Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
7661eea8 by Moritz Muehlenhoff at 2026-06-12T11:43:03+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -115,7 +115,7 @@ CVE-2026-42653 (Improper Neutralization of Input During Web
Page Generation ('Cr
CVE-2026-42647 (Improper Neutralization of Special Elements used in an SQL
Command ('S ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-41005 (Cloud Foundry UAA incorrectly treated XML encryption to the
Service Pr ...)
- TODO: check
+ NOT-FOR-US: VMware
CVE-2026-39494 (Improper Neutralization of Special Elements used in an SQL
Command ('S ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-20746 (Virtual attribute handling in Ping Identity PingDirectory in
affected ...)
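Review bot: On CVE-2026-41005 the new tag names a vendor, `NOT-FOR-US: VMware`, while the description identifies the product as Cloud Foundry UAA; the other NOT-FOR-US tags added in this commit use the product name from the description. `NOT-FOR-US: Cloud Foundry UAA` would keep the entry findable by a search for the product.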
@@ -454,9 +454,9 @@ CVE-2026-46695 (Boxlite is a sandbox service that allows
users to create lightwe
CVE-2026-46689 (Kanidm is an identity management platform. Prior to version
1.9.3, a s ...)
NOT-FOR-US: Kanidm
CVE-2026-46683 (Snappy is a PHP library allowing thumbnail, snapshot or PDF
generation ...)
- TODO: check
+ NOT-FOR-US: Snappy PHP (different from src:snappy)
CVE-2026-46679 (libp2p is a JavaScript Implementation of libp2p networking
stack. Prio ...)
- TODO: check
+ NOT-FOR-US: Node libp2p
CVE-2026-46673 (Russh is a Rust SSH client & server library. Prior to version
0.60.3, ...)
- rust-russh <unfixed> (bug #1139726)
NOTE:
https://github.com/Eugeny/russh/security/advisories/GHSA-g9f8-wqj9-fjw5
@@ -465,17 +465,17 @@ CVE-2026-46669 (OpenVM is a performant and modular zkVM
framework built for cust
CVE-2026-46668 (SpiceDB is an open source database system for creating and
managing se ...)
NOT-FOR-US: SpiceDB
CVE-2026-46654 (Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to
versions 0. ...)
- TODO: check
+ NOT-FOR-US: Plonky3
CVE-2026-46645 (SQLAdmin is a flexible Admin interface for SQLAlchemy models.
Prior to ...)
- TODO: check
+ NOT-FOR-US: SQLAdmin
CVE-2026-46643 (Snappy is a PHP library allowing thumbnail, snapshot or PDF
generation ...)
- TODO: check
+ NOT-FOR-US: Snappy PHP (different from src:snappy)
CVE-2026-46625 (JavaScript Cookie is a JavaScript API for handling cookies,
client-sid ...)
TODO: check
CVE-2026-46519 (mcp-server-kubernetes is a Model Context Protocol server for
Kubernete ...)
NOT-FOR-US: mcp-server-kubernetes
CVE-2026-45783 (libp2p is a JavaScript Implementation of libp2p networking
stack. Prio ...)
- TODO: check
+ NOT-FOR-US: Node libp2p
CVE-2026-45384 (bit7z is a cross-platform C++ static library that allows the
compressi ...)
TODO: check
CVE-2026-45380 (bit7z is a cross-platform C++ static library that allows the
compressi ...)
@@ -487,11 +487,11 @@ CVE-2026-45177 (Idira Secrets Manager SaaS Edge versions
prior to 1.8 exhibit im
CVE-2026-45176 (Idira Endpoint Privilege Manager Agent versions prior to 26.5
exhibit ...)
NOT-FOR-US: Palo Alto Networks
CVE-2026-45106 (Weblate is a web based localization tool. Prior to version
2026.5, Web ...)
- TODO: check
+ - weblate <itp> (bug #745661)
CVE-2026-44705 (tmp is a temporary file and directory creator for node.js.
Prior to 0. ...)
TODO: check
CVE-2026-44693 (Pi-hole FTL is the core engine of the Pi-hole network-level
advertisem ...)
- TODO: check
+ NOT-FOR-US: Pi-hole FTL
CVE-2026-44692 (Sharp is a content management framework built for Laravel as a
package ...)
TODO: check
CVE-2026-44496 (Axios is a promise based HTTP client for the browser and
Node.js. Axio ...)
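Review bot: The CVE-2026-45106 line `- weblate <itp> (bug #745661)` is an ITP triage, not an NFU, so the commit subject "NFUs" does not describe it (the keycloak `<itp>` and keras `<removed>` lines later in the diff are in the same position). A subject such as "NFUs, itp and removed entries", or a separate commit for the package-level entries, would make these decisions easier to find in the history.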
@@ -513,13 +513,13 @@ CVE-2026-44487 (Axios is a promise based HTTP client for
the browser and Node.js
CVE-2026-44486 (Axios is a promise based HTTP client for the browser and
Node.js. Prio ...)
TODO: check
CVE-2026-42568 (Yamcs is a mission control framework. Prior to versions 5.13.0
and 5.1 ...)
- TODO: check
+ NOT-FOR-US: Yamcs
CVE-2026-42558 (Xibo is an open source digital signage platform with a web
content man ...)
- TODO: check
+ NOT-FOR-US: Xibo
CVE-2026-42542 (TDengine is an open source, time-series database optimized for
Interne ...)
TODO: check
CVE-2026-42462 (Fedify is a TypeScript library for building federated server
apps powe ...)
- TODO: check
+ NOT-FOR-US: Fedify
CVE-2026-41856 (The Spring GraphQL annotation detection mechanism for
@Controller data ...)
TODO: check
CVE-2026-41700 (Spring for GraphQL applications that have enabled the
WebSocket transp ...)
@@ -565,9 +565,9 @@ CVE-2026-2827 (The Open User Map PRO plugin for WordPress
is vulnerable to Store
CVE-2026-1500 (GitLab has remediated an issue in GitLab CE/EE affecting all
versions ...)
NOT-FOR-US: GitLab (used to be packaged in the Debian archive as
src:gitlab, but never in a stable release)
CVE-2026-11986 (A flaw was found in the admin-ui-ext component of Keycloak,
which prov ...)
- TODO: check
+ - keycloak <itp> (bug #1088287)
CVE-2026-11956 (A vulnerability was determined in TwiN gatus 5.36.0. Impacted
is the f ...)
- TODO: check
+ NOT-FOR-US: TwiN gatus
CVE-2026-11945 (PostgreSQL Anonymizer contains a vulnerability that allows a
user to g ...)
TODO: check
CVE-2026-11850 (An integer underflow vulnerability was found in MIT krb5 in
the berval ...)
@@ -575,7 +575,7 @@ CVE-2026-11850 (An integer underflow vulnerability was
found in MIT krb5 in the
CVE-2026-11839 (Unrestricted upload of file with dangerous type vulnerability
in Ba\u0 ...)
TODO: check
CVE-2026-11816 (Keras versions prior to 3.14.0 are vulnerable to a path
traversal issu ...)
- TODO: check
+ - keras <removed>
CVE-2026-11774 (An integer overflow flaw was found in the SASL I/O layer of
389 Direct ...)
TODO: check
CVE-2026-11604 (An incorrect buffer size calculation in the epoch key
generator in Ope ...)
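Review bot: On CVE-2026-11816 the entry `- keras <removed>` carries no NOTE, although the description states the affected range (versions prior to 3.14.0) and the rust-russh entry earlier in this file shows the pattern of a NOTE line pointing at the upstream advisory. Adding a NOTE with the upstream reference would let anyone assessing a suite that still ships keras check the affected range without redoing the research.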
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7661eea8e3a7b459454aa1165670f3b8bfa728ad