Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
1fc73041 by Moritz Muehlenhoff at 2026-06-28T00:21:47+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -904,7 +904,7 @@ CVE-2026-1869 (The User Registration & Membership \u2013
Free & Paid Memberships
CVE-2026-13434 (A flaw was found in KubeVirt's network annotation generator.
When a te ...)
NOT-FOR-US: KubeVirt
CVE-2026-13426 (The Mattermost Go module
github.com/mattermost/mattermost/server/publi ...)
- TODO: check
+ NOT-FOR-US: Mattermost Go module
CVE-2026-13372 (Incorrect link resolution by display name in the custom
PowerShell VPN ...)
NOT-FOR-US: Devolutions
CVE-2026-13325 (A flaw was found in KubeVirt's migration proxy. When
spec.configuratio ...)
@@ -1195,7 +1195,7 @@ CVE-2021-47987 (Parse Server before 4.10.0 was affected
by a supply chain incide
CVE-2021-47986 (Parse Server before 4.10.0 contains a supply chain
vulnerability where ...)
NOT-FOR-US: Parse Server
CVE-2020-37256 (Grav before 1.6.30 contains a cross-site scripting
vulnerability in th ...)
- TODO: check
+ NOT-FOR-US: Grav CMS
CVE-2026-48750
{DSA-6370-1}
- incus 7.0.0-5
@@ -1407,7 +1407,7 @@ CVE-2026-56129 (Generic IO & Memory Access driver for PCs
provided by TOSHIBA CO
CVE-2026-56123 (socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based
buffer ove ...)
- socat 1.8.1.3-1
CVE-2026-56122 (Winstone Servlet Engine through 0.9.10 contains a path
traversal vulne ...)
- TODO: check
+ NOT-FOR-US: Winstone Servlet Container
CVE-2026-56091 (When using Apache Shiro with the shiro-guice module in a web
servlet c ...)
TODO: check
CVE-2026-56071 (Unauthenticated Cross Site Scripting (XSS) in Forminator <=
1.53.1 ver ...)
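Review bot: the new tag for CVE-2026-56122 reads `NOT-FOR-US: Winstone Servlet Container` while the CVE description in the same hunk names the product "Winstone Servlet Engine"; using the name as it appears in the description keeps the entry consistent with the other NOT-FOR-US lines and findable by a grep for the product string.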
@@ -1665,9 +1665,9 @@ CVE-2026-13222 (Our payment integration with Oppwa-based
payment methods did not
CVE-2026-12937 (The Tourfic \u2013 AI Powered Travel Booking, Hotel Booking &
Car Rent ...)
NOT-FOR-US: WordPress plugin
CVE-2026-12921 (In AzeoTech DAQFactory versions 21.1 and prior, a Use After
Free vulne ...)
- TODO: check
+ NOT-FOR-US: AzeoTech DAQFactory
CVE-2026-12897 (Horner Automation Cscape versions prior to 10.2 SP3 are
vulnerable to ...)
- TODO: check
+ NOT-FOR-US: Horner Automation Cscape
CVE-2026-12755 (Improper input validation in the PAM AD discovery endpoints in
Devolu ...)
NOT-FOR-US: Devolutions
CVE-2026-11999 (X.509 trust-chain bypass (path-depth exhaustion) in the
OpenSSL compat ...)
@@ -2858,13 +2858,13 @@ CVE-2026-10642 (The Zephyr PL011 UART driver
(drivers/serial/uart_pl011.c) conta
CVE-2026-10086 (GitLab has remediated an issue in GitLab EE affecting all
versions fro ...)
NOT-FOR-US: GitLab (used to be packaged in the Debian archive as
src:gitlab, but never in a stable release)
CVE-2026-10043 (MosaicML Composer Deserialization of Untrusted Data Remote
Code Execut ...)
- TODO: check
+ NOT-FOR-US: MosaicML
CVE-2026-0934 (GitLab has remediated an issue in GitLab EE affecting all
versions fro ...)
NOT-FOR-US: GitLab (used to be packaged in the Debian archive as
src:gitlab, but never in a stable release)
CVE-2025-8106
REJECTED
CVE-2025-64719 (Gogs is an open source self-hosted Git service. Prior to
0.14.3, a mal ...)
- TODO: check
+ NOT-FOR-US: Go Git Service
CVE-2025-60474 (A buffer overflow in the gf_media_import function
(/media_tools/av_par ...)
- gpac <removed>
[bullseye] - gpac <end-of-life> (EOL in bullseye LTS)
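Review bot: CVE-2025-64719 is tagged `NOT-FOR-US: Go Git Service`, but the description identifies the project as "Gogs"; the expanded name is correct but a search for "Gogs" in data/CVE/list will not hit this line, so `NOT-FOR-US: Gogs` (optionally with the long form in parentheses) would be easier to find.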
@@ -3130,7 +3130,7 @@ CVE-2026-12986 (A critical vulnerability in Admin GUI in
Payara Server Full 4.x,
CVE-2026-12760 (A denial-of-service (DoS) vulnerability has been identified in
Tapo C2 ...)
NOT-FOR-US: TPLink
CVE-2026-12537 (Improper Neutralization used in an OS Command in the container
launche ...)
- TODO: check
+ NOT-FOR-US: Google Gemini CLI
CVE-2026-12242 (The AdRotate Banner Manager plugin for WordPress is vulnerable
to PHP ...)
NOT-FOR-US: WordPress plugin
CVE-2026-11968 (Argument Injection in TortoiseGitBlame via Malicious Git
History Filen ...)
@@ -5474,19 +5474,19 @@ CVE-2026-42129 (The Loki datasource plugin's
callResource handler contains a pat
CVE-2026-42127 (The public dashboard query endpoint does not limit request
body size b ...)
NOT-FOR-US: Grafana Labs
CVE-2026-41049 (Incorrect caching of authentication between different users of
the qSn ...)
- TODO: check
+ NOT-FOR-US: qSnapper
CVE-2026-41048 (Incorrect caching of authentication between different polkit
methods i ...)
- TODO: check
+ NOT-FOR-US: qSnapper
CVE-2026-41047 (Lack of authentication when using the "snapshot diff"
functions in qSn ...)
- TODO: check
+ NOT-FOR-US: qSnapper
CVE-2026-41046 (A path traversal attack when using a "configName" parameter in
qSnappe ...)
- TODO: check
+ NOT-FOR-US: qSnapper
CVE-2026-41045 (A time-to-check-time-of-use in polkit authentication of
qSnapper befor ...)
- TODO: check
+ NOT-FOR-US: qSnapper
CVE-2026-28381 (The Snowflake datasource allows for GET/PUT commands, which
can allow ...)
TODO: check
CVE-2026-12888 (An HTML injection vulnerability exists in the Google Chat
webhook noti ...)
- TODO: check
+ NOT-FOR-US: Canarytokens
CVE-2026-12863 (An unvalidated redirect was contained in Venueless' social
login funct ...)
NOT-FOR-US: rami.io products
CVE-2026-12862 (Untrusted user data was passed verbatim to Excel exports for
administr ...)
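Review bot: the unchanged CVE-2026-28381 entry ("The Snowflake datasource allows for GET/PUT commands") is still `TODO: check` in this hunk, while the neighbouring datasource-plugin entries in the same region are tagged `NOT-FOR-US: Grafana Labs`; if it is the same vendor's plugin it could be resolved in this pass rather than left open next to its siblings.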
@@ -5514,9 +5514,9 @@ CVE-2026-12549 (The fix for CVE-2026-2443 was regressed
by a subsequent rework c
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2489999
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/work_items/516
CVE-2026-12479 (A path traversal vulnerability exists in keras-team/keras
version 3.14 ...)
- TODO: check
+ - keras <removed>
CVE-2026-12249 (An issue was discovered in Canonical ADSys upstream versions
through v ...)
- TODO: check
+ NOT-FOR-US: ADSys
CVE-2026-11994 (Akaunting 3.1.21 contains an authenticated stored Cross-Site
Scripting ...)
NOT-FOR-US: Akaunting
CVE-2026-11943 (Akaunting 3.1.21 contains an authenticated stored cross-site
scripting ...)
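Review bot: the CVE-2026-12479 line is changed to `- keras <removed>` with no per-release status underneath; the gpac entry earlier in this commit pairs `<removed>` with a `[bullseye] - gpac <end-of-life> (EOL in bullseye LTS)` line, so if keras was ever shipped in a release that is still supported, the matching `[release]` line should be added here (or the absence of one confirmed). A `NOTE:` line with the upstream reference, as the libsoup entry at the top of this hunk carries, would also make the `<removed>` assessment verifiable later.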
@@ -5538,13 +5538,13 @@ CVE-2026-10601 (The Tempo and Loki datasource plugins
construct backend HTTP req
CVE-2026-10561 (IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due
to an im ...)
NOT-FOR-US: IBM
CVE-2025-66389 (GitHub Copilot 1.372.0 allows filesystem access outside of a
workspace ...)
- TODO: check
+ NOT-FOR-US: GitHub Copilot
CVE-2025-66336 (Apache Doris MCP Server contains a SQL injection vulnerability
in a me ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2025-62198 (An authenticated user can perform XSS. This issue affects
Apache Atla ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2025-4994 (The SafeLine SL6 and SL6+ devices integrated into elevator
emergency i ...)
- TODO: check
+ NOT-FOR-US: SafeLine
CVE-2025-33128 (IBM Engineering Workflow Management 7.0.3 through 7.0.3
Interim Fix 02 ...)
NOT-FOR-US: IBM
CVE-2025-2669 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak
for Data ...)
@@ -5554,9 +5554,9 @@ CVE-2024-54178 (IBM Db2 on Cloud Pak for Data and Db2
Warehouse on Cloud Pak for
CVE-2024-51454 (IBM Engineering Workflow Management 7.0.2 through 7.0.2
Interim Fix 03 ...)
NOT-FOR-US: IBM
CVE-2023-45796 (A stored cross-site scripting vulnerability in the Runtime
component o ...)
- TODO: check
+ NOT-FOR-US: Pilz PASvisu
CVE-2023-45795 (A cross-site scripting vulnerability in the Builder Component
of Pilz ...)
- TODO: check
+ NOT-FOR-US: Pilz PASvisu
CVE-2023-33854 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak
for Data ...)
NOT-FOR-US: IBM
CVE-2026-11373 (Net::Statsite::Client versions through 1.1.0 for Perl allow
metric inj ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fc73041a2b0cb553161c1b5e11d6480d7b2d4ab
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits