Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2edf328c by Salvatore Bonaccorso at 2026-05-21T21:40:52+02:00
Process NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -96,15 +96,15 @@ CVE-2026-48207 (Deserialization of untrusted data in Apache
Fory PyFory. PyFory'
CVE-2026-45760 ((Externally Controlled Reference to a Resource in Another
Sphere), (Au ...)
TODO: check
CVE-2026-45255 (When bsdinstall or bsdconfig are prompted to scan for nearby
Wi-Fi net ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45254 (In the case of the cap_net service, when a key present in the
old limi ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45253 (ptrace(PT_SC_REMOTE) failed to properly validate parameters
for the sy ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45252 (When a fusefs file system implements extended attributes, the
kernel m ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45251 (A file descriptor can be closed while a thread is blocked in a
poll(2) ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45208 (A time-of-check time-of-use vulnerability in the Apex One/SEP
agent co ...)
NOT-FOR-US: Trend Micro
CVE-2026-45207 (An origin validation vulnerability in the Apex One/SEP agent
could all ...)
@@ -116,7 +116,7 @@ CVE-2026-39593 (Missing Authorization vulnerability in
VillaTheme HAPPY allows E
CVE-2026-39531 (Improper Neutralization of Special Elements used in an SQL
Command ('S ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-39461 (libcasper(3) communicates with helper processes via UNIX
domain socket ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-36189 (Buffer Overflow vulnerability in Uncrustify Project Affected
v.Uncrust ...)
TODO: check
CVE-2026-34930 (An origin validation vulnerability in the Apex One/SEP agent
could all ...)
@@ -132,19 +132,19 @@ CVE-2026-34926 (A directory traversal vulnerability in
the Apex One (on-premise)
CVE-2026-2740 (Zohocorp ManageEngine ADSelfService Plus version before 6525,
DataSecu ...)
NOT-FOR-US: Zoho
CVE-2026-28764 (MediaArea MediaInfoLib LXF element parsing heap-based buffer
overflow ...)
- TODO: check
+ NOT-FOR-US: MediaInfoLib
CVE-2026-27393 (Missing Authorization vulnerability in Tobias CF7 WOW Styler
allows Ex ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-27349 (Exposure of Sensitive System Information to an Unauthorized
Control Sp ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-22880 (Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4
11.1.3 11.3. ...)
- TODO: check
+ NOT-FOR-US: Mattermost Mobile Apps
CVE-2026-1816 (Improper restriction of excessive authentication attempts
vulnerabilit ...)
- TODO: check
+ NOT-FOR-US: Mobile Application
CVE-2026-1815 (Insufficient session expiration vulnerability in Turkiye
Electricity T ...)
- TODO: check
+ NOT-FOR-US: Mobile Application
CVE-2026-0393 (The affected product may expose credentials remotely between
low privi ...)
- TODO: check
+ NOT-FOR-US: CODESYS
CVE-2025-71217 (An origin validation error vulnerability in the Trend Micro
Apex One ( ...)
NOT-FOR-US: Trend Micro
CVE-2025-71216 (A time-of-check time-of-use vulnerability in the Trend Micro
Apex One ...)
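Review bot: the NOT-FOR-US at CVE-2026-28764 names MediaInfoLib itself rather than a vendor or product; MediaInfoLib is the library behind the mediainfo tooling, so before closing this as NFU please confirm there is no libmediainfo source package in the archive, otherwise the entry needs a package line (`- libmediainfo <unfixed>` or similar) instead. The same applies to CVE-2026-22554 (MediaInfoLib Channel Splitting heap-based buffer overflow) further down in this patch, which gets the identical NFU.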
@@ -162,9 +162,9 @@ CVE-2025-71211 (A vulnerability in the Trend Micro Apex One
management console c
CVE-2025-71210 (A vulnerability in the Trend Micro Apex One management console
could a ...)
NOT-FOR-US: Trend Micro
CVE-2025-13479 (Authorization bypass through User-Controlled key vulnerability
in PosC ...)
- TODO: check
+ NOT-FOR-US: QR Menu
CVE-2025-13477 (Exposure of private personal information to an unauthorized
actor, Ins ...)
- TODO: check
+ NOT-FOR-US: WifiBurada
CVE-2026-46473 (Authen::TOTP versions before 0.1.1 for Perl generate secrets
using ran ...)
NOT-FOR-US: Authen::TOTP Perl module
CVE-2026-43498 (In the Linux kernel, the following vulnerability has been
resolved: a ...)
@@ -459,45 +459,45 @@ CVE-2026-47099 (TeleJSON prior to 6.0.0 contains a
DOM-based cross-site scriptin
CVE-2026-45444 (Unrestricted Upload of File with Dangerous Type vulnerability
in WP Sw ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-40165 (authentik is an open-source identity provider. Versions
2025.12.4 and ...)
- TODO: check
+ NOT-FOR-US: authentik
CVE-2026-40102 (Plane is an open-source project management tool. In versions
1.3.0 and ...)
- TODO: check
+ NOT-FOR-US: Plane
CVE-2026-40094 (nimiq-blockchain provides persistent block storage for Nimiq's
Rust im ...)
- TODO: check
+ NOT-FOR-US: nimiq-blockchain
CVE-2026-40092 (nimiq-blockchain provides persistent block storage for Nimiq's
Rust im ...)
- TODO: check
+ NOT-FOR-US: nimiq-blockchain
CVE-2026-39960 (Mantis Bug Tracker (MantisBT) is an open source issue tracker.
Version ...)
TODO: check
CVE-2026-39850 (Yii 2 is a PHP application framework. Versions 2.0.54 and
prior contai ...)
TODO: check
CVE-2026-39405 (Frappe Learning Management System (LMS) is a learning system
that help ...)
- TODO: check
+ NOT-FOR-US: Frappe Learning Management System (LMS)
CVE-2026-39352 (Frappe is a full-stack web application framework. Versions
prior to 15 ...)
- TODO: check
+ NOT-FOR-US: Frappe
CVE-2026-39311 (Trilium Notes is a cross-platform, hierarchical note taking
applicatio ...)
- TODO: check
+ NOT-FOR-US: Trilium Notes
CVE-2026-39310 (Trilium Notes is a cross-platform, hierarchical note taking
applicatio ...)
- TODO: check
+ NOT-FOR-US: Trilium Notes
CVE-2026-35016 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35015 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35014 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35013 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35012 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35011 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35010 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35009 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35008 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35007 (Open ISES Tickets before 3.44.2 contains a reflected
cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-33137 (XWiki Platform is a generic wiki platform offering runtime
services fo ...)
NOT-FOR-US: XWiki
CVE-2026-2813 (ArcGIS Server contains an input validation weakness in the
login redir ...)
@@ -507,7 +507,7 @@ CVE-2026-2812 (ArcGIS Server contains an improper
authentication vulnerability i
CVE-2026-2734 (In mlflow/mlflow versions up to 3.9.0, the
`SearchModelVersions` REST ...)
NOT-FOR-US: mlflow
CVE-2026-26028 (CryptPad is an end-to-end encrypted collaborative office
suite. In ver ...)
- TODO: check
+ NOT-FOR-US: CryptPad
CVE-2026-24218 (NVIDIA DGX OS contains a vulnerability in the factory
provisioning pro ...)
NOT-FOR-US: NVIDIA
CVE-2026-24217 (NVIDIA BioNeMo Core for Linux contains a vulnerability where a
user co ...)
@@ -721,7 +721,7 @@ CVE-2026-24425 (Twig versions 2.16.x and 3.9.0 through
3.25.x contain a sandbox
- php-twig 3.26.0-1
NOTE:
https://symfony.com/blog/cve-2026-24425-possible-sandbox-bypass-when-using-a-source-policy
CVE-2026-22554 (MediaArea MediaInfoLib Channel Splitting heap-based buffer
overflow vu ...)
- TODO: check
+ NOT-FOR-US: MediaInfoLib
CVE-2026-22315 (Incorrect Privilege Assignment vulnerability in Mesalvo Meona
Client L ...)
NOT-FOR-US: Meona
CVE-2026-22314 (Improper Control of Generation of Code ('Code Injection')
vulnerabilit ...)
@@ -755,7 +755,7 @@ CVE-2025-31973 (HCL BigFix Service Management (SM) is
susceptible to a Configur
CVE-2025-11954 (Cross-Site request forgery (CSRF) vulnerability in Sitemio
Information ...)
NOT-FOR-US: Sitemio
CVE-2023-7346 (Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address
derivat ...)
- TODO: check
+ NOT-FOR-US: Ledger Bitcoin app
CVE-2026-41073
- request-tracker5 5.0.10+dfsg-1
- request-tracker4 <unfixed>
@@ -1245,9 +1245,9 @@ CVE-2026-31070 (The LalanaChami Pharmacy Management
System (commit 5c3d028) allo
CVE-2026-31069 (BillaBear (all versions prior to Jan 2026) contains a SQL
Injection vu ...)
NOT-FOR-US: BillaBear
CVE-2026-30118 (scalar/astro v0.1.13 was discovered to contain a Server-Side
Request F ...)
- TODO: check
+ NOT-FOR-US: scalar/astro
CVE-2026-30117 (scalar/astro v0.1.13 was discovered to contain an arbitrary
file uploa ...)
- TODO: check
+ NOT-FOR-US: scalar/astro
CVE-2026-2955 (The AI Chatbot & Workflow Automation by AIWU plugin for
WordPress is v ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2611 (In MLflow version 3.9.0, the MLflow Assistant feature
introduced impro ...)
@@ -1289,25 +1289,25 @@ CVE-2026-24142 (NVIDIA TRT-LLM for any platform
contains a deserialization vulne
CVE-2025-70950 (An issue in gohttp commit 34ea51 allows attackers to execute a
directo ...)
TODO: check
CVE-2025-61081 (In BYD Atto3, an attacker can obtain an authentication key
through Bru ...)
- TODO: check
+ NOT-FOR-US: BYD Atto3
CVE-2025-57798 (Joplin is an open source note-taking and to-do application
that organi ...)
TODO: check
CVE-2025-51427 (An issue was discovered in ModelScope 1.25.0 allowing
attackers to exe ...)
- TODO: check
+ NOT-FOR-US: ModelScope
CVE-2025-40904 (A Stored HTML Injection vulnerability was discovered in the
Smart Poll ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40903 (A Stored HTML Injection vulnerability was discovered in the
Schedule R ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40902 (A Stored HTML Injection vulnerability was discovered in the
Users func ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40901 (A Stored HTML Injection vulnerability was discovered in the
Credential ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40900 (An Angular template injection vulnerability was discovered in
the Repo ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-33255 (NVIDIA TRT-LLM for any platform contains a vulnerability in
MPI server ...)
NOT-FOR-US: NVIDIA
CVE-2025-15645 (Ledger Nano X, Flex, and Stax devices contain a denial of
service vuln ...)
- TODO: check
+ NOT-FOR-US: Ledger Nano X, Flex, and Stax devices
CVE-2025-15369 (The Xpro Addons \u2014 140+ Widgets for Elementor plugin for
WordPress ...)
NOT-FOR-US: WordPress plugin
CVE-2025-14575 (An Uncontrolled Search Path Element vulnerability in the
OpenSSL TLS b ...)
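Review bot: CVE-2025-57798 (Joplin) stays `TODO: check` in this hunk, while the hunk at @@ -1668 records the other Joplin issue, CVE-2026-22810, as `- joplin <itp> (bug #931306)`; unless there is a reason to treat the two differently, the earlier entry should get the same `<itp>` line so both Joplin CVEs are tracked consistently.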
@@ -1315,7 +1315,7 @@ CVE-2025-14575 (An Uncontrolled Search Path Element
vulnerability in the OpenSSL
CVE-2024-36343 (Improper input validation in the System Management Mode (SMM)
communic ...)
TODO: check
CVE-2023-7345 (Ledger Live with vulnerable versions of ledgerhq/hw-app-eth
prior to 6 ...)
- TODO: check
+ NOT-FOR-US: Ledger
CVE-2026-29518 (Rsync versions before 3.4.3 contain a time-of-check to
time-of-use (TO ...)
{DSA-6282-1 DLA-4591-1}
- rsync 3.4.3+ds1-1
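Review bot: style point on the NFU vendor strings for the Ledger entries: CVE-2023-7345 becomes `NOT-FOR-US: Ledger`, CVE-2023-7346 (hunk @@ -755) `NOT-FOR-US: Ledger Bitcoin app`, and CVE-2025-15645 (hunk @@ -1289) `NOT-FOR-US: Ledger Nano X, Flex, and Stax devices`; a single vendor string such as `NOT-FOR-US: Ledger` (or vendor plus product in one fixed form) across the three would make later grepping and cleanup of NFU entries easier.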
@@ -1668,7 +1668,7 @@ CVE-2026-24792 (in OpenHarmony v6.0 and prior versions
allow a remote attacker a
CVE-2026-22810 (Joplin is an open source note-taking and to-do application
that organi ...)
- joplin <itp> (bug #931306)
CVE-2026-22069 (A local privilege escalation vulnerability exists in O+
Connect becaus ...)
- TODO: check
+ NOT-FOR-US: O+ Connect
CVE-2026-21789 (HCL Connections contains a broken access control vulnerability
that ma ...)
NOT-FOR-US: HCL
CVE-2025-65954 (SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS
server in t ...)
@@ -5634,7 +5634,7 @@ CVE-2025-35969 (Uncontrolled search path for some
Intel(R) Server Firmware Updat
CVE-2025-27723 (Use after free for some Linux kernel driver for the Intel(R)
Ethernet ...)
TODO: check
CVE-2025-12659 (The affected applications contains a memory corruption
vulnerability w ...)
- TODO: check
+ NOT-FOR-US: Siemens
CVE-2024-54017 (A vulnerability has been identified in SIPROTEC 5 6MD84
(CP300) (All v ...)
NOT-FOR-US: Siemens
CVE-2025-54518 (Improper isolation of shared resources within the CPU
operation cache ...)
@@ -6377,7 +6377,7 @@ CVE-2025-65415 (docuFORM Managed Print Service Client
11.11c is vulnerable to a
CVE-2025-63750
REJECTED
CVE-2025-61314 (A reflected cross-site scripted (XSS) vulnerability in the
dfm-menu_or ...)
- TODO: check
+ NOT-FOR-US: docuForm
CVE-2025-61313 (A reflected cross-site scripted (XSS) vulnerability in the
dfm-menu_ma ...)
NOT-FOR-US: docuForm
CVE-2025-61312 (A reflected cross-site scripted (XSS) vulnerability in the
acc-menu_pr ...)
@@ -335965,7 +335965,7 @@ CVE-2023-30061 (D-Link DIR-879 v105A1 is vulnerable
to Authentication Bypass via
CVE-2023-30060
RESERVED
CVE-2023-30059 (An insecure direct object reference in MK-Auth 23.01K4.9
allows attack ...)
- TODO: check
+ NOT-FOR-US: MK-Auth
CVE-2023-30058 (novel-plus 3.6.2 is vulnerable to SQL Injection.)
NOT-FOR-US: novel-plus
CVE-2023-30057 (Multiple stored cross-site scripting (XSS) vulnerabilities in
FICO Ori ...)
@@ -343739,7 +343739,7 @@ CVE-2023-27755 (go-bbs v1 was discovered to contain
an arbitrary file download v
CVE-2023-27754 (vox2mesh 1.0 has stack-overflow in main.cpp, this is
stack-overflow ca ...)
NOT-FOR-US: vox2mesh
CVE-2023-27753 (An arbitrary file upload vulnerability in MK-Auth 23.01K4.9
allows att ...)
- TODO: check
+ NOT-FOR-US: MK-Auth
CVE-2023-27752
REJECTED
CVE-2023-27751
@@ -354238,7 +354238,7 @@ CVE-2023-24217 (AgileBio Electronic Lab Notebook
v4.234 was discovered to contai
CVE-2023-24216
RESERVED
CVE-2023-24215 (Incorrect access control in the /uci/get/ endpoint of NOVUS
AirGate 4G ...)
- TODO: check
+ NOT-FOR-US: NOVUS AirGate 4G firmware
CVE-2023-24214
RESERVED
CVE-2023-24213
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2edf328c3130150e99790e8d92483838ee664dd9
--
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits