Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5fa93c82 by security tracker role at 2026-05-31T19:13:43+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,95 @@
+CVE-2026-8382 (The Advanced Custom Fields (ACF\xae) plugin for WordPress is 
vulnerabl ...)
+       TODO: check
+CVE-2026-49490 (OpenCATS from version 0.9.1a contains an SQL injection 
vulnerability i ...)
+       TODO: check
+CVE-2026-49489 (OpenCATS through 0.9.7.4 contains a sql injection 
vulnerability in the ...)
+       TODO: check
+CVE-2026-10194 (A weakness has been identified in OFFIS DCMTK 3.7.0. This 
affects the  ...)
+       TODO: check
+CVE-2026-10193 (A security flaw has been discovered in OFCMS up to 1.1.3. The 
impacted ...)
+       TODO: check
+CVE-2026-10192 (A vulnerability was identified in Tenda W12 3.0.0.7(4763). The 
affecte ...)
+       TODO: check
+CVE-2026-10191 (A vulnerability was determined in Tenda W12 3.0.0.7(4763). 
Impacted is ...)
+       TODO: check
+CVE-2026-10190 (A vulnerability was found in Tenda W12 3.0.0.7(4763). This 
issue affec ...)
+       TODO: check
+CVE-2026-10189 (A vulnerability has been found in Tenda W12 3.0.0.7(4763). 
This vulner ...)
+       TODO: check
+CVE-2026-10188 (A flaw has been found in Tenda W12 3.0.0.7(4763). This affects 
the fun ...)
+       TODO: check
+CVE-2026-10187 (A vulnerability was detected in Totolink N300RH 
6.1c.1353_B20190305. A ...)
+       TODO: check
+CVE-2026-10186 (A security vulnerability has been detected in code-projects 
Online Hos ...)
+       TODO: check
+CVE-2026-10185 (A weakness has been identified in SourceCodester Hospitals 
Patient Rec ...)
+       TODO: check
+CVE-2026-10184 (A security flaw has been discovered in SourceCodester 
Hospitals Patien ...)
+       TODO: check
+CVE-2026-10183 (A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. 
This af ...)
+       TODO: check
+CVE-2026-10182 (A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. 
The imp ...)
+       TODO: check
+CVE-2026-10181 (A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. The 
affected ...)
+       TODO: check
+CVE-2026-10180 (A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. 
Impacte ...)
+       TODO: check
+CVE-2026-10179 (A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This 
issue affec ...)
+       TODO: check
+CVE-2026-10178 (A vulnerability was detected in code-projects Online Music 
Site 1.0. T ...)
+       TODO: check
+CVE-2026-10177 (A security vulnerability has been detected in Aider-AI Aider 
0.86.3. T ...)
+       TODO: check
+CVE-2026-10176 (A weakness has been identified in Aider-AI Aider 0.86.3. 
Affected by t ...)
+       TODO: check
+CVE-2026-10175 (A security flaw has been discovered in Aider-AI Aider 0.86.3. 
Affected ...)
+       TODO: check
+CVE-2026-10174 (A vulnerability was identified in Aider-AI Aider 0.86.3. 
Affected is a ...)
+       TODO: check
+CVE-2026-10173 (A weakness has been identified in Orthanc Explorer 2 up to 
1.12.0. The ...)
+       TODO: check
+CVE-2026-10172 (A security flaw has been discovered in Bdtask Multi-Store 
Inventory Ma ...)
+       TODO: check
+CVE-2026-10171 (A vulnerability has been found in code-projects Online Music 
Site 1.0. ...)
+       TODO: check
+CVE-2026-10170 (A flaw has been found in code-projects Visitor Management 
System 1.0.  ...)
+       TODO: check
+CVE-2026-10169 (A vulnerability was detected in OUSL-GROUP-BrinaryBrains 
School Studen ...)
+       TODO: check
+CVE-2026-10168 (A security vulnerability has been detected in 
OUSL-GROUP-BrinaryBrains ...)
+       TODO: check
+CVE-2026-10167 (A weakness has been identified in OUSL-GROUP-BrinaryBrains 
School Stud ...)
+       TODO: check
+CVE-2026-10166 (A vulnerability was determined in Edimax BR-6478AC 1.23. The 
affected  ...)
+       TODO: check
+CVE-2026-10165 (A vulnerability was identified in Edimax BR-6478AC 1.23. The 
impacted  ...)
+       TODO: check
+CVE-2026-10164 (A vulnerability was found in Edimax BR-6478AC 1.23. Impacted 
is the fu ...)
+       TODO: check
+CVE-2026-10163 (A vulnerability has been found in Edimax BR-6478AC 1.23. This 
issue af ...)
+       TODO: check
+CVE-2026-10162 (A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This 
vulnerabili ...)
+       TODO: check
+CVE-2026-10161 (A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. 
This affe ...)
+       TODO: check
+CVE-2026-10160 (A security vulnerability has been detected in TRENDnet 
TEW-432BRP 3.10 ...)
+       TODO: check
+CVE-2026-10159 (A weakness has been identified in TRENDnet TEW-432BRP 3.10B20. 
Affecte ...)
+       TODO: check
+CVE-2026-10158 (A security flaw has been discovered in TRENDnet TEW-432BRP 
3.10B20. Af ...)
+       TODO: check
+CVE-2026-10157 (A vulnerability was identified in Open5GS up to 2.7.6. This 
impacts an ...)
+       TODO: check
+CVE-2026-10156 (A vulnerability was determined in Open5GS up to 2.7.7. This 
affects th ...)
+       TODO: check
+CVE-2026-10155 (A vulnerability was found in Bdtask Multi-Store Inventory 
Management S ...)
+       TODO: check
+CVE-2026-10154 (A vulnerability has been found in Dolibarr ERP CRM 
23.0.0/23.0.1/23.0. ...)
+       TODO: check
+CVE-2026-10153 (A flaw has been found in westboy CicadasCMS up to 
2431154dac8d0735e04f ...)
+       TODO: check
+CVE-2026-10152 (A vulnerability was detected in TaleLin lin-cms-spring-boot up 
to 0.2. ...)
+       TODO: check
 CVE-2026-42359
        - airflow <itp> (bug #819700)
 CVE-2026-45360
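Review bot: CVE-2026-8382, the first entry added in this hunk, is described as a WordPress plugin issue, and this file already resolves such entries as NOT-FOR-US: WordPress plugin (see CVE-2026-6268 further down), so it can be closed out rather than left at TODO: check. Among the other new entries, CVE-2026-10194 names OFFIS DCMTK 3.7.0, which corresponds to the dcmtk source package in Debian, so it should be triaged against that package first.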
@@ -3266,6 +3358,7 @@ CVE-2024-11399 (Files or directories accessible to 
external parties vulnerabilit
 CVE-2023-52945 (Uncontrolled search path element vulnerability in OpenSSL DLL 
componen ...)
        NOT-FOR-US: Synology
 CVE-2026-48736
+       {DSA-6312-1}
        - symfony 7.4.13+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-48736-iputils-private-subnets-omits-ipv6-transition-forms-ssrf-bypass-in-noprivatenetworkhttpclient
        NOTE: 
https://github.com/symfony/symfony/commit/85b831555be8ea1f43bf01078afe87bc4c92f65e
 (v6.4.41)
@@ -3278,22 +3371,26 @@ CVE-2026-48747
        NOTE: 
https://symfony.com/blog/cve-2026-48747-mailomat-webhook-parser-reads-the-hmac-algorithm-from-the-request-signature-algorithm-downgrade
        NOTE: 
https://github.com/symfony/symfony/commit/bdfe9fe0d94d33dfaca0bc2fe0b00b54767b0c88
 (v7.4.13)
 CVE-2026-48760
+       {DSA-6312-1}
        - symfony 7.4.13+dfsg-1
        [bookworm] - symfony <not-affected> (Vulnerable code not present)
        [bullseye] - symfony <not-affected> (Vulnerable code not present)
        NOTE: 
https://symfony.com/blog/cve-2026-48760-htmlsanitizer-url-parser-underinclusive-percent-encoded-bidi-marks-and-unicode-whitespace-bypass
        NOTE: 
https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8
 (v6.4.41)
 CVE-2026-48761
+       {DSA-6312-1}
        - symfony 7.4.13+dfsg-1
        [bookworm] - symfony <not-affected> (Vulnerable code not present)
        [bullseye] - symfony <not-affected> (Vulnerable code not present)
        NOTE: 
https://symfony.com/blog/cve-2026-48761-htmlsanitizer-misses-url-attributes-on-object-applet-iframe-img-and-meta-refresh
        NOTE: 
https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0
 (v6.4.41)
 CVE-2026-48784
+       {DSA-6312-1}
        - symfony 7.4.13+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-48784-urlgenerator-encoding-skips-every-other-chained-or-generated-url-collapses-off-route
        NOTE: 
https://github.com/symfony/symfony/commit/4b63c3a3f7af04ecd79c89a594b0b02a01990b1d
 (v5.4.53)
 CVE-2026-48489
+       {DSA-6312-1}
        - symfony 7.4.13+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-48489-security-firewall-bypass-via-failure-forward-subrequest
        NOTE: 
https://github.com/symfony/symfony/commit/c48a4276309e11aedeeb0ce3a89dfbf0b4fe04ff
 (v5.4.53)
@@ -4901,6 +4998,7 @@ CVE-2026-6287 (The ShopLentor - WooCommerce Builder for 
Elementor & Gutenberg pl
 CVE-2026-6268 (The EventPress WordPress theme before 22.2 does not sanitize or 
escape ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-49017 (In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware 
enters a ...)
+       {DSA-6314-1}
        - swift 2.37.1-4 (bug #1138170)
        [bookworm] - swift <not-affected> (Support for aws-chunked introduced 
in 2.35.1)
        [bullseye] - swift <not-affected> (Support for aws-chunked introduced 
in 2.35.1)
@@ -6950,37 +7048,37 @@ CVE-2026-42538
 CVE-2026-42329
        NOT-FOR-US: DFIR-IRIS
 CVE-2026-42326
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7wff-wpr6-vmhm
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/06301590988fc62e17b4ae6e937d411cc1089ef1
 (7.1.2-22)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/4bbc9cf334ec0c136d4aa8c28afab17120cc954c
 (6.9.13-47)
 CVE-2026-45031
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cwpj-h54c-xjpx
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/a96763d717e27d6d136aa734d1cf4b33a91555d0
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/de0f3f1ee15c783d139135e93cff212ee37e89af
 (6.9.13-48)
 CVE-2026-45359
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhrh-72hq-w8m7
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/9f18e2890088705c9a3dc867a7f2e31be50b8f41
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/c590530d406e7628e6f1a8d0e7429b592bfadce8
 (6.9.13-49)
 CVE-2026-45358
-       {DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr6r-hmj8-pr7r
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/2cf3b5750bd7c96fbb92c3f02823ecd63f8dd232
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/1b962d30cc7ad94d18c5f24c8dbc6d48f534b99d
 (6.9.13-48)
 CVE-2026-45624
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pfvh-m9xv-8966
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/a66ab7bc559f041b1434606496b5b4b0906ff9a2
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/7736b7c458d0c694e26023ad4bd3436fc2f951ff
 (6.9.13-48)
 CVE-2026-45664
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/10a1a2285659fe1f8978f338319727dfda19500d
 (7.1.2-23)
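Review bot: CVE-2026-45358 is the one entry in this hunk that gains DSA-6310-1 in addition to DLA-4609-1; it previously carried only {DSA-6298-1}, while every other imagemagick entry here already had both DSAs. Please confirm that DSA-6310-1 does cover CVE-2026-45358, so the cross-reference is a correction of an earlier omission and not a side effect of the bulk DLA-4609-1 update.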
@@ -6988,25 +7086,25 @@ CVE-2026-45664
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/3d57d37907857d19b026760c47f1ac9c8c091c0d
 (6.9.13-48)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/11ac03e5485a94a8c1ef06e79e8d77ded1d18d46
 (6.9.13-48)
 CVE-2026-46692
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p93h-f2jc-477j
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/75bcc76eac8b26ce0d6900117c9b308b0aed5719
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/6efd2e9277e6e6f5a8171d6c67bc93f1ff1f3eb8
 (6.9.13-48)
 CVE-2026-46521
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/188fcf538f58a60109ebd008e2c40d29cf3966d7
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/61adf32771284186f2fbaea220062226123ac394
 (6.9.13-48)
 CVE-2026-46520
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-36wm-hprc-mcf5
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/3aa35741316909f9e384d13cee197334dc3296d7
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/4095aa6144646ec6f04d254f050d7cbb04af293f
 (6.9.13-48)
 CVE-2026-46693
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/adb4b8d7e1e4014892b71837842326c96c2a625b
 (7.1.2-23)
@@ -7015,19 +7113,19 @@ CVE-2026-46693
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/6b1e965f94eaf73f9ed459f86d87254e72c87156
 (6.9.13-48)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/0cde9421b635a66a42a6f23f995fbd9a325965cb
 (6.9.13-48)
 CVE-2026-46522
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/e8431d4a282013851cb698fdf29b1d7ad80ad7cb
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/466237e1116b46abde8af0f1794b42f1110e04b5
 (6.9.13-48)
 CVE-2026-46523
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5r4x-w6p5-222q
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/4d92249c84536a20e9723376ec016b4950dcb454
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/5ad5fdcc45871bdeeca414a883acb880532accce
 (6.9.13-48)
 CVE-2026-46559
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/ff2f155f2874737380a80195c5849a2f06cb6ff7
 (7.1.2-23)
@@ -7041,13 +7139,13 @@ CVE-2026-46557
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/06fb1aa7589f4eec363b33c2bbda5986a92bb259
 (7.1.2-23)
        NOTE: ImageMagick6 not affected: 
https://github.com/ImageMagick/ImageMagick6/issues/430
 CVE-2026-47166
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6gxq-f64p-5w6f
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/bb79e91155127dd6c3c18a01c8761e9c2ea82d70
 (7.1.2-23)
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/2ca87784a434899067b8408e5f8a7f0165a8f884
 (6.9.13-48)
 CVE-2026-47165
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.23+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-2rgj-gx5x-f62w
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/bb79e91155127dd6c3c18a01c8761e9c2ea82d70
 (7.1.2-23)
@@ -7307,33 +7405,41 @@ CVE-2026-9759 (ROHC protocol dissector crash in 
Wireshark 4.6.0 to 4.6.5 and 4.4
        NOTE: https://www.wireshark.org/security/wnpa-sec-2026-51.html
        NOTE: https://gitlab.com/wireshark/wireshark/-/work_items/21243
 CVE-2026-46626
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-46626-symfonyruntime-cve-2024-50340-patch-bypass-via-parse-str-sapi-argv-mismatch
 CVE-2026-45070
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45070-email-header-injection-via-non-token-characters-in-mime-parameter-names
 CVE-2026-45065
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45065-urlgenerator-route-requirement-bypass-via-unanchored-regex-alternation-off-site-host-url-injection
 CVE-2026-45071
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45071-xxe-local-file-disclosure-in-domcrawler-addxmlcontent-via-validateonparse-true
 CVE-2026-45066
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        [bookworm] - symfony <not-affected> (Vulnerable code not present, 
introduced in 6.1)
        [bullseye] - symfony <not-affected> (Vulnerable code not present, 
introduced in 6.1)
        NOTE: 
https://symfony.com/blog/cve-2026-45066-htmlsanitizer-allowlinkhosts-allowmediahosts-bypass-via-url-parser-differentials-and-area-misclassification
 CVE-2026-45069
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        [bookworm] - symfony <not-affected> (Vulnerable code not present, 
introduced in 6.3)
        NOTE: 
https://symfony.com/blog/cve-2026-45069-oidctokenhandler-accepts-jwts-missing-aud-iss-exp-claims
 CVE-2026-45063
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45063-identity-spoofing-via-unanchored-dn-regex-in-x509authenticator
 CVE-2026-45067
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45067-email-header-smtp-command-injection-via-crlf-in-symfony-component-mime-address
 CVE-2026-45068
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45068-argument-injection-in-sendmailtransport-via-dash-prefixed-recipient-address
 CVE-2026-45756
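Review bot: CVE-2026-45070 is left without {DSA-6312-1} although it has the same unstable fix version (symfony 7.4.12+dfsg-1) as the entries around it that all gain the reference, and its visible lines carry no <not-affected> annotation for bookworm or bullseye. If the stable update does not include that fix, a release-specific line such as <no-dsa> or <not-affected> with a reason would make the omission explicit; otherwise the DSA reference is missing here.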
@@ -7349,11 +7455,13 @@ CVE-2026-45755
        [bullseye] - symfony <not-affected> (Vulnerable code not present, 
introduced in 7.2)
        NOTE: 
https://symfony.com/blog/cve-2026-45755-mailtrap-mailer-webhook-parser-never-verifies-the-x-mt-signature-hmac-unauthenticated-webhook-event-injection
 CVE-2026-45064
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        [bookworm] - symfony <not-affected> (Vulnerable code not present, 
introduced in 6.1)
        [bullseye] - symfony <not-affected> (Vulnerable code not present, 
introduced in 6.1)
        NOTE: 
https://symfony.com/blog/cve-2026-45064-htmlsanitizer-url-attributes-pass-through-bidi-override-characters-visual-href-spoofing
 CVE-2026-45077
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45077-unauthenticated-php-object-deserialization-in-monologbridge-server-log-listener
 CVE-2026-45075
@@ -7363,20 +7471,25 @@ CVE-2026-45075
        [bullseye] - symfony <not-affected> (Vulnerable code not present, 
introduced in 7.4)
        NOTE: 
https://symfony.com/blog/cve-2026-45075-head-request-bypasses-methods-get-filter-in-isgranted-issignaturevalid-iscsrftokenvalid
 CVE-2026-45133
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45133-yaml-parser-stack-exhaustion-via-unbounded-recursion-in-nested-blocks-sequences-and-mappings
 CVE-2026-45072
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        [bookworm] - symfony <not-affected> (Vulnerable code not present)
        [bullseye] - symfony <not-affected> (Vulnerable code not present)
        NOTE: 
https://symfony.com/blog/cve-2026-45072-stored-xss-in-webprofiler-codeextension-fileexcerpt-unescaped-non-php-file-rendering
 CVE-2026-45073
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45073-sql-injection-in-pdoadapter-doclear-via-unsanitized-prefix
 CVE-2026-45304
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45304-yaml-parser-exponential-memory-allocation-via-recursive-collection-alias-expansion-billion-laughs
 CVE-2026-45305
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2026-45305-yaml-parser-redos-via-catastrophic-backtracking-in-parser-cleanup-regex
 CVE-2026-45074
@@ -7386,6 +7499,7 @@ CVE-2026-45074
        [bullseye] - symfony <not-affected> (Vulnerable code not present, 
introduced in 7.1)
        NOTE: 
https://symfony.com/blog/cve-2026-45074-cas2handler-derives-cas-service-url-from-client-host-header-cross-service-ticket-replay
 CVE-2026-45754
+       {DSA-6312-1}
        - symfony 7.4.12+dfsg-1
        [bookworm] - symfony <not-affected> (Vulnerable code not present, 
introduced in 6.4)
        [bullseye] - symfony <not-affected> (Vulnerable code not present, 
introduced in 6.4)
@@ -11966,6 +12080,7 @@ CVE-2026-42048 (Langflow is a tool for building and 
deploying AI-powered agents
 CVE-2026-42045 (LobeHub is a work-and-lifestyle space to find, build, and 
collaborate  ...)
        NOT-FOR-US: LobeHub
 CVE-2026-42006 (An attacker can cause uncontrolled memory usage with excessive 
bracing ...)
+       {DSA-6313-1}
        - dovecot 1:2.4.4+dfsg1-1 (bug #1136444)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/12/6
        NOTE: Fixed by: 
https://github.com/dovecot/core/commit/da1438c76b797f055d4ad7f0eaa17e5e29ca31ee 
(2.4.4)
@@ -12126,12 +12241,14 @@ CVE-2026-40357 (Deserialization of untrusted data in 
Microsoft Office SharePoint
 CVE-2026-40300 (Zulip is an open-source team collaboration tool. Prior to 
12.0, With m ...)
        - zulip-server <itp> (bug #800052)
 CVE-2026-40020 (Attacker can use the IMAP SETACL command to inject the anyone 
permissi ...)
+       {DSA-6313-1}
        - dovecot 1:2.4.4+dfsg1-1 (bug #1136444)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/12/6
        NOTE: Fixed by: 
https://github.com/dovecot/core/commit/b7daa4104ff064c1fb549540cc9d96c2d9e2509c 
(2.4.4)
        NOTE: Fixed by: 
https://github.com/dovecot/core/commit/20b48c3db5fed7ccaa8e0a4c10ca54f6dc36a63d 
(2.4.4)
        NOTE: Fixed by: 
https://github.com/dovecot/core/commit/1cf6ad1a119e5dace816e401e73ba6cc11d1472e 
(2.4.4)
 CVE-2026-40016 (Attacker can upload a malicious Sieve script over ManageSieve 
service  ...)
+       {DSA-6313-1}
        - dovecot 1:2.4.4+dfsg1-1 (bug #1136444)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/12/6
        NOTE: Fixed by: 
https://github.com/dovecot/pigeonhole/commit/5b0ed9d1034c023d3daf218b6b8656f0cdd383dc
 (2.4.4)
@@ -12280,6 +12397,7 @@ CVE-2026-33833 (Improper neutralization of special 
elements in output used by a
 CVE-2026-33821 (Improper privilege management in Microsoft Dynamics 365 
Customer Insig ...)
        NOT-FOR-US: Microsoft
 CVE-2026-33603 (Attacker can use a specially crafted base64 exchange between 
Dovecot a ...)
+       {DSA-6313-1}
        - dovecot 1:2.4.4+dfsg1-1 (bug #1136444)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/12/6
        NOTE: Fixed by: 
https://github.com/dovecot/core/commit/c1c53885bda550632b944dd305013cd010e0e058 
(2.4.4)
@@ -15561,9 +15679,11 @@ CVE-2026-41498 (Kimai is an open-source time tracking 
application. Prior to vers
 CVE-2026-41105 (Server-side request forgery (ssrf) in Azure Notification 
Service allow ...)
        NOT-FOR-US: Microsoft
 CVE-2026-40214 (In OpenStack Cyborg before 16.0.1, the Accelerator Request 
(ARQ) API d ...)
+       {DSA-6315-1}
        - cyborg 16.0.0+git+2026.04.26.b8edfa06f1-1 (bug #1136006)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/07/6
 CVE-2026-40213 (OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') 
as the  ...)
+       {DSA-6315-1}
        - cyborg 16.0.0+git+2026.04.26.b8edfa06f1-1 (bug #1136006)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/07/6
 CVE-2026-3508 (An Out-of-bounds Read vulnerability in the IOCTL handler in 
ASUS Syste ...)
@@ -19526,7 +19646,7 @@ CVE-2025-14726 (The Widgets for Social Photo Feed 
plugin for WordPress is vulner
 CVE-2025-12993
        REJECTED
 CVE-2026-42050 (ImageMagick is free and open-source software used for editing 
and mani ...)
-       {DSA-6310-1 DSA-6298-1}
+       {DSA-6310-1 DSA-6298-1 DLA-4609-1}
        - imagemagick 8:7.1.2.21+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7mxf-ff4f-jj7p
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/25980041f145afc621233a1c050291231b627c48
 (7.1.2-20)
@@ -29932,7 +30052,7 @@ CVE-2026-33902 (ImageMagick is free and open-source 
software used for editing an
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba
 (7.1.2-19)
 CVE-2026-33901 (ImageMagick is free and open-source software used for editing 
and mani ...)
-       {DSA-6245-1 DSA-6240-1 DLA-4559-1}
+       {DSA-6245-1 DSA-6240-1 DLA-4609-1 DLA-4559-1}
        - imagemagick 8:7.1.2.19+dfsg1-1
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/4c72003e9e54a4ebaa938d239e75f5d285527ebe
 (7.1.2-19)
@@ -105357,6 +105477,7 @@ CVE-2025-34282 (ThingsBoard versions < 4.2.1 contain 
a server-side request forge
 CVE-2025-34281 (ThingsBoard in versions prior to v4.2.1 allows an 
authenticated user t ...)
        NOT-FOR-US: ThingsBoard
 CVE-2025-26625 (Git LFS is a Git extension for versioning large files. In Git 
LFS vers ...)
+       {DLA-4610-1}
        - git-lfs 3.7.1-1 (bug #1118339)
        [trixie] - git-lfs 3.6.1-1+deb13u1
        [bookworm] - git-lfs <no-dsa> (Minor issue)
@@ -218448,7 +218569,7 @@ CVE-2024-50341 (symfony/security-bundle is a module 
for the Symphony PHP framewo
        NOTE: 
https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v
        NOTE: Fixed by: 
https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105
 (v6.4.10, v7.0.10, v7.1.3)
 CVE-2024-50340 (symfony/runtime is a module for the Symphony PHP framework 
which enabl ...)
-       {DSA-5809-1}
+       {DSA-6312-1 DSA-5809-1}
        - symfony 6.4.14+dfsg-1
        [bullseye] - symfony <not-affected> (Vulnerable code not present, 
introduced in 5.3)
        NOTE: 
https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
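Review bot: CVE-2024-50340 now lists DSA-6312-1 ahead of DSA-5809-1, but nothing in the entry says why a 2024 CVE is referenced by the new advisory. The CVE-2026-46626 entry earlier in this diff links to a post titled as a CVE-2024-50340 patch bypass, so a NOTE on CVE-2024-50340 pointing at CVE-2026-46626 would let readers see whether DSA-6312-1 re-fixes the original issue or only addresses the bypass.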



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fa93c8231eb3a4144bfad52b109f76fe4aa5f30
