Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ecbf6ba2 by Moritz Muehlenhoff at 2026-05-05T12:40:45+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -34,7 +34,7 @@ CVE-2026-7780 (A weakness has been identified in Open5GS up 
to 2.7.7. Affected b
 CVE-2026-7779 (A security flaw has been discovered in Open5GS up to 2.7.7. 
Affected i ...)
        - open5gs <itp> (bug #1094791)
 CVE-2026-7776 (Boundary Community Edition and Boundary Enterprise 
(\u201cBoundary\u20 ...)
-       TODO: check
+       NOT-FOR-US: Boundary
 CVE-2026-7768 (@fastify/accepts-serializer cached serializer-selection results 
keyed  ...)
        NOT-FOR-US: @fastify/accepts-serializer
 CVE-2026-7750 (A vulnerability was detected in Totolink N300RH 
3.2.4-B20220812. This  ...)
@@ -78,7 +78,7 @@ CVE-2026-6499 (Incorrect Permission Assignment for Critical 
Resource vulnerabili
 CVE-2026-6418 (An issue was discovered in the Shared Account Synchronization 
componen ...)
        NOT-FOR-US: PaperCut
 CVE-2026-6321 (fast-uri decoded percent-encoded path separators and dot 
segments befo ...)
-       TODO: check
+       NOT-FOR-US: Node fast-uri
 CVE-2026-6266 (A flaw was found in the AAP gateway. The user auto-link 
strategy, intr ...)
        NOT-FOR-US: Red Hat AAP gateway
 CVE-2026-6255 (The Simple Owl Shortcodes plugin for WordPress is vulnerable to 
Stored ...)
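
Review bot: The added label for CVE-2026-6321, `NOT-FOR-US: Node fast-uri`, prefixes the ecosystem, whereas the npm entry kept as context in the first hunk (`NOT-FOR-US: @fastify/accepts-serializer`) and the vm2 entries added later in this commit use the bare package name. Pick one form for Node modules, for example `NOT-FOR-US: fast-uri`, so that the NFU labels stay uniform and easy to grep.
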
@@ -201,7 +201,7 @@ CVE-2026-42140 (PlantUML Macro is a macro for rendering UML 
diagrams from simple
 CVE-2026-42138 (Dify is an open-source LLM app development platform. Prior to 
version  ...)
        NOT-FOR-US: Dify
 CVE-2026-42092 (titra is an open source time tracking project. In version 
0.99.52, the ...)
-       TODO: check
+       NOT-FOR-US: titra
 CVE-2026-42091 (goshs is a SimpleHTTPServer written in Go. Prior to version 
2.0.2, the ...)
        NOT-FOR-US: goshs
 CVE-2026-42090 (Notesnook is a note-taking app focused on user privacy & ease 
of use.  ...)
@@ -268,7 +268,7 @@ CVE-2026-3120 (Improper Control of Generation of Code 
('Code Injection') vulnera
 CVE-2026-38751 (OpenSTAManager version 2.10 and earlier contains an arbitrary 
file upl ...)
        TODO: check
 CVE-2026-38669 (wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when 
creating a ...)
-       TODO: check
+       NOT-FOR-US: cCMS
 CVE-2026-37461 (An out-of-bounds read in the ParseIP6Extended function 
(/bgp/bgp.go) o ...)
        TODO: check
 CVE-2026-37459 (An integer underflow in FRRouting (FRR) stable/10.0 to 
stable/10.6 all ...)
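
Review bot: The added line for CVE-2026-38669 reads `NOT-FOR-US: cCMS`, but the description on the same record names the product as wCMS v.1.4. This looks like a typo; it should be `NOT-FOR-US: wCMS` so that a search for the product name finds the entry.
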
@@ -276,7 +276,7 @@ CVE-2026-37459 (An integer underflow in FRRouting (FRR) 
stable/10.0 to stable/10
 CVE-2026-37458 (Missing input validation in the MP_REACH_NLRI component of 
FRRouting ( ...)
        TODO: check
 CVE-2026-36365 (An issue in Lymphatus caesium-image-compressor All versions up 
to and  ...)
-       TODO: check
+       NOT-FOR-US: caesium-image-compressor
 CVE-2026-35228 (Vulnerability in the Oracle MCP Server Helper Tool product of 
Oracle O ...)
        TODO: check
 CVE-2026-34882
@@ -312,9 +312,9 @@ CVE-2026-33006 (A timing attack against mod_auth_digest in 
Apache HTTP Server 2.
        NOTE: https://httpd.apache.org/security/vulnerabilities_24.html
        NOTE: 
https://github.com/apache/httpd/commit/4833b58c484c4eb8b429887b472bf4967cf88320 
(2.4.67-rc1-candidate)
 CVE-2026-32834 (Easy PayPal Events & Tickets plugin for WordPress version 1.3 
and earl ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2026-31205 (Cross Site Scripting vulnerability in Pluck CMS before 
v.4.7.21dev all ...)
-       TODO: check
+       NOT-FOR-US: Pluck CMS
 CVE-2026-2948 (The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & 
Ecosystem ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-2868 (The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & 
Ecosystem ...)
@@ -333,21 +333,21 @@ CVE-2026-29169 (A NULL pointer dereference in 
mod_dav_lock in Apache HTTP Server
 CVE-2026-29004 (BusyBox before commit 42202bf contains a heap buffer overflow 
vulnerab ...)
        TODO: check
 CVE-2026-26956 (vm2 is an open source vm/sandbox for Node.js. In version 
3.10.4, vm2 i ...)
-       TODO: check
+       NOT-FOR-US: vm2
 CVE-2026-26332 (vm2 is an open source vm/sandbox for Node.js. Prior to version 
3.11.0, ...)
-       TODO: check
+       NOT-FOR-US: vm2
 CVE-2026-25863 (Conditional Fields for Contact Form 7 WordPress plugin through 
version ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2026-25293 (Buffer overflow due to incorrect authorization in PLC FW)
        NOT-FOR-US: Qualcomm
 CVE-2026-25266 (Memory corruption while processing IOCTL command when device 
is in pow ...)
        NOT-FOR-US: Qualcomm
 CVE-2026-24781 (vm2 is an open source vm/sandbox for Node.js. Prior to version 
3.11.0, ...)
-       TODO: check
+       NOT-FOR-US: vm2
 CVE-2026-24120 (vm2 is an open source vm/sandbox for Node.js. Prior to version 
3.10.5, ...)
-       TODO: check
+       NOT-FOR-US: vm2
 CVE-2026-24118 (vm2 is an open source vm/sandbox for Node.js. Prior to version 
3.11.0, ...)
-       TODO: check
+       NOT-FOR-US: vm2
 CVE-2026-24082 (Memory Corruption when copying data from a freed source while 
executin ...)
        NOT-FOR-US: Qualcomm
 CVE-2026-24072 (An escalation of privilege bug in various modules in Apache 
HTTP 2.4.6 ...)
@@ -371,9 +371,9 @@ CVE-2025-70071 (An issue in Assimp v.6.0.2 allows a remote 
attacker to cause a d
        - assimp <unfixed>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2465675
 CVE-2025-67796 (IKUS Rdiffweb before 2.10.5 has an improper authorization flaw 
that al ...)
-       TODO: check
+       - rdiffweb <itp> (bug #969974)
 CVE-2025-58074 (A privilege escalation vulnerability exists during the 
installation of ...)
-       TODO: check
+       NOT-FOR-US: Norton
 CVE-2025-47408 (Memory corruption when another driver calls an IOCTL with 
invalid inpu ...)
        NOT-FOR-US: Qualcomm
 CVE-2025-47407 (Memory corruption while creating a process on the digital 
signal proce ...)
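
Review bot: The CVE-2025-67796 change in this hunk is not an NFU: it adds `- rdiffweb <itp> (bug #969974)`, while the commit message says only "NFUs". Mention the ITP entry in the message or put it in its own commit, so the history shows when rdiffweb started being tracked against that bug.
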
@@ -389,11 +389,11 @@ CVE-2025-47403 (Transient DOS when processing a malformed 
Fast Transition respon
 CVE-2025-47401 (Transient DOS when processing target power rate tables during 
channel  ...)
        NOT-FOR-US: Qualcomm
 CVE-2025-14320 (Improper neutralization of input during web page generation 
('cross-si ...)
-       TODO: check
+       NOT-FOR-US: Tegsoft
 CVE-2025-13618 (The Mentoring plugin for WordPress is vulnerable to privilege 
escalati ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-13605 (3onedata modbus gateway device modelGW1101-1D(RS-485)-TB-P 
(hardware v ...)
-       TODO: check
+       NOT-FOR-US: 3onedata modbus gateway
 CVE-2026-43870
        [experimental] - thrift 0.23.0-1
        - thrift <unfixed> (unimportant)
@@ -546,9 +546,9 @@ CVE-2026-42365 (A guessable session cookie vulnerability 
exists in the Web Inter
 CVE-2026-42364 (An os command injection vulnerability exists in the 
DdnsSetting.cgi fu ...)
        NOT-FOR-US: GeoVision
 CVE-2026-29200 (A critical IDOR vulnerability has been discovered in Comet 
Backup affe ...)
-       TODO: check
+       NOT-FOR-US: Comet Backup
 CVE-2026-29199 (phpBB before 3.3.16 is vulnerable to Host Header Injection 
that can le ...)
-       TODO: check
+       NOT-FOR-US: phpBB
 CVE-2026-20451 (In slbc, there is a possible out of bounds write due to type 
confusion ...)
        NOT-FOR-US: MediaTek
 CVE-2026-20450 (In Modem, there is a possible system crash due to incorrect 
error hand ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ecbf6ba26fe1367070a76328581101c2e11dc7a0
