Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
51f45e7d by Salvatore Bonaccorso at 2026-06-04T23:52:10+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -27,35 +27,35 @@ CVE-2026-7774 (tarfile.data_filter could be bypassed using 
crafted link entries,
        NOTE: 
https://github.com/python/cpython/commit/0478bd83d82b255e0f29f613367a59d261e7eaa2
 (3.13 branch)
        NOTE: 
https://github.com/python/cpython/commit/0d28f5e46e151718972dfabd91205444d0037b6d
 (3.12 branch)
 CVE-2026-7764 (An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi 
kernel ...)
-       TODO: check
+       NOT-FOR-US: Morse Micro HaLowLink 2 software
 CVE-2026-5228 (Improper Access Control, Missing Authorization vulnerability in 
Kurt S ...)
-       TODO: check
+       NOT-FOR-US: Kurt oftware Studio WriteUp Mobile App
 CVE-2026-50226 (Fixed AES-128-CBC keys inside the AcerConnect OTA application 
let atta ...)
-       TODO: check
+       NOT-FOR-US: AcerConnect OTA application
 CVE-2026-50225 (The registration path/v1/account/registerprovides no bot 
mitigation me ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50224 (The web administration panel binds broadly to the public IPv6 
address  ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50214 (The/v1/Planservice relies entirely on a shared global API 
token for fu ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50213 (The account validation endpoint/v1/User/validatereturns 
comprehensive  ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50212 (Weak validation logic within device dissociation API routines 
allows a ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50211 (Leftover engineering diagnostics and factory-level diagnostic 
software ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50210 (The device encrypts data using AES-CBC with static zero-filled 
Initial ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50209 (Broadcast events allow malicious software to rewrite the 
device's defa ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50208 (High-riskTrustAllCertsroutines disable standard TLS 
certificate valida ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50207 (The system Binder boundary accepts unverified pass-through AT 
commands ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50206 (Incoming VPN network profile settings fail to process special 
characte ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50205 (System log files output unencrypted SMTP server authentication 
passwor ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-50076 (Deserialization of Untrusted Data in the Java replace-resolve 
path in  ...)
        NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-50033 (Local privilege escalation due to DLL hijacking vulnerability. 
The fol ...)
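Review bot: the new NOT-FOR-US line for CVE-2026-5228 reads "Kurt oftware Studio WriteUp Mobile App", which looks like a dropped letter; the CVE description on the line above starts "Kurt S ...", so "Kurt Software Studio" is presumably intended. Separately, CVE-2026-7764 describes an out-of-bounds read in a kernel module (morse.ko); before closing it as "Morse Micro HaLowLink 2 software" it is worth confirming the driver is out-of-tree and not carried by the Debian linux source package, since a NOT-FOR-US on a kernel module is the one entry in this hunk that cannot be judged from the product name alone.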
@@ -63,37 +63,37 @@ CVE-2026-50033 (Local privilege escalation due to DLL 
hijacking vulnerability. T
 CVE-2026-4881 (In affected versions of Octopus Server, permissions were not 
checked c ...)
        NOT-FOR-US: Octopus Deploy
 CVE-2026-4104 (Authorization bypass through User-Controlled SQL primary key 
vulnerabi ...)
-       TODO: check
+       NOT-FOR-US: TeknoPass
 CVE-2026-49771 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-49510 (Integer overflow or wraparound vulnerability in Samsung Open 
Source rl ...)
        TODO: check
 CVE-2026-49204 (Leftover debug modules contain fixed credentials for internal 
AWS Cogn ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49203 (Crucial management API endpoints for cellular eSIM allocation 
do not v ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49202 (Internal multimedia session archives are accessible without 
authentica ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49194 (The debugging routineSCREEN_CLICK(5053)enables a connection to 
skip th ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49193 (Overly permissive configuration settings on cloud storage 
containers e ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49192 (The summary service endpoint suffers from an IDOR 
vulnerability where  ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49191 (The production build of the M3WebServer hard-codes its backend 
API key ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49190 (The system fails to evaluate instructional permissions over 
multiple i ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49189 (Unchecked public access permissions on a core Broadcast 
Receiver allow ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49188 (Theai_cmdutility executes with full root permissions. It pipes 
socket  ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49187 (The hard-coded APK resource files never expire, and the shared 
scepter ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49186 (The local MQTT broker does not enforce topic-level Access 
Control List ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49185 (The FieldX MDM adb messaging topic passes unverified payloads 
directly ...)
-       TODO: check
+       NOT-FOR-US: Acer
 CVE-2026-49077 (Exposure of Sensitive System Information to an Unauthorized 
Control Sp ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-48480 (The netty incubator codec.bhttp is a java language binary http 
parser. ...)
@@ -101,9 +101,9 @@ CVE-2026-48480 (The netty incubator codec.bhttp is a java 
language binary http p
 CVE-2026-48040 (The netty incubator codec.bhttp is a java language binary http 
parser. ...)
        TODO: check
 CVE-2026-47707 (Strawberry GraphQL is a library for creating GraphQL APIs. In 
versions ...)
-       TODO: check
+       NOT-FOR-US: Strawberry GraphQL
 CVE-2026-47706 (Strawberry GraphQL is a library for creating GraphQL APIs. In 
versions ...)
-       TODO: check
+       NOT-FOR-US: Strawberry GraphQL
 CVE-2026-47320 (Access of uninitialized pointer, Uncontrolled Recursion 
vulnerability  ...)
        TODO: check
 CVE-2026-47319 (Memory allocation with excessive size value vulnerability in 
Samsung O ...)
@@ -113,13 +113,13 @@ CVE-2026-47318 (Stack-based buffer overflow vulnerability 
in Samsung Open Source
 CVE-2026-47306 (Uncontrolled Recursion vulnerability in Samsung Open Source 
rlottie al ...)
        TODO: check
 CVE-2026-45739 (Strawberry GraphQL is a library for creating GraphQL APIs. In 
versions ...)
-       TODO: check
+       NOT-FOR-US: Strawberry GraphQL
 CVE-2026-45433 (This vulnerability exists in GX Earth 2022 ONT models due to 
the prese ...)
-       TODO: check
+       NOT-FOR-US: GX Earth 2022 ONT models
 CVE-2026-45432 (This vulnerability exists in GX Earth ONT models due to the 
transmissi ...)
-       TODO: check
+       NOT-FOR-US: GX Earth ONT models
 CVE-2026-45431 (This vulnerability exists in GX Earth ONT models due to 
improper handl ...)
-       TODO: check
+       NOT-FOR-US: GX Earth ONT models
 CVE-2026-45287 (OpenTelemetry-Go is the Go implementation of OpenTelemetry. 
Prior to v ...)
        TODO: check
 CVE-2026-44682 (Local privilege escalation due to DLL hijacking vulnerability. 
The fol ...)
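Review bot: the three GX Earth entries use two different product strings, "GX Earth 2022 ONT models" for CVE-2026-45433 and "GX Earth ONT models" for CVE-2026-45432 and CVE-2026-45431; since the NOT-FOR-US text is what later greps and the web view key on, one consistent string (the vendor name, or "GX Earth ONT models" for all three) would make the group easier to find.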
@@ -127,23 +127,23 @@ CVE-2026-44682 (Local privilege escalation due to DLL 
hijacking vulnerability. T
 CVE-2026-44609 (Local privilege escalation due to EXE hijacking vulnerability. 
The fol ...)
        NOT-FOR-US: Acronis
 CVE-2026-43986 (Tautulli is a Python based monitoring and tracking tool for 
Plex Media ...)
-       TODO: check
+       NOT-FOR-US: Tautulli
 CVE-2026-43985 (Tautulli is a Python based monitoring and tracking tool for 
Plex Media ...)
-       TODO: check
+       NOT-FOR-US: Tautulli
 CVE-2026-43984 (Tautulli is a Python based monitoring and tracking tool for 
Plex Media ...)
-       TODO: check
+       NOT-FOR-US: Tautulli
 CVE-2026-43926 (FOSSBilling is a free, open-source billing and client 
management syste ...)
-       TODO: check
+       NOT-FOR-US: FOSSBilling
 CVE-2026-43924 (FOSSBilling is a free, open-source billing and client 
management syste ...)
-       TODO: check
+       NOT-FOR-US: FOSSBilling
 CVE-2026-42061 (Local privilege escalation due to excessive permissions 
assigned to ch ...)
        NOT-FOR-US: Acronis
 CVE-2026-41860 (CWE-326 in BOSH allows a local attacker to steal Basic-auth 
credential ...)
-       TODO: check
+       NOT-FOR-US: BOSH
 CVE-2026-41859 (A network man-in-the-middle between nats-sync and the BOSH 
director ca ...)
-       TODO: check
+       NOT-FOR-US: BOSH
 CVE-2026-41858 (Weak Randomness / Insecure Cryptographic Primitive (CWE-338) 
in Get-Ra ...)
-       TODO: check
+       NOT-FOR-US: BOSH
 CVE-2026-41237 (Froxlor is open source server administration software. In 
version 2.3. ...)
        TODO: check
 CVE-2026-41236 (Froxlor is open source server administration software. Version 
2.3.6 c ...)
@@ -157,7 +157,7 @@ CVE-2026-41207 (The netty incubator codec.bhttp is a java 
language binary http p
 CVE-2026-41178 (OpenTelemetry-Go is the Go implementation of OpenTelemetry. 
Versions 1 ...)
        TODO: check
 CVE-2026-41065 (Tautulli is a Python based monitoring and tracking tool for 
Plex Media ...)
-       TODO: check
+       NOT-FOR-US: Tautulli
 CVE-2026-41011 (PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" 
where tgz = ...)
        TODO: check
 CVE-2026-41010 (ReleaseJob#unpack builds job_dir = File.join(@release_dir, 
'jobs', nam ...)
@@ -437,7 +437,7 @@ CVE-2026-6657 (A vulnerability in jupyter-server versions 
1.12.0 through 2.17.0
 CVE-2026-5241 (A vulnerability in the LightGlue model loading path of 
huggingface/tra ...)
        NOT-FOR-US: huggingface/transformers
 CVE-2026-5078 (Impact: The morgan logging middleware's :remote-user token 
extracts th ...)
-       TODO: check
+       NOT-FOR-US: morgan logging middleware
 CVE-2026-4035 (A vulnerability in mlflow/mlflow versions prior to 3.11.0 
allows for t ...)
        NOT-FOR-US: mlflow
 CVE-2026-47325 (ProjectsAndPrograms school-management-systemuses predictable 
credentia ...)
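Review bot: CVE-2026-5078 is closed as "NOT-FOR-US: morgan logging middleware", but morgan is a Node.js module of the kind Debian does package as node-* source packages; please confirm there is no node-morgan source package (or reverse dependency embedding it) before leaving this as NOT-FOR-US, and if the check was done, naming the upstream as "morgan (Node.js)" would make that clearer than "logging middleware".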
@@ -478,7 +478,7 @@ CVE-2026-42317 (GLPI is a free asset and IT management 
software package. Startin
        - glpi <removed>
        NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-jf72-cvjh-px5w
 CVE-2026-41032 (It is possible for an unauthenticated adjacent attacker to 
download lo ...)
-       TODO: check
+       NOT-FOR-US: Phoenix Contact
 CVE-2026-40290 (OP-TEE is a Trusted Execution Environment (TEE) designed as 
companion  ...)
        - optee-os <unfixed>
        NOTE: 
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-332c-xr93-849m
@@ -8258,7 +8258,7 @@ CVE-2026-9497 (A flaw has been found in changmingxie 
tcc-transaction up to 2.1.0
 CVE-2026-9496 (Versions of the package pacote from 11.2.7 are vulnerable to 
Denial of ...)
        TODO: check
 CVE-2026-9495 (Versions of the package @koa/router from 14.0.0 and before 
15.0.0 are  ...)
-       TODO: check
+       NOT-FOR-US: koa/router
 CVE-2026-9486 (A security flaw has been discovered in SourceCodester Student 
Grades M ...)
        NOT-FOR-US: SourceCodester
 CVE-2026-9485 (A vulnerability was identified in SourceCodester Student Grades 
Manage ...)
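Review bot: the NOT-FOR-US line for CVE-2026-9495 gives the package as "koa/router" while the description on the line above names it "@koa/router"; keeping the npm scope prefix avoids the entry being mistaken for a plain "koa" package and matches how the upstream name appears elsewhere in the list.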
@@ -10128,7 +10128,7 @@ CVE-2026-47372 (Crypt::SaltedHash versions through 0.09 
for Perl generate insecu
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40252126/
        NOTE: Fixed by: 
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5
 (0.10)
 CVE-2026-9101 (Prototype pollution in csv parsing logic during import can lead 
to unt ...)
-       TODO: check
+       NOT-FOR-US: MongoDB Compass
 CVE-2026-9100 (The MongoDB C Driver's legacy GridFS API accepts malformed file 
metada ...)
        - mongo-c-driver 2.2.4-1 (bug #1137217)
        [trixie] - mongo-c-driver 1.30.4-1+deb13u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51f45e7d65f32baee247a6a78a8c71c7a57fa94a
