contains a Cross-Site Scripting (XSS) 
vulnerability in the ...)
        NOT-FOR-US: iCMS
 CVE-2026-30655 (SQL injection in Solicitante::resetaSenha() in 
esiclivre/esiclivre v0. ...)
-       TODO: check
+       NOT-FOR-US: esiclivre/esiclivre
 CVE-2026-30653 (An issue in Free5GC v.4.2.0 and before allows a remote 
attacker to cau ...)
        NOT-FOR-US: Free5GC
 CVE-2026-2417 (A Missing Authentication for Critical Function vulnerability in 
Pharos ...)
-       TODO: check
+       NOT-FOR-US: Pharos Controls Mosaic Show Controller firmware
 CVE-2026-29840 (JiZhiCMS v2.5.6 and before contains a Stored Cross-Site 
Scripting (XSS ...)
        NOT-FOR-US: JiZhiCMS
 CVE-2026-29839 (DedeCMS v5.7.118 was discovered to contain a Cross-Site 
Request Forger ...)
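
Review bot: the new tag on CVE-2026-30655, "NOT-FOR-US: esiclivre/esiclivre", repeats the owner/repository slug from the description, while the neighbouring entries in this hunk are tagged by plain product name ("iCMS", "Free5GC", "JiZhiCMS"). "NOT-FOR-US: esiclivre" would match them and is simpler to grep for when the next CVE for the same project comes in.
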
@@ -988,7 +988,7 @@ CVE-2026-22559 (An Improper Input Validation vulnerability 
in UniFi Network Serv
 CVE-2026-21783 (HCL Traveler is affected by sensitive information disclosure. 
The appl ...)
        NOT-FOR-US: HCL
 CVE-2026-1995 (IDrive\u2019s id_service.exe process runs with elevated 
privileges and ...)
-       TODO: check
+       NOT-FOR-US: IDrive
 CVE-2025-71275 (Zimbra Collaboration Suite (ZCS) PostJournal service version 
8.8.15 co ...)
        NOT-FOR-US: Zimbra
 CVE-2025-64998 (Exposure of session signing secret in Checkmk <2.4.0p23, 
<2.3.0p45 and ...)
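
Review bot: the description on the CVE-2026-1995 context line carries a literal "\u2019" escape ("IDrive\u2019s") where an apostrophe is meant. The line is not touched by this change and the "NOT-FOR-US: IDrive" tag itself is fine, but if descriptions are synced automatically the unescaping belongs in that step, since anyone searching the list for the possessive form will not match this entry.
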
@@ -1608,37 +1608,37 @@ CVE-2026-27646 (OpenClaw versions prior to 2026.3.7 
contain a sandbox escape vul
 CVE-2026-27183 (OpenClaw versions prior to 2026.3.7 contain a shell approval 
gating by ...)
        NOT-FOR-US: OpenClaw
 CVE-2026-23882 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23488 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23487 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23486 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23485 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23484 (Blinko is an AI-powered card note-taking project. In versions 
from 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23483 (Blinko is an AI-powered card note-taking project. In versions 
from 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23482 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23481 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-23480 (Blinko is an AI-powered card note-taking project. Prior to 
version 1.8 ...)
-       TODO: check
+       NOT-FOR-US: Blinko
 CVE-2026-22739 (Vulnerability in Spring Cloud when substituting the profile 
parameter  ...)
        TODO: check
 CVE-2026-22173
        REJECTED
 CVE-2025-60949 (Census CSWeb 8.0.1 allows "app/config" to be reachable via 
HTTP in som ...)
-       TODO: check
+       NOT-FOR-US: Census CSWeb
 CVE-2025-60948 (Census CSWeb 8.0.1 allows stored cross-site scripting in user 
supplied ...)
-       TODO: check
+       NOT-FOR-US: Census CSWeb
 CVE-2025-60947 (Census CSWeb 8.0.1 allows arbitrary file upload. A remote, 
authenticat ...)
-       TODO: check
+       NOT-FOR-US: Census CSWeb
 CVE-2025-60946 (Census CSWeb 8.0.1 allows arbitrary file path input. A remote, 
authent ...)
-       TODO: check
+       NOT-FOR-US: Census CSWeb
 CVE-2025-41660 (A low-privileged remote attacker may be able to replace the 
boot appli ...)
        NOT-FOR-US: CODESYS
 CVE-2026-4680 (Use after free in FedCM in Google Chrome prior to 
146.0.7680.165 allow ...)
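
Review bot: CVE-2026-22739 (Spring Cloud) is the one "TODO: check" left untouched inside this run, sitting between the ten Blinko entries and the four Census CSWeb entries that are all resolved here. If it was skipped on purpose because it still needs real triage, that fits the "some NFUs" scope; otherwise it is easy to overlook in a hunk this size and worth a second look on the next pass.
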
@@ -1828,9 +1828,9 @@ CVE-2026-30886 (New API is a large language mode (LLM) 
gateway and artificial in
 CVE-2026-30849 (Mantis Bug Tracker (MantisBT) is an open source issue tracker. 
Version ...)
        - mantis <removed>
 CVE-2026-30007 (XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a 
crafted .t ...)
-       TODO: check
+       NOT-FOR-US: XnSoft NConvert
 CVE-2026-30006 (XnSoft NConvert 7.230 is vulnerable to Stack Buffer Overrun 
via a craf ...)
-       TODO: check
+       NOT-FOR-US: XnSoft NConvert
 CVE-2026-2298 (Improper Neutralization of Argument Delimiters in a Command 
('Argument ...)
        NOT-FOR-US: Salesforce
 CVE-2026-28809 (XML External Entity (XXE) vulnerability in esaml (and its 
forks) allow ...)
@@ -1844,17 +1844,17 @@ CVE-2026-26828 (A NULL pointer dereference in the 
daap_reply_playlists function
 CVE-2026-26209 (cbor2 provides encoding and decoding for the Concise Binary 
Object Rep ...)
        TODO: check
 CVE-2026-24516 (A command injection vulnerability exists in DigitalOcean 
Droplet Agent ...)
-       TODO: check
+       NOT-FOR-US: DigitalOcean Droplet Agent
 CVE-2026-1958 (Use of hard-coded credentials in Klinika XP and KlinikaXP 
Insertino al ...)
-       TODO: check
+       NOT-FOR-US: Klinika XP
 CVE-2026-0898 (An arbitrary file-write vulnerability in Pega Browser Extension 
(PBE)  ...)
-       TODO: check
+       NOT-FOR-US: Pega
 CVE-2025-52204 (A Cross-Site Scripting (XSS) vulnerability exists in 
Znuny::ITSM 6.5.x ...)
        TODO: check
 CVE-2025-41008 (SQL injection vulnerability in Sinturno. This vulnerability 
allows an  ...)
-       TODO: check
+       NOT-FOR-US: Sinturno
 CVE-2025-41007 (SQL Injection in Cuantis. This vulnerability allows an 
attacker to ret ...)
-       TODO: check
+       NOT-FOR-US: Cuantis
 CVE-2025-15606 (A Denial-of-Service (DoS) vulnerability in the httpd component 
of TP-L ...)
        NOT-FOR-US: TPLink
 CVE-2025-15605 (A hardcoded cryptographic key within the configuration 
mechanism on TP ...)
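
Review bot: in this hunk the tag for CVE-2026-0898 names only the vendor ("NOT-FOR-US: Pega") although the description is about the Pega Browser Extension (PBE), while the sibling lines added here name the product ("DigitalOcean Droplet Agent", "Klinika XP"). Vendor-only tags do appear elsewhere in the file ("Salesforce", "TPLink"), so this is a style point; "NOT-FOR-US: Pega Browser Extension" would keep the lines added in this hunk consistent with each other. CVE-2026-26209 (cbor2) and CVE-2025-52204 (Znuny::ITSM) stay at "TODO: check", which matches the commit message.
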
@@ -2601,7 +2601,7 @@ CVE-2026-25086 (Under certain conditions, an attacker 
could bind to the same por
 CVE-2026-24060 (Service information is not encrypted when transmitted as 
BACnet packet ...)
        NOT-FOR-US: WebCTRL
 CVE-2026-23536 (A security issue was discovered in the Feast Feature Server's 
`/read-d ...)
-       TODO: check
+       NOT-FOR-US: Feast
 CVE-2026-22163 (Requires malware code to misuse the DDK kernel module IOCTL 
interface. ...)
        NOT-FOR-US: Imagination Technologies
 CVE-2026-21732 (A web page that contains unusual GPU shader code is loaded 
into the GP ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dccbb1c9b19b858cd14fddcbd5d0fe772d6321f
