Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eed94180 by Salvatore Bonaccorso at 2026-06-18T07:22:19+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13,7 +13,7 @@ CVE-2026-9675 (Impact: The undici WebSocket client enforces 
maxPayloadSize per-f
        - node-undici <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq
 CVE-2026-9591 (Cross-site request forgery (CSRF) in NewsItemApiController in 
SimplCom ...)
-       TODO: check
+       NOT-FOR-US: SimplCommerce
 CVE-2026-9570 (The Taskbuilder  WordPress plugin before 5.0.8 does not 
properly sanit ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-8607 (The Points Management System For Gamification, Ranks, Badges, 
and Loya ...)
@@ -39,13 +39,13 @@ CVE-2026-5667 (Use of Hard-coded Credentials vulnerability 
in Mitsubishi Electri
 CVE-2026-55743 (The shell tool command allowlist in the SecurityPolicy of 
OpenHuman de ...)
        TODO: check
 CVE-2026-55738 (A stack-based buffer overflow exists in the raw_to_header() 
function i ...)
-       TODO: check
+       NOT-FOR-US: microtar
 CVE-2026-55198 (Hermes WebUI before 0.51.443 contains an authorization bypass 
vulnerab ...)
-       TODO: check
+       NOT-FOR-US: Hermes WebUI
 CVE-2026-55197 (Hermes WebUI before 0.51.443 contains a broken access control 
vulnerab ...)
-       TODO: check
+       NOT-FOR-US: Hermes WebUI
 CVE-2026-55196 (Hermes WebUI before 0.51.409 contains an authentication bypass 
vulnera ...)
-       TODO: check
+       NOT-FOR-US: Hermes WebUI
 CVE-2026-54819 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-54818 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
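Review bot: the NOT-FOR-US closure of CVE-2026-55738 (microtar) should be confirmed against embedded copies before it is left as final; microtar is a single-file library that other projects vendor, so a source search of the archive (for example for the raw_to_header() function named in the description) would show whether any Debian source package ships the affected code, in which case a source package entry rather than NOT-FOR-US is wanted. The three Hermes WebUI entries use one consistent tag, which is good.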
@@ -83,9 +83,9 @@ CVE-2026-54803 (Subscriber Privilege Escalation in SMS Alert 
Order Notifications
 CVE-2026-54802 (Unauthenticated Broken Authentication in SMS Alert Order 
Notifications ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-54417 (An integer overflow in the mtar_next() function in 
src/microtar.c in r ...)
-       TODO: check
+       NOT-FOR-US: microtar
 CVE-2026-54415 (Missing Authorization in the server management routes 
(routes/admin.ph ...)
-       TODO: check
+       NOT-FOR-US: Azuriom Azuriom CMS
 CVE-2026-54196 (Subscriber Privilege Escalation in JetFormBuilder <= 3.6.1 
versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-54195 (Unauthenticated Cross Site Scripting (XSS) in JetFormBuilder 
<= 3.6.0. ...)
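Review bot: the tag for CVE-2026-54415 duplicates the vendor name ("NOT-FOR-US: Azuriom Azuriom CMS"); the other entries in this commit use a single product identifier, so "NOT-FOR-US: Azuriom CMS" would be consistent and easier to grep for. The microtar tag on CVE-2026-54417 matches the one used for CVE-2026-55738, and the same vendored-copy question applies to it, since the description points at src/microtar.c.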
@@ -107,19 +107,19 @@ CVE-2026-54185 (Subscriber SQL Injection in Cornerstone < 
7.8.8 versions.)
 CVE-2026-54184 (Unauthenticated Insecure Direct Object References (IDOR) in 
Clean Logi ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-53875 (picklescan before 1.0.3 contains a scanning bypass 
vulnerability in th ...)
-       TODO: check
+       NOT-FOR-US: picklescan
 CVE-2026-53874 (picklescan before 1.0.1 contains an unsafe deserialization 
vulnerabili ...)
-       TODO: check
+       NOT-FOR-US: picklescan
 CVE-2026-53873 (picklescan before 1.0.4 contains an incomplete blocklist for 
the profi ...)
-       TODO: check
+       NOT-FOR-US: picklescan
 CVE-2026-53872 (picklescan before 0.0.35 contains an unsafe pickle 
deserialization vul ...)
-       TODO: check
+       NOT-FOR-US: picklescan
 CVE-2026-53871 (Hermes WebUI before 0.51.368 contains an authorization bypass 
vulnerab ...)
-       TODO: check
+       NOT-FOR-US: Hermes WebUI
 CVE-2026-53870 (Hermes Agent before 0.16.0 creates response_store.db and 
webhook_subsc ...)
-       TODO: check
+       NOT-FOR-US: Hermes Agent
 CVE-2026-53869 (Hermes Agent before 0.16.0 contains a DNS rebinding 
vulnerability in W ...)
-       TODO: check
+       NOT-FOR-US: Hermes Agent
 CVE-2026-53805 (NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an 
unauthentica ...)
        TODO: check
 CVE-2026-52716 (Unauthenticated Arbitrary File Deletion in WorkScout-Core <= 
1.7.11 ve ...)
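Review bot: CVE-2026-53805 (NVIDIA GEN3C) is the only entry in this hunk still at "TODO: check" after the surrounding picklescan and Hermes entries were triaged; if it is being held back deliberately (for instance pending a package lookup), a short NOTE line explaining why would save the next reviewer repeating the check, and if not, it could be triaged in the same pass.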
@@ -1542,7 +1542,7 @@ CVE-2026-8442 (The WP Review Slider Pro plugin for 
WordPress is vulnerable to Ar
 CVE-2026-8176 (The LatePoint \u2013 Calendar Booking Plugin for Appointments 
and Even ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-5416 (Due to the improper neutralization of special elements used in 
a name  ...)
-       TODO: check
+       NOT-FOR-US: TURCK
 CVE-2026-54198 (Unauthenticated Cross Site Scripting (XSS) in Media LIbrary 
Assistant  ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-54197 (Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 
versions.)
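Review bot: the rationale "NOT-FOR-US: TURCK" for CVE-2026-5416 cannot be matched to the visible description, which is truncated before any product or vendor name appears; naming the affected product as the other entries do (e.g. "Hermes WebUI", "OpenClaw") would make the triage verifiable from the list alone. Separately, the context line for CVE-2026-8176 carries a literal "\u2013" escape where an en dash belongs; that is pre-existing, but the description text deserves a follow-up cleanup.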
@@ -1610,7 +1610,7 @@ CVE-2026-53841 (OpenClaw before 2026.5.12 contains a 
cross-site scripting vulner
 CVE-2026-53840 (OpenClaw before 2026.5.12 contains an information disclosure 
vulnerabi ...)
        NOT-FOR-US: OpenClaw
 CVE-2026-53776 (Perry before 0.5.1166 contains a JWT validation vulnerability 
that all ...)
-       TODO: check
+       NOT-FOR-US: Perry
 CVE-2026-52715 (Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 
versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-52714 (Unauthenticated Broken Access Control in SEO Plugin by 
Squirrly SEO <= ...)
@@ -2098,59 +2098,59 @@ CVE-2026-52692 (Unauthenticated Sensitive Data Exposure 
in Affiliates Manager <=
 CVE-2026-50892 (Incorrect access control in the "Let's Encrypt" certificate 
download e ...)
        TODO: check
 CVE-2026-50891 (Incorrect access control in the /admin/api/config component of 
Filesta ...)
-       TODO: check
+       NOT-FOR-US: Filestash
 CVE-2026-50890 (Bernd Bestel grocy v4.6.0 was discovered to contain a SQL 
injection vu ...)
        - grocy <itp> (bug #969056)
 CVE-2026-50889 (An input handling flaw in the HTTP refresh token process of 
LLDAP v0.6 ...)
        TODO: check
 CVE-2026-50888 (An authenticated Server-Side Request Forgery (SSRF) in the 
custom scra ...)
-       TODO: check
+       NOT-FOR-US: Benjamin Jonard Koillection
 CVE-2026-50887 (A Server-Side Request Forgery (SSRF) in the automatic short 
URL title  ...)
-       TODO: check
+       NOT-FOR-US: shlink
 CVE-2026-50886 (Incorrect access control in the webhook management component 
of Projec ...)
-       TODO: check
+       NOT-FOR-US: Firefly
 CVE-2026-50885 (Incorrect access control in the share-based read endpoints of 
Sismics  ...)
-       TODO: check
+       NOT-FOR-US: Sismics Docs (Teedy)
 CVE-2026-50884 (Incorrect access control in statping-ng v0.93.0 allows 
attackers to es ...)
-       TODO: check
+       NOT-FOR-US: statping-ng
 CVE-2026-50883 (An HTML injection vulnerability in the /src/highlight.rs 
component of  ...)
-       TODO: check
+       NOT-FOR-US: matze wastebin
 CVE-2026-50882 (An issue in the /api/v0/pastes endpoint of anna-is-cute paste 
v0.1.1 a ...)
-       TODO: check
+       NOT-FOR-US: anna-is-cute paste
 CVE-2026-50881 (Incorrect access control in the impworks Bonsai v6.0 allows 
authentica ...)
-       TODO: check
+       NOT-FOR-US: impworks Bonsai
 CVE-2026-50880 (An issue in the sendmail transport integration component of 
YouTransfe ...)
-       TODO: check
+       NOT-FOR-US: YouTransfer
 CVE-2026-50879 (An issue in the uploadPostHandler component of Andrei Marcu 
linx-serve ...)
-       TODO: check
+       NOT-FOR-US: Andrei Marcu linx-server
 CVE-2026-50878 (An issue in the attachment handling component of Feuerhamster 
MailForm ...)
-       TODO: check
+       NOT-FOR-US: Feuerhamster MailForm
 CVE-2026-50877 (An issue in Zhoros SuperBin v1.0.0 allows attackers to execute 
a direc ...)
-       TODO: check
+       NOT-FOR-US: Zhoros SuperBin
 CVE-2026-50876 (A cross-site scripting (XSS) vulnerability in Deck9 Input 
v2.0.1 allow ...)
-       TODO: check
+       NOT-FOR-US: Deck9 Input
 CVE-2026-50875 (Incorrect access control in the /{form}/webhooks/{webhook} 
endpoint of ...)
-       TODO: check
+       NOT-FOR-US: Deck9 Input
 CVE-2026-50874 (An OS command injection vulnerability in the 
/manage/features/media co ...)
-       TODO: check
+       NOT-FOR-US: kanishka-linux Reminiscence
 CVE-2026-50873 (An arbitrary file upload vulnerability in the attachment 
handling comp ...)
-       TODO: check
+       NOT-FOR-US: flatnotes
 CVE-2026-50872 (An issue in the loopback request handling component of fossar 
selfoss  ...)
-       TODO: check
+       NOT-FOR-US: fossar selfoss
 CVE-2026-50871 (An OS command injection vulnerability in the media archiving 
and expor ...)
-       TODO: check
+       NOT-FOR-US: kanishka-linux Reminiscence
 CVE-2026-50870 (An information disclosure vulnerability in the configuration 
endpoint  ...)
-       TODO: check
+       NOT-FOR-US: Ben Busby whoogle-search
 CVE-2026-50869 (An issue in the api/plugin.php component of Bludit v3.19.0 
allows atta ...)
-       TODO: check
+       NOT-FOR-US: Bludit
 CVE-2026-50255 (Incorrect default permissions issue exists in Optical Disc 
Archive Sof ...)
-       TODO: check
+       NOT-FOR-US: Optical Disc Archive Software for Windows
 CVE-2026-49954 (Discuz! X5.0 releases 20260320 through 20260610 contain a 
local file i ...)
-       TODO: check
+       NOT-FOR-US: Discuz!
 CVE-2026-49953 (Discuz! X5.0 releases 20260320 through 20260610 contains a 
CAPTCHA byp ...)
-       TODO: check
+       NOT-FOR-US: Discuz!
 CVE-2026-49952 (Discuz! X5.0 releases 20260320 through 20260501 contains an 
authentica ...)
-       TODO: check
+       NOT-FOR-US: Discuz!
 CVE-2026-49781 (Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 
versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-49780 (Customer Privilege Escalation in Dokan <= 5.0.2 versions.)
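Review bot: the NOT-FOR-US identifiers in this hunk mix author-prefixed names ("matze wastebin", "Ben Busby whoogle-search", "Andrei Marcu linx-server", "kanishka-linux Reminiscence", "Benjamin Jonard Koillection") with bare project names ("shlink", "flatnotes", "Bludit", "Firefly"); settling on one convention, preferably the upstream project name alone, keeps lookups in the tracker file predictable. "Firefly" for CVE-2026-50886 is also ambiguous by itself, and the description is cut off at "Projec ...", so the full project name would help whoever next reads this entry. CVE-2026-50892 and CVE-2026-50889 (LLDAP) stay at "TODO: check", which is fine as long as they remain on the triage queue.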
@@ -2761,7 +2761,7 @@ CVE-2026-52704 (Improper Control of Generation of Code 
('Code Injection') vulner
 CVE-2026-50100 (Multiple printer drivers provided by Ricoh Company, Ltd. and 
KONICA MI ...)
        NOT-FOR-US: Ricoh
 CVE-2026-49757 (Authentication Bypass by Spoofing vulnerability in 
team-alembic AshAut ...)
-       TODO: check
+       NOT-FOR-US: team-alembic AshAuthentication
 CVE-2026-49294 (Valhalla is an open source routing engine and accompanying 
libraries f ...)
        TODO: check
 CVE-2026-49111 (Incorrect Privilege Assignment vulnerability in ThemeGrill 
Masteriyo - ...)
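Review bot: CVE-2026-49294 (Valhalla) is left at "TODO: check"; the description calls it "an open source routing engine and accompanying libraries", so the lookup should cover the accompanying libraries as well as the engine, and if any of them is packaged separately the outcome would be a source package entry rather than NOT-FOR-US. The AshAuthentication tag on CVE-2026-49757 uses the author-prefixed form ("team-alembic AshAuthentication"); it should follow whichever naming convention is chosen for the rest of this commit.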



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed94180a2581eb1dc7b65856272606ddaaa7e82



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
