Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
df82e5dd by security tracker role at 2026-06-26T07:13:15+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,189 @@
+CVE-2026-9222 (Setracker2 Android Companion App com.tgelec.setracker versions
3.1.5 a ...)
+ TODO: check
+CVE-2026-9221 (The Setracker2 Android Companion App (com.tgelec.setracker)
versions 3 ...)
+ TODO: check
+CVE-2026-9220 (Setracker2 Android Companion App com.tgelec.setracker versions
3.1.5 a ...)
+ TODO: check
+CVE-2026-9219 (Setracker2 Android Companion App com.tgelec.setracker versions
3.1.5 a ...)
+ TODO: check
+CVE-2026-8797 (An access control deficiency vulnerability exists in
ExpressUpdate Age ...)
+ TODO: check
+CVE-2026-8720 (wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message
when t ...)
+ TODO: check
+CVE-2026-8661 (Server-Side Cross-Site Scripting and Server-Side Request
Forgery vulne ...)
+ TODO: check
+CVE-2026-8380 (The Frontend File Manager Plugin WordPress plugin through 23.6
does no ...)
+ TODO: check
+CVE-2026-7532 (iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is
not defi ...)
+ TODO: check
+CVE-2026-7531 (Use-after-free in PQC hybrid key-share handling. This is an
incomplete ...)
+ TODO: check
+CVE-2026-7511 (PKCS7_verify signer confusion allows forged signatures, where
the sign ...)
+ TODO: check
+CVE-2026-6731 (X.509 name constraint bypass via the Subject Common Name when
treated ...)
+ TODO: check
+CVE-2026-6681 (The PKCS#7 decode path ignores the caller-supplied output
buffer size ...)
+ TODO: check
+CVE-2026-6679 (A heap buffer overflow could occur in the DTLS 1.3 ACK
serialization p ...)
+ TODO: check
+CVE-2026-6678 (Integer underflow in wc_PKCS7_DecryptOri when handling crafted
Other R ...)
+ TODO: check
+CVE-2026-6450 (A CRL critical extension bypass exists in ParseCRL_Extensions
where cr ...)
+ TODO: check
+CVE-2026-6412 (Certificate policy and RFC 8446 compliance concerns regarding
the cont ...)
+ TODO: check
+CVE-2026-6331 (HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a
zero-le ...)
+ TODO: check
+CVE-2026-6330 (The ML-KEM ARM64 NEON ciphertext comparison only compares half
of the ...)
+ TODO: check
+CVE-2026-6329 (PKCS#12 MAC verification uses an attacker-controlled comparison
length ...)
+ TODO: check
+CVE-2026-6325 (Out-of-bounds write in SetSuitesHashSigAlgo when processing an
oversiz ...)
+ TODO: check
+CVE-2026-6092 (When HAVE_ENCRYPT_THEN_MAC is configured, the implementation
could fal ...)
+ TODO: check
+CVE-2026-57522 (Bitwarden Server before 2026.5.0 contains a JSON injection
vulnerabili ...)
+ TODO: check
+CVE-2026-57521 (Bitwarden Server before 2026.5.0 contains a broken access
control vuln ...)
+ TODO: check
+CVE-2026-57520 (Bitwarden Server before 2026.5.0 contains a privilege
escalation vulne ...)
+ TODO: check
+CVE-2026-56445 (The qrscp application's C-STORE handler uses a specific
instance from ...)
+ TODO: check
+CVE-2026-55964 (Chain intermediate CA:TRUE without keyCertSign accepted as a
signing C ...)
+ TODO: check
+CVE-2026-55962 (TLS 1.3 post-handshake authentication (PHA) issue where a
server could ...)
+ TODO: check
+CVE-2026-55960 (Un-negotiated Raw Public Key (RFC 7250) accepted in place of
an X.509 ...)
+ TODO: check
+CVE-2026-55958 (Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript
buffer. In ...)
+ TODO: check
+CVE-2026-54479 (The WebSocket backend uses charging station identifiers to
uniquely as ...)
+ TODO: check
+CVE-2026-50745 (A missing sanitisation vulnerability exists with user input in
the sta ...)
+ TODO: check
+CVE-2026-50744 (A bypass to the admin\u2011only restriction of the
XML\u2011RPC API in ...)
+ TODO: check
+CVE-2026-50742 (A stored XSS vulnerabilities exists in the
`maintenance-acl-check.php` ...)
+ TODO: check
+CVE-2026-50741 (Bypass to the fix for CVE-2026-34916. Variants of such vectors
have be ...)
+ TODO: check
+CVE-2026-50740 (A missing sanitisation vulnerability of user input in the
zone-include ...)
+ TODO: check
+CVE-2026-50739 (A bypass for CVE\u20112026\u201134913 exists with proper
ownership val ...)
+ TODO: check
+CVE-2026-50176 (The WebSocket Application Programming Interface lacks
restrictions on ...)
+ TODO: check
+CVE-2026-46602 (The TIFF decoder does not set a limit on the size of tiles in
tiled im ...)
+ TODO: check
+CVE-2026-46601 (The webp decoder can panic when processing a VP8 chunk with
dimensions ...)
+ TODO: check
+CVE-2026-44622 (Charging station authentication identifiers are publicly
accessible vi ...)
+ TODO: check
+CVE-2026-43920 (FOSSBilling is a free, open-source billing and client
management syste ...)
+ TODO: check
+CVE-2026-40941 (Cacti is an open source performance and fault management
framework. Ve ...)
+ TODO: check
+CVE-2026-40702 (WebSocket endpoints lack proper authentication mechanisms,
enabling at ...)
+ TODO: check
+CVE-2026-40084 (Cacti is an open source performance and fault management
framework. Ve ...)
+ TODO: check
+CVE-2026-40083 (Cacti is an open source performance and fault management
framework. Ve ...)
+ TODO: check
+CVE-2026-40082 (Cacti is an open source performance and fault management
framework. Ve ...)
+ TODO: check
+CVE-2026-40080 (Cacti is an open source performance and fault management
framework. Ve ...)
+ TODO: check
+CVE-2026-38640 (A reachable unwrap in the __assert_fail function
(/assert/mod.rs) of r ...)
+ TODO: check
+CVE-2026-38637 (An issue in the pthread_rwlockattr_setpshared() function of
relibc com ...)
+ TODO: check
+CVE-2026-37454 (Insecure Permissions vulnerability in MSI NBFoundation Service
v.2.0.2 ...)
+ TODO: check
+CVE-2026-37453 (Insecure Permissions vulnerability in MSI NBFoundation Service
v.2.0.2 ...)
+ TODO: check
+CVE-2026-37452 (Insecure Permissions vulnerability in MSI NBFoundation Service
v.2.0.2 ...)
+ TODO: check
+CVE-2026-37149 (GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN
v1.0 wa ...)
+ TODO: check
+CVE-2026-2299 (The Mattermost Google Drive plugin before version 1.1.0 fails
to valid ...)
+ TODO: check
+CVE-2026-22879 (vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer
overflow ...)
+ TODO: check
+CVE-2026-13322 (A flaw was found in KubeVirt's downward metrics virtio-serial
server. ...)
+ TODO: check
+CVE-2026-13318 (A server-side request forgery (SSRF) flaw was found in
KubeVirt's virt ...)
+ TODO: check
+CVE-2026-13283 (Use after free in AdFilter in Google Chrome on Android prior
to 149.0. ...)
+ TODO: check
+CVE-2026-13282 (Use after free in Payments in Google Chrome on Android prior
to 149.0. ...)
+ TODO: check
+CVE-2026-13281 (Integer overflow in Mojo in Google Chrome prior to
149.0.7827.201 allo ...)
+ TODO: check
+CVE-2026-13226 (The Groundhogg \u2014 CRM, Newsletters, and Marketing
Automation plugi ...)
+ TODO: check
+CVE-2026-13218 (A flaw was found in KubeVirt's virt-handler network cache
handling. Th ...)
+ TODO: check
+CVE-2026-13083 (A flaw was found in the Pen Drive report generator.
Cluster-sourced da ...)
+ TODO: check
+CVE-2026-12993 (A flaw was found in Apicurio Registry. The
DocumentBuilderAccessor cor ...)
+ TODO: check
+CVE-2026-12992 (A flaw was found in Apicurio Registry. The WSDLReaderAccessor
creates ...)
+ TODO: check
+CVE-2026-12975 (A flaw was found in Apicurio Registry. The
ContentTypeUtil.isParsableX ...)
+ TODO: check
+CVE-2026-12473 (Two data sources (DICOMWebProxy and DICOMJSON) shipped in the
default ...)
+ TODO: check
+CVE-2026-12340 (Out-of-bounds heap read during SM2/SM3 certificate signature
verificat ...)
+ TODO: check
+CVE-2026-11800 (A flaw was found in Keycloak. This JWT algorithm confusion
vulnerabili ...)
+ TODO: check
+CVE-2026-11703 (Missing SNI/ALPN binding on stateful (session-ID) resumption,
which pr ...)
+ TODO: check
+CVE-2026-11310 (X.509 trust-chain bypass in the OpenSSL compatibility
certificate veri ...)
+ TODO: check
+CVE-2026-10835 (The SALESmanago & Leadoo WordPress plugin before 3.11.3 does
not prope ...)
+ TODO: check
+CVE-2026-10823 (The YMC Filter WordPress plugin before 3.11.3 does not
properly author ...)
+ TODO: check
+CVE-2026-10592 (Certificates with wildcard DNS SANs (e.g. *.example.com)
bypassed CA n ...)
+ TODO: check
+CVE-2026-10512 (The X25519 x86_64 assembly implementation fails to clear the
most sign ...)
+ TODO: check
+CVE-2026-10098 (OCSP CertID serial-number length-confusion in
wolfSSL_OCSP_resp_find_s ...)
+ TODO: check
+CVE-2026-10097 (ML-KEM-1024 x64 AVX2 implicit rejection failure in the
Fujisaki-Okamot ...)
+ TODO: check
+CVE-2025-71340 (picklescan through 0.0.26 fails to detect malicious pickle
files that ...)
+ TODO: check
+CVE-2025-71338 (Flowise contains a path traversal vulnerability in the
/api/v1/documen ...)
+ TODO: check
+CVE-2025-71336 (Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and
earlier) con ...)
+ TODO: check
+CVE-2025-71335 (Flowise before 3.0.10 (affected versions 3.0.7 and earlier)
fails to i ...)
+ TODO: check
+CVE-2025-71334 (Flowise before 3.0.6 (affected versions 2.2.8 and earlier)
contains an ...)
+ TODO: check
+CVE-2025-71333 (Flowise through 2.2.4 contains an unauthenticated arbitrary
file uploa ...)
+ TODO: check
+CVE-2025-71328 (Flowise before 3.0.10 contains an unverified password change
vulnerabi ...)
+ TODO: check
+CVE-2025-71327 (Flowise contains an authentication bypass vulnerability in the
unprote ...)
+ TODO: check
+CVE-2025-71324 (Flowise before 3.0.6 contains an arbitrary file read
vulnerability in ...)
+ TODO: check
+CVE-2025-60465 (A use-after-free in the gf_filter_pid_inst_swap function
(/filter_core ...)
+ TODO: check
+CVE-2025-60464 (A use-after-free in the gf_sei_load_from_state_internal
function (/fil ...)
+ TODO: check
+CVE-2025-10268 (The Printcart Web to Print Product Designer for WooCommerce
WordPress ...)
+ TODO: check
+CVE-2021-47987 (Parse Server before 4.10.0 was affected by a supply chain
incident in ...)
+ TODO: check
+CVE-2021-47986 (Parse Server before 4.10.0 contains a supply chain
vulnerability where ...)
+ TODO: check
+CVE-2020-37256 (Grav before 1.6.30 contains a cross-site scripting
vulnerability in th ...)
+ TODO: check
CVE-2026-48750
- incus 7.0.0-5
- lxd <removed>
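Review bot: the new `TODO: check` entries for CVE-2026-8720, CVE-2026-7532, CVE-2026-6678, CVE-2026-6450, CVE-2026-6325, CVE-2026-6092, CVE-2026-55958 and CVE-2026-10098 all name wolfSSL-style identifiers (wc_Blake2bHmacFinal, WOLFSSL_IP_ALT_NAME, wc_PKCS7_DecryptOri, ParseCRL_Extensions, SetSuitesHashSigAlgo, HAVE_ENCRYPT_THEN_MAC, Renesas TSIP, wolfSSL_OCSP_resp_find_s), so they are best resolved as one batch against the wolfssl source package rather than one at a time, and the neighbouring TLS/X.509/PKCS#7/ML-KEM entries in the same identifier ranges should be checked against the same package. Separately, CVE-2026-50741 is described as a bypass of the fix for CVE-2026-34916 and CVE-2026-50739 as a bypass for CVE-2026-34913, so their package assignment and NOTE lines should be carried over from those two existing entries when the TODO is resolved.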
@@ -461,46 +647,55 @@ CVE-2026-12844 (List::SomeUtils::XS versions before 0.59
for Perl have a heap bu
NOTE: https://www.openwall.com/lists/oss-security/2026/06/25/11
NOTE: Fixed by:
https://github.com/houseabsolute/List-SomeUtils-XS/commit/22549f78669b780d6aa338a2d2e49a3dedfffaa6
(v0.59)
CVE-2026-40211 (An attacker can send crafted DNS over HTTP/3 queries,
triggering an ex ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40211-denial-of-service-via-crafted-doh3-queries
CVE-2026-40210 (An out-of-bounds read might happen when SetMacAddrAction is
used, pote ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40210-out-of-bounds-read-in-setmacaddraction
CVE-2026-40209 (An attacker might be able to cause outgoing TCP connections to
backend ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40209-denial-of-service-via-ixfr-queries
CVE-2026-40208 (An attacker might be able to delay the processing of DoH3
queries by s ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40208-denial-of-service-via-doh3-queries
CVE-2026-42004 (An attacker can send a crafted EDNS OPT record that will be
ignored by ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-42004-edns-options-smuggling
CVE-2026-40011 (An attacker sending a large number of crafted DNS queries
might be abl ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40011-prometheus-denial-of-service-via-crafted-dns-queries
CVE-2026-52690 (Spoofing replies to Recursor might mark an IP of an
authoritative serv ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-52690-spoofed-answers-can-mark-an-authoritative-non-edns-capable
CVE-2026-42387 (A malicious authoritative server can send a crafted zone via
the ZoneT ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42387-insufficient-input-validation-in-zonetocache
CVE-2026-42388 (Incomplete validation of the SOA record present in a catalog
zone migh ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
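Review bot: each of the six dnsdist entries that gains `{DSA-6367-1}` in this hunk still records `- dnsdist <unfixed>` for unstable; if the fixed upload has also reached unstable the version should be filled in here, otherwise the tracker keeps listing these CVEs as open in sid alongside a released DSA. Style: the bookworm and bullseye lines mix `(See #1119290)` and `(see #1119290)`, which could be made consistent while this block is being touched.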
@@ -512,11 +707,13 @@ CVE-2026-42389 (This fix provides extra hardening for the
5.4.x branch by doing
[bullseye] - pdns-recursor <not-affected> (Vulnerable code not present,
only affects 5.4.x)
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42389-reject-more-queries-with-invalid-header-values
CVE-2026-42390 (An invalid zone might pass ZONEMD validation while it should
not. This ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42390-zonemd-validation-can-be-bypassed
CVE-2026-42005 (An attacker can send a web request that causes unlimited
memory alloc ...)
+ {DSA-6369-1 DSA-6368-1 DSA-6367-1}
- pdns-recursor 5.3.0-1
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
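Review bot: CVE-2026-42005 now references three advisories (`{DSA-6369-1 DSA-6368-1 DSA-6367-1}`) but the hunk only shows the `- pdns-recursor 5.3.0-1` line; the dnsdist entry and whichever package DSA-6368-1 covers fall outside the shown context, so confirm those lines carry a matching fixed version or `<unfixed>` state. The adjacent CVE-2026-42389 context marks bullseye `<not-affected>` as 5.4.x-only while the other recursor entries in this block use `<end-of-life>`; that difference looks intentional but deserves a NOTE so it is not "corrected" later.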
@@ -532,11 +729,13 @@ CVE-2026-42005 (An attacker can send a web request that
causes unlimited memory
NOTE:
https://github.com/PowerDNS/pdns/commit/11e4f2da8259e5070e7a193f48d23ade38b71dc0
NOTE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-42005-insufficient-input-validation-of-internal-web-server
CVE-2026-40012 (ECS zero scoped answers are stored in the packet cache while
they shou ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-40012-information-about-ecs-zero-scoped-answers-might-leak-to-clients-that-use-a-specific-ecs
CVE-2026-33612 (A malicious authoritative server can send a crafted zone via
the ZoneT ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
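Review bot: CVE-2026-33612 and CVE-2026-42387 (in the earlier hunk) share the same truncated description ("A malicious authoritative server can send a crafted zone via the ZoneT ...") and now the same `{DSA-6369-1}` / `<unfixed>` / `<end-of-life>` state; the hunk ends before any NOTE for CVE-2026-33612, and the only NOTE URL shown here belongs to CVE-2026-40012, so a NOTE pointing at the advisory section specific to CVE-2026-33612 would keep the two from being treated as duplicates.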
@@ -1644,7 +1843,7 @@ CVE-2025-60467 (A use-after-free in the
gf_filter_pid_inst_swap_delete_task func
TODO: check
CVE-2025-60466 (A use-after-free in the gf_filter_pid_get_packet function
(/filter_cor ...)
TODO: check
-CVE-2026-13201 (A flaw was found in KubeVirt's safepath package. The
OpenAtNoFollow fu ...)
+CVE-2026-13201 (A flaw was found in KubeVirt's safepath package used by
virt-handler. ...)
NOT-FOR-US: KubeVirt
CVE-2026-13208 (A flaw was found in KubeVirt's virt-handler domain notify
server. The ...)
NOT-FOR-US: KubeVirt
@@ -3191,7 +3390,7 @@ CVE-2026-11997 (The Bulk SEO Image plugin for WordPress
is vulnerable to Cross-S
NOT-FOR-US: WordPress plugin
CVE-2026-11972 (When using the "tarfile" module with a file opened in
"streaming mode" ...)
TODO: check
-CVE-2026-11820 (Module: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM \u2014
AV:N/AC: ...)
+CVE-2026-11820 (A flaw was found in the community.general Ansible collection's
nexmo m ...)
NOT-FOR-US: Red Hat
CVE-2026-11819 (Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM
\u2014 ...)
NOT-FOR-US: Red Hat
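Review bot: the refreshed description for CVE-2026-11820 identifies the affected code as the community.general Ansible collection's nexmo module, yet the entry keeps `NOT-FOR-US: Red Hat`; if Debian ships community.general inside the ansible source package, that verdict needs re-checking rather than being inherited from the old "Module: plugins/modules/nexmo.py" wording. The neighbouring CVE-2026-11819 (keyring_info.py) still carries the raw CVSS-vector form of description and raises the same question.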
@@ -5197,38 +5396,38 @@ CVE-2026-48931 (A flaw in Node.js HTTP Agent can cause
a client to accept as val
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#http-response-queue-poisoning-via-toctou-race-condition-in-httpagent-cve-2026-48931---low
NOTE:
https://github.com/nodejs/node/commit/0a22d40180cb796e0d68e94c1a7a8a05a8f47c10
(v22.23.0)
-CVE-2026-48936
+CVE-2026-48936 (A flaw in Node.js Permission API can cause a local server to
be starte ...)
- nodejs <not-affected> (Only affects Node.js v26)
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unix-domain-socket-server-bypasses---permission-network-restrictions-incomplete-cve-2026-21636-fix-cve-2026-48936---low
-CVE-2026-48935
+CVE-2026-48935 (A flaw in Node.js Permission API can cause a file metadata to
be modif ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#permission-model-bypass-via-filehandleutimes-in-the-promises-api-cve-2026-48935---low
NOTE:
https://github.com/nodejs/node/commit/28dcd388644c676b5b8149abfe18ec32cd010781
(v22.23.0)
-CVE-2026-48934
+CVE-2026-48934 (A flaw in Node.js TLS host verification can cause an attacker
to bypas ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#tls-host-identity-verification-bypass-via-session-reuse-with-different-servername-leads-to-unauthorized-connections-cve-2026-48934---medium
NOTE:
https://github.com/nodejs/node/commit/fd890ba01d508ac111bbba302981d7fdf734d2ce
(v22.23.0)
-CVE-2026-48930
+CVE-2026-48930 (A flaw in Node.js TLS hostname handling can cause Embedded-nul
hostnam ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#embedded-nul-hostnames-can-lead-to-silent-authority-rebinding-due-to-c-string-truncation-in-resolver-bindings-cve-2026-48930---medium
NOTE:
https://github.com/nodejs/node/commit/c551a51d0c58dfc91961fb3f24c2c86af6183eca
(v22.23.0)
-CVE-2026-48928
+CVE-2026-48928 (A inconsistency in Node.js hostname matching can cause a
trust-policy ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#uppercase-sni-context-matching-can-lead-to-mtls-authorization-bypass-due-to-case-sensitive-hostname-matching-cve-2026-48928---medium
NOTE:
https://github.com/nodejs/node/commit/39d1d0968471a144d93dc293d640008f57d3c58e
(v22.23.0)
-CVE-2026-48619
+CVE-2026-48619 (A flaw in Node.js HTTP/2 client allows a server to send an
unlimited n ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unbounded-memory-growth-in-nodehttp2-clients-via-attacker-controlled-origin-frames-cve-2026-48619---medium
NOTE:
https://github.com/nodejs/node/commit/c79968e108002c2394bdb9e9cefb2c8c8cc202f8
(v22.23.0)
-CVE-2026-48615
+CVE-2026-48615 (A flaw in Node.js proxy tunnel error handling could expose
proxy crede ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#proxy-credentials-leaked-in-err_proxy_tunnel-error-message-cve-2026-48615---medium
NOTE:
https://github.com/nodejs/node/commit/9b6af26132f6e87659ce360e6a59f42a03ff1701
(v22.23.0)
-CVE-2026-48618
+CVE-2026-48618 (A flaw in Node.js TLS hostname handling can cause Node.js
unicode dot ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-unicode-dot-separator-handling-can-lead-to-tls-wildcard-depth-authentication-bypass-due-to-resolver-and-verifier-hostname-normalization-mismat-cve-2026-48618---high
NOTE:
https://github.com/nodejs/node/commit/2197a47144f3356ab451c5dcd858a49eb5957a70
(v22.23.0)
-CVE-2026-48933
+CVE-2026-48933 (A flaw in Node.js WebCrypto implementation can crash the
process if th ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-webcrypto-aes-integer-overflow-leads-to-remote-process-abort-dos-cve-2026-48933---high
NOTE:
https://github.com/nodejs/node/commit/38b4c5ed51b2ec81c28fbd379fea72e22fa12a15
(v22.23.0)
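Review bot: CVE-2026-48936 is marked `nodejs <not-affected> (Only affects Node.js v26)` and its advisory URL describes it as an incomplete fix of CVE-2026-21636; a NOTE cross-referencing CVE-2026-21636, plus a check that that entry's nodejs status is consistent with the v26-only claim, would help the next triager. For the other entries the fix commits are annotated `(v22.23.0)` while the fixed Debian version is 24.17.0+dfsg+~cs24.13.2-1; that is fine if the 22.x commit is the intended backport reference, but the 24.x release tag would be the more direct evidence for the version recorded.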
@@ -15386,12 +15585,12 @@ CVE-2026-11309 (Insufficient policy enforcement in
History in Google Chrome prio
- chromium 149.0.7827.53-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-9698 (DBI versions before 1.648 for Perl saved errors in a
limited-sized buf ...)
- {DSA-6338-1}
+ {DSA-6338-1 DLA-4649-1}
- libdbi-perl 1.648-1
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40831067/
NOTE: Fixed by:
https://github.com/perl5-dbi/dbi/commit/bfe5d73c162d2d1f761a639a0aa33aad6a9eb54e
(1.648)
CVE-2026-10879 (DBI versions before 1.648 for Perl have a heap overflow when
preparsin ...)
- {DSA-6338-1}
+ {DSA-6338-1 DLA-4649-1}
- libdbi-perl 1.648-1
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40729086/
NOTE: Fixed by:
https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978
(1.648)
@@ -51677,7 +51876,7 @@ CVE-2026-2509 (The Page Builder: Pagelayer plugin for
WordPress is vulnerable to
NOT-FOR-US: WordPress plugin
CVE-2026-2481 (The Beaver Builder Page Builder \u2013 Drag and Drop Website
Builder p ...)
NOT-FOR-US: WordPress plugin
-CVE-2026-2377 (A flaw was found in mirror-registry. Authenticated users can
exploit t ...)
+CVE-2026-2377 (A flaw was found in Red Hat Quay and mirror registry for Red
Hat OpenS ...)
NOT-FOR-US: Quay
CVE-2026-2104 (GitLab has remediated an issue in GitLab CE/EE affecting all
versions ...)
- gitlab <not-affected> (Vulnerable code introduced later)
@@ -64177,6 +64376,7 @@ CVE-2026-26948 (Dell Integrated Dell Remote Access
Controller 9, 14G versions pr
CVE-2026-26945 (Dell Integrated Dell Remote Access Controller 9, 14G versions
prior to ...)
NOT-FOR-US: Dell / EMC
CVE-2026-26740 (Buffer Overflow vulnerability in giflib v.5.2.2 allows a
remote attack ...)
+ {DLA-4650-1}
- giflib 6.1.3-1 (bug #1131368)
[trixie] - giflib <no-dsa> (Minor issue)
NOTE:
https://github.com/zakkanijia/POC/blob/main/giflib/giftool/giflib_giftool_gce_len_heap_oobwrite_disclosure.md
@@ -68079,6 +68279,7 @@ CVE-2026-23907 (This issue affects the
ExtractEmbeddedFiles example inApache PD
NOTE: Examples are not shipped in the Debian package
NOTE: https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw
CVE-2026-23868 (Giflib contains a double-free vulnerability that is the result
of a sh ...)
+ {DLA-4650-1}
- giflib 6.1.3-1 (bug #1130495)
[trixie] - giflib <no-dsa> (Minor issue)
NOTE: https://www.facebook.com/security/advisories/cve-2026-23868
@@ -114973,11 +115174,11 @@ CVE-2025-65065
REJECTED
CVE-2025-65064
REJECTED
-CVE-2025-64309 (Brightpick Mission Control discloses device telemetry,
configuration, ...)
+CVE-2025-64309 (The affected product discloses device telemetry,
configuration, and se ...)
NOT-FOR-US: Brightpick Mission Control
CVE-2025-64308 (The Brightpick Mission Control web application exposes
hardcoded crede ...)
NOT-FOR-US: Brightpick Mission Control
-CVE-2025-64307 (The Brightpick Internal Logic Control web interface is
accessible wit ...)
+CVE-2025-64307 (The Brightpick Internal Logic Control web interface is
accessible with ...)
NOT-FOR-US: Brightpick
CVE-2025-64084 (An authenticated SQL injection vulnerability exists in
Cloudlog 2.7.5 ...)
NOT-FOR-US: Cloudlog
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df82e5ddfe76e2e1da7a259d35db28bd131bfeab
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits