Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: af9ba524 by Salvatore Bonaccorso at 2026-05-24T13:50:52+02:00 Add new set of roundcube issues - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,35 @@ +CVE-2026-XXXX [Code injection vulnerability via code evaluation support in LDAP autovalues option.] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a +CVE-2026-XXXX [Pre-auth arbitrary file delete via redis/memcache session poisoning bypass] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa +CVE-2026-XXXX [Bypass of remote image blocking via CSS var().] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a +CVE-2026-XXXX [Local/private URL fetch bypass when remote resources were not allowed] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556 +CVE-2026-XXXX [SSRF bypass via specific local address URLs.] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1 +CVE-2026-XXXX [Pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass.] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b +CVE-2026-XXXX [CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">.] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27 +CVE-2026-XXXX [Stored XSS/HTML/CSS injection in subject field of the draft restore dialog] + - roundcube <unfixed> (bug #1137507) + NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 + NOTE: https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a CVE-2026-9359 (A vulnerability was identified in Edimax EW-7438RPn 1.28a. Affected by ...) NOT-FOR-US: Edimax CVE-2026-9358 (A vulnerability was determined in postcss up to 7.1.1. Affected is the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af9ba5249c62d66f3f3039bcd179a09eb01f6cb2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af9ba5249c62d66f3f3039bcd179a09eb01f6cb2 You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
