Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99118ac4 by Salvatore Bonaccorso at 2026-05-14T21:03:01+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -164,7 +164,7 @@ CVE-2026-46445 (SOGo before 5.12.7, when PostgreSQL is 
used, allows SQL injectio
        - sogo 5.12.7-1
        NOTE: 
https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 
(SOGo-5.12.7)
 CVE-2026-46419 (Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 
before 2. ...)
-       TODO: check
+       NOT-FOR-US: Yubico webauthn-server-core
 CVE-2026-45740 (protobufjs compiles protobuf definitions into JavaScript (JS) 
function ...)
        - node-protobufjs <itp> (bug #977564)
 CVE-2026-45714 (CubeCart is an ecommerce software solution. Prior to 6.7.0, an 
Authent ...)
@@ -378,7 +378,7 @@ CVE-2026-42781 (When embedded Packet Velocity Acceleration 
(ePVA) acceleration i
 CVE-2026-42780 (A directory traversal vulnerability exists in BIG-IP SSL 
Orchestrator  ...)
        NOT-FOR-US: F5
 CVE-2026-42602 (azureauthextension is the Azure Authenticator Extension. From 
0.124.0  ...)
-       TODO: check
+       NOT-FOR-US: Azure Authenticator ExtensionAzure Authenticator Extension
 CVE-2026-42587 (Netty is an asynchronous, event-driven network application 
framework.  ...)
        TODO: check
 CVE-2026-42586 (Netty is an asynchronous, event-driven network application 
framework.  ...)
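Review bot: the new tag on CVE-2026-42602 repeats the product name with no separator ("Azure Authenticator ExtensionAzure Authenticator Extension"), which looks like a paste slip. Suggest "NOT-FOR-US: Azure Authenticator Extension" so that anyone grepping the list for that label finds the entry under a single spelling.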
@@ -406,23 +406,23 @@ CVE-2026-42561 (Python-Multipart is a streaming multipart 
parser for Python. Pri
 CVE-2026-42557 (jupyterlab is an extensible environment for interactive and 
reproducib ...)
        TODO: check
 CVE-2026-42552 (Flight is an extensible micro-framework for PHP. Prior to 
3.18.1, the  ...)
-       TODO: check
+       NOT-FOR-US: Flight
 CVE-2026-42551 (Flight is an extensible micro-framework for PHP. Prior to 
3.18.1, Requ ...)
-       TODO: check
+       NOT-FOR-US: Flight
 CVE-2026-42550 (Flight is an extensible micro-framework for PHP. Prior to 
3.18.1, Simp ...)
-       TODO: check
+       NOT-FOR-US: Flight
 CVE-2026-42549 (Flight is an extensible micro-framework for PHP. Prior to 
3.18.1, the  ...)
-       TODO: check
+       NOT-FOR-US: Flight
 CVE-2026-42548 (Flight is an extensible micro-framework for PHP. Prior to 
3.18.1, Flig ...)
-       TODO: check
+       NOT-FOR-US: Flight
 CVE-2026-42463 (SQLBot is an intelligent Text-to-SQL system based on large 
language mo ...)
-       TODO: check
+       NOT-FOR-US: SQLBot
 CVE-2026-42409 (When an HTTP/2 profile and an iRule containing the 
HTTP::redirector HT ...)
        TODO: check
 CVE-2026-42408 (When BIG-IP DNS is provisioned, a vulnerability exists in an 
undisclos ...)
        NOT-FOR-US: F5
 CVE-2026-42406 (A vulnerability exists in BIG-IP and BIG-IQ systems where a 
highly pri ...)
-       TODO: check
+       NOT-FOR-US: F5
 CVE-2026-42290 (protobufjs-cli is the command line add-on for protobuf.js. 
Prior to 1. ...)
        TODO: check
 CVE-2026-42266 (jupyterlab is an extensible environment for interactive and 
reproducib ...)
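Review bot: CVE-2026-42409 stays at "TODO: check" in this hunk while CVE-2026-42406, two entries below it, moves to "NOT-FOR-US: F5". Its truncated description mentions an HTTP/2 profile and an iRule, and it sits directly above CVE-2026-42408, which is already tagged F5, so it may belong to the same batch. If it was left open on purpose, no change is needed; otherwise it could be triaged in this commit as well.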
@@ -1095,21 +1095,21 @@ CVE-2026-42854 (arduino-esp32 is an Arduino core for 
the ESP32, ESP32-S2, ESP32-
 CVE-2026-42844 (Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a 
low-privile ...)
        NOT-FOR-US: Grav CMS
 CVE-2026-42545 (Granian is a Rust HTTP server for Python applications. From 
0.2.0 to 2 ...)
-       TODO: check
+       NOT-FOR-US: Granian
 CVE-2026-42544 (Granian is a Rust HTTP server for Python applications. From 
1.2.0 to 2 ...)
-       TODO: check
+       NOT-FOR-US: Granian
 CVE-2026-42446 (NanaZip is an open source file archive. From 5.0.1252.0 to 
before 6.0. ...)
-       TODO: check
+       NOT-FOR-US: NanaZip
 CVE-2026-42445 (NanaZip is an open source file archive. From 5.0.1252.0 to 
before 6.0. ...)
-       TODO: check
+       NOT-FOR-US: NanaZip
 CVE-2026-42444 (NanaZip is an open source file archive. From 5.0.1252.0 to 
before 6.0. ...)
-       TODO: check
+       NOT-FOR-US: NanaZip
 CVE-2026-42443 (NanaZip is an open source file archive. From 5.0.1252.0 to 
before 6.0. ...)
-       TODO: check
+       NOT-FOR-US: NanaZip
 CVE-2026-42442 (NanaZip is an open source file archive. From 5.0.1252.0 to 
before 6.0. ...)
-       TODO: check
+       NOT-FOR-US: NanaZip
 CVE-2026-42355 (NanaZip is an open source file archive. From 5.0.1252.0 to 
before 6.0. ...)
-       TODO: check
+       NOT-FOR-US: NanaZip
 CVE-2026-42338 (ip-address is a library for parsing and manipulating IPv4 and 
IPv6 add ...)
        TODO: check
 CVE-2026-42289 (ChurchCRM is an open-source church management system. Prior to 
7.3.2,  ...)
@@ -1369,7 +1369,7 @@ CVE-2026-6690 (The LifePress plugin for WordPress is 
vulnerable to Stored Cross-
 CVE-2026-6663 (The GWD Connect plugin for WordPress is vulnerable to missing 
authoriz ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-6402 (webpack-dev-server versions up to and including 5.2.3 are 
vulnerable t ...)
-       TODO: check
+       NOT-FOR-US: webpack-dev-server
 CVE-2026-6256 (The Credits Shortcode plugin for WordPress is vulnerable to 
Stored Cro ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-6247 (The scratchblocks for WP plugin for WordPress is vulnerable to 
Stored  ...)
@@ -1387,7 +1387,7 @@ CVE-2026-5340 (The Fancy Image Show plugin for WordPress 
is vulnerable to Stored
 CVE-2026-5146 (Improper access control in the notification management 
endpoints in De ...)
        NOT-FOR-US: Devolutions
 CVE-2026-5061 (The consul-template library before version 0.42.0 is vulnerable 
to a s ...)
-       TODO: check
+       NOT-FOR-US: consul-template
 CVE-2026-5029 (A remote code execution vulnerability exists inCode Runner MCP 
Server  ...)
        NOT-FOR-US: Code Runner MCP Server
 CVE-2026-5028 (The Eight Day Week Print Workflow plugin for WordPress is 
vulnerable t ...)
@@ -1533,7 +1533,7 @@ CVE-2026-42742 (Improper Neutralization of Special 
Elements used in an SQL Comma
 CVE-2026-42741 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-42541 (Kubewarden is a policy engine for Kubernetes. Prior to , An 
attacker w ...)
-       TODO: check
+       NOT-FOR-US: Kubewarden
 CVE-2026-42498 (Exposure of HTTP Authentication Header to unexpected hosts 
during WebS ...)
        - tomcat11 11.0.22-1
        - tomcat10 <unfixed>
@@ -1544,7 +1544,7 @@ CVE-2026-42498 (Exposure of HTTP Authentication Header to 
unexpected hosts durin
        NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/169d725788ea6aec217ecac70fe4161c837ba423
 (9.0.118)
        NOTE: https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb
 CVE-2026-42348 (OpenTelemetry.OpAmp.Client is the OpAMP client for 
OpenTelemetry .NET. ...)
-       TODO: check
+       NOT-FOR-US: OpenTelemetry.OpAmp.Client
 CVE-2026-42303 (Fides is an open-source privacy engineering platform. From 
2.75.0 to b ...)
        TODO: check
 CVE-2026-42300 (DevGuard provides vulnerability management for the full 
software suppl ...)
@@ -2267,11 +2267,11 @@ CVE-2026-42869 (SOCFortress CoPilot focuses on 
providing a single pane of glass
 CVE-2026-42600 (MinIO is a high-performance object storage system. From 
RELEASE.2022-0 ...)
        TODO: check
 CVE-2026-42565 (@workos/authkit-session is a toolkit for building WorkOS 
AuthKit frame ...)
-       TODO: check
+       NOT-FOR-US: workos/authkit-session
 CVE-2026-42564 (jotty\xb7page is a self-hosted app for your checklists and 
notes. Prio ...)
-       TODO: check
+       NOT-FOR-US: jotty page
 CVE-2026-42554 (Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, 
Cross-Sit ...)
-       TODO: check
+       NOT-FOR-US: Fiber
 CVE-2026-42188 (Geyser is a bridge between Minecraft: Bedrock Edition and 
Minecraft: J ...)
        TODO: check
 CVE-2026-42046 (libcaca is a colour ASCII art library. In 0.99.beta20 and 
earlier, an  ...)
@@ -2700,9 +2700,9 @@ CVE-2026-42608 (Grav is a file-based Web platform. Prior 
to 2.0.0-beta.2, there
 CVE-2026-42607 (Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an 
authentic ...)
        NOT-FOR-US: Grav CMS
 CVE-2026-42603 (OWASP BLT is a QA testing and vulnerability disclosure 
platform that e ...)
-       TODO: check
+       NOT-FOR-US: OWASP BLT
 CVE-2026-42349 (Clerk JavaScript is the official JavaScript repository for 
Clerk authe ...)
-       TODO: check
+       NOT-FOR-US: Clerk
 CVE-2026-42316 (kafka-sink-azure-kusto Kafka Connect plugin is the official 
Microsoft  ...)
        TODO: check
 CVE-2026-42315 (pyLoad is a free and open-source download manager written in 
Python. P ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99118ac4c30c61306a87f89e36d01910c97053eb
