Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
16f7f0f7 by Salvatore Bonaccorso at 2026-06-19T22:24:07+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -45,9 +45,9 @@ CVE-2026-51843 (Tenda AC7 v15.03.06.44 contains a stack 
buffer overflow vulnerab
 CVE-2026-50242 (In JetBrains Hub before 2026.1.13757, 2025.3.148033, 
2025.2.148048, 20 ...)
        NOT-FOR-US: JetBrains
 CVE-2026-4027 (A security vulnerability has been identified in FlexNet Manager 
Suite  ...)
-       TODO: check
+       NOT-FOR-US: FlexNet Manager Suite
 CVE-2026-4026 (A security vulnerability has been identified in FlexNet Manager 
Suite  ...)
-       TODO: check
+       NOT-FOR-US: FlexNet Manager Suite
 CVE-2026-49872 (Improper Authentication vulnerability in Apache APISIX.  When 
the cas- ...)
        NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-49871 (Cross-Site Request Forgery (CSRF) vulnerability in the 
cas-auth plugin ...)
@@ -59,11 +59,11 @@ CVE-2026-49358 (PhpWeasyPrint is a PHP library allowing PDF 
generation from a UR
 CVE-2026-49357 (Line Desktop MCP is a project that, while unaffiliated with 
the offici ...)
        NOT-FOR-US: Line Desktop MCP
 CVE-2026-49339 (gonic is a music streaming server / free-software subsonic 
server API  ...)
-       TODO: check
+       NOT-FOR-US: gonic music streaming server
 CVE-2026-49336 (@microsoft/kiota-http-fetchlibrary provides TypeScript 
libraries for K ...)
        TODO: check
 CVE-2026-49293 (js-toml is a TOML parser for JavaScript, fully compliant with 
the TOML ...)
-       TODO: check
+       NOT-FOR-US: js-toml
 CVE-2026-49291 (mcp-memory-service is a semantic memory layer for AI 
applications. Pri ...)
        NOT-FOR-US: mcp-memory-service
 CVE-2026-49290 (Slopsmith is a self-contained web application for browsing, 
playing, a ...)
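Review bot: the NOT-FOR-US reasons for CVE-2026-49339 (gonic) and CVE-2026-49293 (js-toml) record only the upstream name, while the Apache entries in the preceding hunk use the more informative "not packaged in Debian" form; for js-toml in particular, which is a library rather than a standalone application, the reason should state that no Debian source package ships or embeds it, so the check behind the NFU is visible to the next person who hits the same CVE.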
@@ -134,13 +134,13 @@ CVE-2026-12619 (Improper Neutralization of Input During 
Web Page Generation (XSS
 CVE-2026-12238 (The WP Go Maps \u2013 Most Popular Map Plugin plugin for 
WordPress is  ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-12104 (OS command injection in the environment and tunnel 
configuration funct ...)
-       TODO: check
+       NOT-FOR-US: SIMA GmbH Bondix
 CVE-2026-11941 (Cloudflare Quiche was affected by 2 use-after-free 
vulnerabilities in  ...)
-       TODO: check
+       NOT-FOR-US: Cloudflare Quiche
 CVE-2026-11576 (The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo 
refacto ...)
        NOT-FOR-US: Eclipse
 CVE-2025-71326 (AVAST Antivirus 25.11 contains an unquoted service path 
vulnerability  ...)
-       TODO: check
+       NOT-FOR-US: AVAST Antivirus
 CVE-2025-62821 (Microsoft HEIF Image Extensions 1.2.22.0 has an out-of-bounds 
read bec ...)
        TODO: check
 CVE-2023-54357 (Joomla com_booking component 2.4.9 contains an information 
disclosure  ...)
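Review bot: for CVE-2026-11941 the reason "NOT-FOR-US: Cloudflare Quiche" marks a library, not an end product; since quiche is consumed by other software, it is worth confirming that no Debian source package vendors it before the TODO is closed, and recording that in the reason. Also, the reason for CVE-2026-12104, "SIMA GmbH Bondix", names a vendor that does not appear in the truncated description above it, so a reader of the list cannot verify the match from the entry alone; quoting the affected product as the description names it would help.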
@@ -1317,18 +1317,18 @@ CVE-2026-12151 (Impact: The undici WebSocket client 
enforces maxPayloadSize on t
 CVE-2026-12115 (The Counter Box \u2013 Add Countdowns, Timers & Dynamic 
Counters to Wo ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-11975 (Stored cross-site scripting (XSS) in NewsItemApiControllerIn 
SimplComm ...)
-       TODO: check
+       NOT-FOR-US: SimplCommerce
 CVE-2026-11858 (Quanos SCHEMA ST4 on-premises contains a local privilege 
escalation vu ...)
-       TODO: check
+       NOT-FOR-US: Quanos SCHEMA ST4 on-premises
 CVE-2026-11857 (Quanos SCHEMA ST4 on-premises contains a local privilege 
escalation vu ...)
-       TODO: check
+       NOT-FOR-US: Quanos SCHEMA ST4 on-premises
 CVE-2026-11525 (Impact: When undici parses a Set-Cookie header, it accepts any 
SameSit ...)
        - node-undici <unfixed> (bug #1140363)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m
 CVE-2026-11311 (When NGINX Plus is configured as the data plane for NGINX 
Gateway Fabr ...)
        TODO: check
 CVE-2026-10850 (Plane CE 1.3.1 allows a low-privileged project member to 
submit arbitr ...)
-       TODO: check
+       NOT-FOR-US: Plane
 CVE-2026-10839 (Open redirection vulnerability in the authentication system 
allows an  ...)
        TODO: check
 CVE-2026-10837 (Open redirection vulnerability due to insufficient validation 
of the X ...)
@@ -2266,7 +2266,7 @@ CVE-2026-11410 (An authenticated OS command injection 
vulnerability exists in th
 CVE-2026-11409 (An authenticated OS command injection vulnerability exists in 
the IPv6 ...)
        NOT-FOR-US: TPLink
 CVE-2026-10303 (In ServerCo getssl version 2.49 and prior, the ACME challenge 
token re ...)
-       TODO: check
+       NOT-FOR-US: ServerCo getssl
 CVE-2026-0165 (In several functions of the RTCP packet decoder, there is a 
possible o ...)
        NOT-FOR-US: Google devices
 CVE-2026-0164 (In Modem, there is a possible out of bounds write due to a 
missing bou ...)
@@ -2928,7 +2928,7 @@ CVE-2026-0646 (A denial-of-service security issue exists 
within the 1794-AENTR a
 CVE-2025-9912 (Nokia SR Linux is vulnerable to a local privilege escalation 
vulnerabi ...)
        NOT-FOR-US: Nokia
 CVE-2025-71261 (An attacker with network-level access between the SUSE 
Virtualization  ...)
-       TODO: check
+       NOT-FOR-US: Rancher
 CVE-2025-68045 (Unauthenticated Broken Access Control in WP Event SOlution <= 
4.1.12 v ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2025-14272 (A security issue wasidentifiedin Pavilion due to 
improperauthorization ...)
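Review bot: the description of CVE-2025-71261 names "SUSE Virtualization", but the new reason says "NOT-FOR-US: Rancher"; if Rancher is the actual upstream project, the reason should mention both names (e.g. "Rancher / SUSE Virtualization") so that a search of the list for either product finds the entry.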
@@ -3483,15 +3483,15 @@ CVE-2026-39435 (Unauthenticated Cross Site Scripting 
(XSS) in CformsII <= 15.1.3
 CVE-2026-39434 (Shop manager PHP Object Injection in CTX Feed <= 6.6.26 
versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-39197 (An issue in the /util/http/prelude.rs endpoint of Datadog, Inc 
Vector  ...)
-       TODO: check
+       NOT-FOR-US: Datadog, Inc Vector
 CVE-2026-39196 (Datadog, Inc Vector v0.54.0 was discovered to contain a SQL 
injection  ...)
-       TODO: check
+       NOT-FOR-US: Datadog, Inc Vector
 CVE-2026-39118 (An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows 
a local  ...)
-       TODO: check
+       NOT-FOR-US: Iru, Inc Kandji Agent
 CVE-2026-39007 (An issue in Observeinc's Observe v.2026-01-28 and before 
allows a remo ...)
-       TODO: check
+       NOT-FOR-US: Observeinc's Observe
 CVE-2026-39006 (An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to 
execute arb ...)
-       TODO: check
+       NOT-FOR-US: SNMP4J-Agent
 CVE-2026-38812 (RuoYi v4.8.2 is vulnerable to SQL Injection via the 
/tool/gen/createTa ...)
        NOT-FOR-US: RuoYi
 CVE-2026-38329 (Bludit CMS before version 3.18.4 allows Remote Code Execution 
(RCE) vi ...)
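Review bot: the NOT-FOR-US reasons in this hunk copy the CVE descriptions' vendor formatting verbatim ("Datadog, Inc Vector", "Iru, Inc Kandji Agent", "Observeinc's Observe"); the plain product names (Vector, Kandji Agent, Observe) read better and match the style used elsewhere in the file. Separately, CVE-2026-39006 is marked NFU as "SNMP4J-Agent", which is a Java library; please confirm that it is not shipped under a lib*-java source package before the TODO is dropped.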
@@ -3535,9 +3535,9 @@ CVE-2026-34891 (Unauthenticated Sensitive Data Exposure 
in IDPay Payment Gateway
 CVE-2026-34886 (Unauthenticated Broken Access Control in Simple Membership <= 
4.7.1 ve ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-30121 (remotion-dev remotion v4.0.409 was discovered to contain an 
arbitrary  ...)
-       TODO: check
+       NOT-FOR-US: remotion-dev remotion
 CVE-2026-30120 (remotion-dev remotion v4.0.409 was discovered to contain a 
remote code ...)
-       TODO: check
+       NOT-FOR-US: remotion-dev remotion
 CVE-2026-27407 (Editor Privilege Escalation in AI Engine <= 3.4.9 versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-27333 (Unauthenticated Deserialization of untrusted data in Paid 
Videochat Tu ...)
@@ -3575,7 +3575,7 @@ CVE-2025-68851 (Unauthenticated Cross Site Scripting 
(XSS) in Okay Toolkit <= 2.
 CVE-2025-68840 (Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO 
<= 1.1.2 ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2025-68713 (An issue was discovered in Rakuten Send Anywhere (File 
Transfer) for A ...)
-       TODO: check
+       NOT-FOR-US: Rakuten Send Anywhere (File Transfer) for Android 
(com.estmob.android.sendanywhere)
 CVE-2025-68049 (Subscriber Broken Access Control in bunny.net <= 2.3.6 
versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2025-60175 (Administrator Server Side Request Forgery (SSRF) in PopAd <= 
1.0.4 ver ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16f7f0f77cff004834c8ab696e669f8f0bd8d363



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
