Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
78aab5b9 by Moritz Muehlenhoff at 2026-06-19T15:48:15+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -73,9 +73,9 @@ CVE-2026-54130 (Missing authentication for critical function 
in M365 Copilot all
 CVE-2026-54017 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
        NOT-FOR-US: Open WebUI
 CVE-2026-52866 (An attacker within BLE communication range can monopolize the 
device's ...)
-       TODO: check
+       NOT-FOR-US: Apollo Pharmacy
 CVE-2026-50034 (An attacker within BLE communication range can passively 
intercept  wi ...)
-       TODO: check
+       NOT-FOR-US: Apollo Pharmacy
 CVE-2026-4328 (The Advanced Import plugin for WordPress is vulnerable to 
Server-Side  ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-49454 (Relyra is a strict-by-default SAML 2.0 Service Provider 
library for El ...)
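Review bot: the two BLE entries (CVE-2026-52866 and CVE-2026-50034) are tagged with a vendor name only, and the truncated descriptions name no product, so a reader of the list cannot tell which device the entries cover. Where the CVE text identifies the device, put it in the label, in the way the neighbouring "NOT-FOR-US: Open WebUI" names the product itself; that makes it easier to match a related ID against these entries later.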
@@ -121,19 +121,19 @@ CVE-2026-43915 (Coturn is a free open source 
implementation of TURN and STUN Ser
        - coturn 4.12.0-1
        NOTE: 
https://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j
 CVE-2026-40624 (Improper input validation in AVer PTC500S, PTC115, PTC500+, 
and PTC115 ...)
-       TODO: check
+       NOT-FOR-US: AVer
 CVE-2026-32174 (Improper authentication in Azure Bot Service allows an 
authorized atta ...)
        NOT-FOR-US: Microsoft
 CVE-2026-2842
        REJECTED
 CVE-2026-25865 (Punto Switcher through 4.5.0.583 contains an unquoted search 
path elem ...)
-       TODO: check
+       NOT-FOR-US: Punto Switcher
 CVE-2026-22674 (Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, 
contains a  ...)
        NOT-FOR-US: Hashgraph Guardian
 CVE-2026-1856 (The Appointment Booking Calendar plugin for WordPress is 
vulnerable to ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-12644 (Versions of the package ts-deepmerge before 8.0.0 are 
vulnerable to Un ...)
-       TODO: check
+       NOT-FOR-US: Node ts-deepmerge
 CVE-2026-12430 (The Blocksy Companion plugin for WordPress is vulnerable to 
Stored Cro ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-12157 (The BetterDocs - Knowledge Base Docs & FAQ Solution for 
Elementor & Bl ...)
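Review bot: the ts-deepmerge entry (CVE-2026-12644) is the one NOT-FOR-US in this hunk that names a library rather than a standalone product or vendor, and that needs one more check than the others. npm modules are frequently vendored inside other projects' source trees, so the tag only holds if a search for embedded copies came back empty; if a copy turns up, this should become a package entry instead. The "Node " prefix is also inconsistent with entries elsewhere in the file that name the project directly, such as "NOT-FOR-US: LiquidJS".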
@@ -157,7 +157,7 @@ CVE-2026-11989 (The Bit integrations \u2013 Form 
Integration, Webhook, Spreadshe
 CVE-2026-11775 (The User Admin Simplifier plugin for WordPress is vulnerable 
to Cross- ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-11752 (A vulnerability has been identified in armeria-xds versions 
1.38.0 thr ...)
-       TODO: check
+       NOT-FOR-US: Armeria
 CVE-2026-10779 (The Classified Listing \u2013 Classified ads & Business 
Directory plug ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-10746
@@ -347,9 +347,9 @@ CVE-2026-28573 (In AndroidManifest.xml, there is a possible 
persistent denial of
 CVE-2026-22551 (In Eclipse Theia versions prior to 1.71.0, the AI chat 
rendered Markdo ...)
        NOT-FOR-US: Eclipse
 CVE-2026-12539 (Docker Sandboxes (sbx) blocks ICMP egress with an authorizer 
applied o ...)
-       TODO: check
+       NOT-FOR-US: Docker Sandboxes
 CVE-2026-12527 (A broken authorization boundary in the RTSP media delivery 
pipeline of ...)
-       TODO: check
+       NOT-FOR-US: Shenzhen Liandian Communication Technology
 CVE-2026-12475
        REJECTED
 CVE-2026-12390 (In AzeoTech DAQFactory versions 21.1 and prior, a Type 
Confusion vulne ...)
@@ -365,17 +365,17 @@ CVE-2026-12102 (The UsersWP \u2013 Front-end login form, 
User Registration, User
 CVE-2026-12098 (The PowerPress Podcasting plugin by Blubrry plugin for 
WordPress is vu ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-12039 (Docker Sandboxes (sbx) enforces an HTTP/S-only egress 
allowlist but do ...)
-       TODO: check
+       NOT-FOR-US: Docker Sandboxes
 CVE-2026-11982 (Grav 2.0.0-rc.9 with Admin2 2.0.0-rc.14 contains a stored 
cross-site s ...)
-       TODO: check
+       NOT-FOR-US: Grav CMS
 CVE-2026-11958 (Local privilege escalation by loading DLLs from a shared 
temporary dir ...)
-       TODO: check
+       NOT-FOR-US: DFIR-ORC
 CVE-2026-11719 (An authenticated authorization bypass vulnerability exists in 
MCP Tool ...)
-       TODO: check
+       NOT-FOR-US: mcp-toolbox
 CVE-2026-11718 (An authentication bypass vulnerability exists in the generic 
opaque to ...)
-       TODO: check
+       NOT-FOR-US: mcp-toolbox
 CVE-2026-11717 (An authentication bypass vulnerability exists in the generic 
opaque to ...)
-       TODO: check
+       NOT-FOR-US: mcp-toolbox
 CVE-2026-11395 (The CF7 to Webhook plugin for WordPress is vulnerable to 
Server-Side R ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-10687
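Review bot: CVE-2026-11718 and CVE-2026-11717 show the same truncated description ("An authentication bypass vulnerability exists in the generic opaque to ...") and, together with CVE-2026-11719, all receive "NOT-FOR-US: mcp-toolbox", while the only product name visible in this hunk is the cut-off "MCP Tool ..." on CVE-2026-11719. Worth confirming from the full CVE text that all three IDs refer to the same project before giving them one label, and spelling the label the way the descriptions do so a text search on the product name finds all three.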
@@ -494,7 +494,7 @@ CVE-2026-48988 (markdown-it is a Markdown parser. Versions 
14.1.1 and below cont
        NOTE: 
https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
        NOTE: 
https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5
 (14.2.0)
 CVE-2026-48979 (PHP Standard Library (PSL) is set of APIs covering async, 
collections, ...)
-       TODO: check
+       NOT-FOR-US: PHP Standard Library (PSL)
 CVE-2026-48823 (Shaarli is a personal bookmarking service. Versions 0.16.1 and 
prior c ...)
        - shaarli <unfixed> (bug #1140347)
        NOTE: 
https://github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6
@@ -530,7 +530,7 @@ CVE-2026-44645 (LiquidJS is a Shopify/GitHub Pages 
compatible template engine wr
 CVE-2026-44644 (LiquidJS is a Shopify/GitHub Pages compatible template engine 
written  ...)
        NOT-FOR-US: LiquidJS
 CVE-2026-32682 (When NGINX Gateway Fabric is configured using GRPCRoutes, an 
authentic ...)
-       TODO: check
+       NOT-FOR-US: NGINX Gateway Fabric
 CVE-2026-12569 (A critical remote code execution (RCE) vulnerability has been 
reported ...)
        NOT-FOR-US: PTC WindChill
 CVE-2026-12568 (The postman_download module uses the workspace name field from 
the Pos ...)
@@ -562,7 +562,7 @@ CVE-2026-11777 (The Form Maker by 10Web \u2013 
Mobile-Friendly Drag & Drop Conta
 CVE-2026-11776 (The Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop 
Contact For ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-11407 (Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass 
vulnerability ...)
-       TODO: check
+       NOT-FOR-US: Pimcore
 CVE-2026-11402 (The Services Section Block \u2013 Showcase Service Details in 
Grid or  ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-11360 (The Advanced Order Export For WooCommerce plugin for WordPress 
is vuln ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78aab5b9aa3e2c7f325e17b3d19a0426f334e475
