Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2d4facbd by security tracker role at 2026-05-19T07:13:08+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,101 @@
+CVE-2026-8851 (SOGo 5.12.7 contains a SQL injection vulnerability in the 
Access Contr ...)
+       TODO: check
+CVE-2026-8838 (Unsafe use of Python's eval() on server-received data in the 
vector_in ...)
+       TODO: check
+CVE-2026-8830 (A flaw was found in Keycloak. An authenticated user can bypass 
configu ...)
+       TODO: check
+CVE-2026-8814 (Versions of the package exifreader before 4.39.0 are vulnerable 
to Imp ...)
+       TODO: check
+CVE-2026-8813 (This affects versions of the package exifreader before 4.39.0. 
A craft ...)
+       TODO: check
+CVE-2026-4137 (In mlflow/mlflow versions prior to 3.11.0, the 
`get_or_create_nfs_tmp_ ...)
+       TODO: check
+CVE-2026-47311 (Heap-based buffer overflow vulnerability in Samsung Open 
Source Escarg ...)
+       TODO: check
+CVE-2026-47310 (Use after free vulnerability in Samsung Open Source Escargot 
allows Po ...)
+       TODO: check
+CVE-2026-47309 (Uncontrolled Recursion vulnerability in Samsung Open Source 
Escargot a ...)
+       TODO: check
+CVE-2026-47308 (NULL pointer dereference vulnerability in Samsung Open Source 
Walrus a ...)
+       TODO: check
+CVE-2026-47307 (NULL pointer dereference vulnerability in Samsung Open Source 
Walrus a ...)
+       TODO: check
+CVE-2026-47092 (Claude HUD through 0.0.12, patched in commit 234d9aa, contains 
a comma ...)
+       TODO: check
+CVE-2026-47091 (Claude HUD through 0.0.12, patched in commit 234d9aa, contains 
a path  ...)
+       TODO: check
+CVE-2026-47090 (Claude HUD through 0.0.12, patched in commit 234d9aa, 
constructs OSC 8 ...)
+       TODO: check
+CVE-2026-45246 (Summarize prior to 0.15.1 contains an insecure file permission 
vulnera ...)
+       TODO: check
+CVE-2026-45245 (Summarize prior to 0.15.1 contains a vulnerability in the 
hover summar ...)
+       TODO: check
+CVE-2026-45244 (Summarize prior to 0.15.1 contains a missing authorization 
vulnerabili ...)
+       TODO: check
+CVE-2026-33565 (in OpenHarmony v6.0 and prior versions allow a local attacker 
cause DO ...)
+       TODO: check
+CVE-2026-33514 (Discourse is an open-source discussion platform. In versions 
prior to  ...)
+       TODO: check
+CVE-2026-33234 (AutoGPT is a workflow automation platform for creating, 
deploying, and ...)
+       TODO: check
+CVE-2026-33233 (AutoGPT is a workflow automation platform for creating, 
deploying, and ...)
+       TODO: check
+CVE-2026-33232 (AutoGPT is a workflow automation platform for creating, 
deploying, and ...)
+       TODO: check
+CVE-2026-33052 (Mantis Bug Tracker (MantisBT) is an open source issue tracker. 
Version ...)
+       TODO: check
+CVE-2026-32994 (The /api/v1/autotranslate.translateMessage endpoint in 
versions <8.5.0 ...)
+       TODO: check
+CVE-2026-32323 (Mullvad VPN is a VPN client app for desktop and mobile. When 
using mac ...)
+       TODO: check
+CVE-2026-32312 (GLPI is a free asset and IT management software package. In 
versions 1 ...)
+       TODO: check
+CVE-2026-32244 (Discourse is an open-source discussion platform. In versions 
prior to  ...)
+       TODO: check
+CVE-2026-30950 (AutoGPT is a workflow automation platform for creating, 
deploying, and ...)
+       TODO: check
+CVE-2026-28751 (in OpenHarmony v6.0 and prior versions allow a local attacker 
cause DO ...)
+       TODO: check
+CVE-2026-28733 (in OpenHarmony v6.0 and prior versions allow a local attacker 
arbitrar ...)
+       TODO: check
+CVE-2026-27964 (FacturaScripts is an open source accounting and invoicing 
software. Ve ...)
+       TODO: check
+CVE-2026-27892 (FacturaScripts is an open source accounting and invoicing 
software. In ...)
+       TODO: check
+CVE-2026-27891 (FacturaScripts is an open source accounting and invoicing 
software. Ve ...)
+       TODO: check
+CVE-2026-27781 (in OpenHarmony v6.0 and prior versions allow a local attacker 
cause DO ...)
+       TODO: check
+CVE-2026-27766 (in OpenHarmony v6.0 and prior versions allow a local attacker 
cause in ...)
+       TODO: check
+CVE-2026-27737 (BigBlueButton is an open-source virtual classroom. In versions 
prior t ...)
+       TODO: check
+CVE-2026-27648 (in OpenHarmony v6.0 and prior versions allow a remote attacker 
arbitra ...)
+       TODO: check
+CVE-2026-27130 (Dokploy is a free, self-hostable Platform as a Service (PaaS). 
Version ...)
+       TODO: check
+CVE-2026-26978 (FreePBX is an open source IP PBX. In versions below 16.0.71 
and 17.0.6 ...)
+       TODO: check
+CVE-2026-25850 (in OpenHarmony v6.0 and prior versions allow a local attacker 
cause in ...)
+       TODO: check
+CVE-2026-25781 (in OpenHarmony v6.0 and prior versions allow a local attacker 
cause DO ...)
+       TODO: check
+CVE-2026-25244 (WebdriverIO is a test automation framework for unit, e2e and 
component ...)
+       TODO: check
+CVE-2026-25110 (in OpenHarmony v6.0 and prior versions allow a local attacker 
cause DO ...)
+       TODO: check
+CVE-2026-24792 (in OpenHarmony v6.0 and prior versions allow a remote attacker 
arbitra ...)
+       TODO: check
+CVE-2026-22810 (Joplin is an open source note-taking and to-do application 
that organi ...)
+       TODO: check
+CVE-2026-22069 (A local privilege escalation vulnerability exists in O+ 
Connect becaus ...)
+       TODO: check
+CVE-2026-21789 (HCL Connections contains a broken access control vulnerability 
that ma ...)
+       TODO: check
+CVE-2025-65954 (SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS 
server in t ...)
+       TODO: check
+CVE-2025-15609 (The Fortis for WooCommerce WordPress plugin before 1.3.1 may 
leak sens ...)
+       TODO: check
 CVE-2026-45137
        NOT-FOR-US: Rust anchor-lang
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0144.html
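Review bot: All 49 newly imported entries are left at `TODO: check` with descriptions truncated by the importer, so each still needs a manual look against the full CVE record. Two things for whoever triages: the ten OpenHarmony entries (CVE-2026-33565 through CVE-2026-24792) begin mid-sentence ("in OpenHarmony v6.0 and prior versions allow ..."), which reflects the upstream description rather than an import fault; and the three Claude HUD entries (CVE-2026-47090, CVE-2026-47091, CVE-2026-47092) cite the same fix commit 234d9aa, so they can be triaged as one unit.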
@@ -6669,7 +6767,7 @@ CVE-2026-7263 (In PHP versions 8.4.* before 8.4.21 and 
8.5.* before 8.5.6, DOMNo
        - php7.4 <not-affected> (Only affects 8.4 and later)
        NOTE: 
https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733
        NOTE: 
https://github.com/php/php-src/commit/d43c523c48960e9ca0bf9c747e9bad8e5121edff
-CVE-2026-8149 (A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA 
BC-FIPS on  ...)
+CVE-2026-8149 (A vulnerability in Legion of the Bouncy Castle Inc. BC-LTS on 
Linux, X ...)
        NOT-FOR-US: FIPS provider for Bouncycastle, not part of the Debian 
package for Bouncycastle
 CVE-2026-8148 (NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a 
local atta ...)
        NOT-FOR-US: NAVER MYBOX Explorer for Windows
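Review bot: The NOT-FOR-US rationale no longer matches the updated description. The old text named BC-FJA/BC-FIPS, for which "FIPS provider for Bouncycastle, not part of the Debian package" is accurate, but the new text names BC-LTS on Linux, which is Bouncy Castle's separate long-term-stable distribution rather than the FIPS provider. Suggest re-checking the advisory against the Debian bouncycastle package and, if it still does not apply, rewording the rationale to something like `NOT-FOR-US: Bouncy Castle LTS distribution, not part of the Debian bouncycastle package`.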
@@ -19740,7 +19838,7 @@ CVE-2025-15610 (The .NET Remoting framework used by 
OpenText Fax (RightFax) incl
        NOT-FOR-US: OpenText
 CVE-2025-14868 (The Career Section plugin for WordPress is vulnerable to 
Cross-Site Re ...)
        NOT-FOR-US: WordPress plugin
-CVE-2025-14813 (Use of a Broken or Risky Cryptographic Algorithm vulnerability 
in Legi ...)
+CVE-2025-14813 (: Use of a Broken or Risky Cryptographic Algorithm 
vulnerability in Le ...)
        NOT-FOR-US: Sparx
 CVE-2025-13364 (The WP Maps \u2013 Store Locator,Google 
Maps,OpenStreetMap,Mapbox,List ...)
        NOT-FOR-US: WordPress plugin
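Review bot: The updated description for CVE-2025-14813 now starts with a stray leading colon (": Use of a Broken or Risky ..."), which comes from the upstream CVE record rather than from the import; it is harmless here since the entry stays `NOT-FOR-US: Sparx`, but it is worth knowing this is not a local parsing error if the line looks odd in later diffs.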
@@ -38313,6 +38411,7 @@ CVE-2026-26954 (SandboxJS is a JavaScript sandboxing 
library. Prior to 0.8.34, i
 CVE-2026-24097 (Improper permission enforcement in Checkmk versions 2.4.0 
before 2.4.0 ...)
        - check-mk <removed>
 CVE-2026-23943 (Improper Handling of Highly Compressed Data (Compression Bomb) 
vulnera ...)
+       {DLA-4590-1}
        - erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
        [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
        [bookworm] - erlang <no-dsa> (Minor issue)
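Review bot: The new `{DLA-4590-1}` marker now sits above a bookworm line that still reads `<no-dsa> (Minor issue)`. A DLA means the LTS team judged the same erlang issue worth a security update, so the bookworm "Minor issue" assessment may deserve a second look, or a short note on why the two releases are treated differently, so the statuses do not read as contradictory.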
@@ -38321,6 +38420,7 @@ CVE-2026-23943 (Improper Handling of Highly Compressed 
Data (Compression Bomb) v
        NOTE: Fixed by: 
https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3 
(OTP-27.3.4.9)
        NOTE: Fixed by: 
https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4 
(OTP-26.2.5.18)
 CVE-2026-23942 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
+       {DLA-4590-1}
        - erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
        [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
        [bookworm] - erlang <no-dsa> (Minor issue)
@@ -38329,6 +38429,7 @@ CVE-2026-23942 (Improper Limitation of a Pathname to a 
Restricted Directory ('Pa
        NOTE: Fixed by: 
https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28 
(OTP-27.3.4.9)
        NOTE: Fixed by: 
https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759 
(OTP-26.2.5.18)
 CVE-2026-23941 (Inconsistent Interpretation of HTTP Requests ('HTTP Request 
Smuggling' ...)
+       {DLA-4590-1}
        - erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
        [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
        [bookworm] - erlang <no-dsa> (Minor issue)
@@ -47690,6 +47791,7 @@ CVE-2026-22341 (Authentication Bypass Using an 
Alternate Path or Channel vulnera
 CVE-2026-21627 (The vulnerability was rooted in how the Tassos Framework 
plugin handle ...)
        NOT-FOR-US: Joomla
 CVE-2026-21620 (Relative Path Traversal, Improper Isolation or 
Compartmentalization vu ...)
+       {DLA-4590-1}
        - erlang 1:27.3.4.8+dfsg-1 (bug #1128651)
        [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
        [bookworm] - erlang <no-dsa> (Minor issue)
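Review bot: This is the fourth erlang CVE tagged `{DLA-4590-1}` in this commit, but unlike the three CVE-2026-2394x entries it was fixed in unstable via 1:27.3.4.8+dfsg-1 (bug #1128651) rather than 1:27.3.4.9+dfsg-1 (bug #1130912). Worth confirming that the DLA text lists all four CVEs and that the LTS upload carries both upstream fix sets.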



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d4facbde943560f181ae3c33473476ec412d85b



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
