Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
15ddebd3 by security tracker role at 2026-05-11T19:14:17+00:00
automatic NOT-FOR-US entries update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,7 @@
CVE-2026-8318 (A security flaw has been discovered in VectifyAI PageIndex up
to f50e5 ...)
TODO: check
CVE-2026-8305 (A vulnerability was detected in OpenClaw up to 2026.1.24. The
impacted ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-8292 (A security vulnerability has been detected in Open5GS up to
2.7.7. The ...)
TODO: check
CVE-2026-8291 (A weakness has been identified in Open5GS up to 2.7.7. Impacted
is the ...)
@@ -31,7 +31,7 @@ CVE-2026-7813 (Authorization vulnerability in pgAdmin 4
server mode affecting Se
CVE-2026-7790 (Uncontrolled Resource Consumption vulnerability in ninenines
cowlib (c ...)
TODO: check
CVE-2026-7308 (An authenticated user with upload permission to a hosted
repository ca ...)
- TODO: check
+ NOT-FOR-US: Sonatype
CVE-2026-7210 (`xml.parsers.expat` and `xml.etree.ElementTree` use
insufficient entro ...)
TODO: check
CVE-2026-6956 (ATutor is vulnerable to Reflected XSS in/install/install.php
endpoint. ...)
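Review bot: the NOT-FOR-US: Sonatype tag for CVE-2026-7308 cannot be confirmed from this hunk, because the visible description ("An authenticated user with upload permission to a hosted repository ca ...") names no vendor or product; the mapping therefore rests on the CVE record rather than on the line itself. Suggest a manual spot-check of the full record before treating the former TODO: check as resolved, since "hosted repository" is wording shared by several artifact-repository products.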
@@ -51,37 +51,37 @@ CVE-2026-45223 (Crabbox before 0.9.0 contains an
authentication bypass vulnerabi
CVE-2026-45222 (Summarize versions through 0.14.1, fixed in commit 0cfb0fb,
creates th ...)
TODO: check
CVE-2026-45006 (OpenClaw before 2026.4.23 contains an improper access control
vulnerab ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45005 (OpenClaw before 2026.4.23 caches resolved webhook route
secrets backed ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45004 (OpenClaw before 2026.4.23 contains an arbitrary code execution
vulnera ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45003 (OpenClaw before 2026.4.22 allows workspace dotenv files to
override co ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45002 (OpenClaw before 2026.4.20 contains a hook session-key bypass
vulnerabi ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45001 (OpenClaw before 2026.4.20 contains a guard bypass
vulnerability in the ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45000 (OpenClaw before 2026.4.20 contains a server-side request
forgery vulne ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44999 (OpenClaw before 2026.4.20 fails to properly preserve untrusted
labels ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44998 (OpenClaw before 2026.4.20 contains a tool policy bypass
vulnerability ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44997 (OpenClaw before 2026.4.22 contains a security envelope
constraint bypa ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44996 (OpenClaw before 2026.4.15 contains an arbitrary local file
read vulner ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44995 (OpenClaw before 2026.4.20 contains an improper environment
variable va ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44994 (OpenClaw before 2026.4.22 contains an authentication bypass
vulnerabil ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44993 (OpenClaw before 2026.4.20 contains a message classification
vulnerabil ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44992 (OpenClaw versions 2026.4.5 before 2026.4.20 contain an
environment var ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44991 (OpenClaw before 2026.4.21 contains an authorization bypass
vulnerabili ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44777 (jq is a command-line JSON processor. In 1.8.2rc1 and earlier,
the ordi ...)
TODO: check
CVE-2026-44738 (Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the
Twig sandb ...)
@@ -95,7 +95,7 @@ CVE-2026-44658 (Zen is a firefox-based browser. Prior to
1.19.12b, RSS feed URLs
CVE-2026-44643 (Angular Expressions provides expressions for the Angular.JS
web framew ...)
TODO: check
CVE-2026-44413 (In JetBrains TeamCity before 2026.1 2025.11.5 authenticated
users coul ...)
- TODO: check
+ NOT-FOR-US: JetBrains
CVE-2026-44226 (pyLoad is a free and open-source download manager written in
Python. P ...)
TODO: check
CVE-2026-44201 (Wagtail is an open source content management system built on
Django. P ...)
@@ -129,7 +129,7 @@ CVE-2026-43639 (Bitwarden Server prior to v2026.4.0
contains a missing authoriza
CVE-2026-43638 (Bitwarden Server prior to v2026.4.1 contains a missing
authorization v ...)
TODO: check
CVE-2026-42871 (WeGIA is a web manager for charitable institutions. In
versions prior ...)
- TODO: check
+ NOT-FOR-US: WeGIA
CVE-2026-42866 (Tookie is a advanced OSINT information gathering tool. Prior
to 4.1fix ...)
TODO: check
CVE-2026-42865 (Inbox Zero is an AI personal assistant for email. Prior to
2.29.3, the ...)
@@ -195,7 +195,7 @@ CVE-2026-41250 (Taiga is a project management platform for
startups and agile de
CVE-2026-41018 (The Elasticsearch logging provider, when configured with a
`host` URL ...)
TODO: check
CVE-2026-40636 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale
version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2026-40612 (jq is a command-line JSON processor. In 1.8.1 and earlier,
jv_contains ...)
TODO: check
CVE-2026-3609 (Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege
Escalation Vu ...)
@@ -205,7 +205,7 @@ CVE-2026-3320 (Reflected Cross-Site Scripting (XSS) in the
latest demo version o
CVE-2026-3319 (Reflected Cross-Site Scripting (XSS) in the latest demo version
of the ...)
TODO: check
CVE-2026-3048 (An authenticated administrator who configures or tests LDAP
connectivi ...)
- TODO: check
+ NOT-FOR-US: Sonatype
CVE-2026-38569 (HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in
candidate ...)
TODO: check
CVE-2026-38568 (HireFlow v1.2 is vulnerable to Incorrect Access Control. The
applicati ...)
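Review bot: same vendor-visibility gap for CVE-2026-3048: the truncated description ("An authenticated administrator who configures or tests LDAP connectivi ...") mentions neither Sonatype nor any product, so NOT-FOR-US: Sonatype is not derivable from the hunk. An LDAP connectivity-test flaw of this shape is a pattern common to many admin consoles, and a wrong vendor mapping would silently drop a possibly relevant issue, so verify the assignment against the CVE record.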
@@ -215,13 +215,13 @@ CVE-2026-38567 (HireFlow v1.2 is vulnerable to SQL
injection in the /login and /
CVE-2026-38566 (HireFlow v1.2 does not implement CSRF token validation on any
state-ch ...)
TODO: check
CVE-2026-36983 (D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in
the fun ...)
- TODO: check
+ NOT-FOR-US: D-Link
CVE-2026-36962 (SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an
unauthenticated a ...)
TODO: check
CVE-2026-36906 (Cross Site Scripting vulnerability in iotgateway v.3.0.1
allows a remo ...)
TODO: check
CVE-2026-35157 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale
version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2026-33362 (In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build
220), Arent ...)
TODO: check
CVE-2026-33361 (In Meari IoT SDK image handling (libmrplayer.so) as observed
in CloudE ...)
@@ -233,7 +233,7 @@ CVE-2026-33357 (In Meari client applications embedding
"com.meari.sdk" (includin
CVE-2026-33356 (In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x,
any authe ...)
TODO: check
CVE-2026-32658 (Dell Automation Platform versions prior to 2.0.0.0, contains a
missing ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2026-31254 (The flash-attention project thru commit
e724e2588cbe754beb97cf7c011b5e ...)
TODO: check
CVE-2026-31253 (The flash-attention training framework thru commit
e724e2588cbe754beb9 ...)
@@ -255,15 +255,15 @@ CVE-2026-31246 (GPT-Pilot thru commit
0819827ce20346ef5f25b3fe29293cb448840565 (
CVE-2026-30635 (Command injection vulnerability in automagik-genie 2.5.27 MCP
Server a ...)
TODO: check
CVE-2026-2393 (A Server-Side Request Forgery (SSRF) vulnerability exists in
MLflow ve ...)
- TODO: check
+ NOT-FOR-US: mlflow
CVE-2026-26946 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale
version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2025-9973 (Due to not validating the organization context when executing
adaptive ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-8325 (The software fails to enforce role-based access controls for
certain G ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-8154 (In Webhook API invocations, the component accepts user-supplied
input ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-65418 (docuFORM Managed Print Service Client 11.11c is vulnerable to
a direct ...)
TODO: check
CVE-2025-65417 (docuFORM Managed Print Service Client 11.11c is vulnerable to
a reflec ...)
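Review bot: two points to verify in this hunk. First, CVE-2026-2393 is tagged NOT-FOR-US: mlflow while its description spells the project MLflow; check that the lowercase form matches the string used by earlier MLflow entries in data/CVE/list, since differing spellings defeat lookups against previous NOT-FOR-US assignments. Second, none of the three descriptions tagged NOT-FOR-US: WSO2 (CVE-2025-9973 "organization context when executing adaptive", CVE-2025-8325 "role-based access controls for certain G", CVE-2025-8154 "Webhook API invocations") names WSO2 or a product in the visible text, so the mapping comes from the CVE record, not the line; spot-checking at least one of them against the record would confirm the automation matched on the right field.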
@@ -295,13 +295,13 @@ CVE-2025-61306 (A reflected cross-site scripted (XSS)
vulnerability in the dfm-m
CVE-2025-61305 (A reflected cross-site scripted (XSS) vulnerability in the
dfm-menu_fi ...)
TODO: check
CVE-2025-43992 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale
version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2025-10908 (Due to a lack of user account state validation during
authentication, ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-10470 (The Magic Link authentication flow accepts multiple invalid
authentica ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2024-0391 (The check user account lock states feature within the email OTP
flow f ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2026-42304
- twisted 26.4.0-1
CVE-2026-2291 (dnsmasqs extract_name() function can be abused to cause a heap
buffer ...)
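Review bot: the same check applies to CVE-2025-10908, CVE-2025-10470 and CVE-2024-0391, all tagged NOT-FOR-US: WSO2 from descriptions ("lack of user account state validation during authentication", "Magic Link authentication flow", "email OTP flow") that name neither WSO2 nor a product. CVE-2024-0391 in particular is a 2024 identifier whose TODO: check is only being closed now, so confirm against the CVE record that it is the WSO2-assigned issue before considering it resolved.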
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15ddebd316c8b831ac15857631b1cfce9083d11a
--
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits