Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1fc73041 by Moritz Muehlenhoff at 2026-06-28T00:21:47+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -904,7 +904,7 @@ CVE-2026-1869 (The User Registration & Membership \u2013 
Free & Paid Memberships
 CVE-2026-13434 (A flaw was found in KubeVirt's network annotation generator. 
When a te ...)
        NOT-FOR-US: KubeVirt
 CVE-2026-13426 (The Mattermost Go module 
github.com/mattermost/mattermost/server/publi ...)
-       TODO: check
+       NOT-FOR-US: Mattermost Go module
 CVE-2026-13372 (Incorrect link resolution by display name in the custom 
PowerShell VPN ...)
        NOT-FOR-US: Devolutions
 CVE-2026-13325 (A flaw was found in KubeVirt's migration proxy. When 
spec.configuratio ...)
@@ -1195,7 +1195,7 @@ CVE-2021-47987 (Parse Server before 4.10.0 was affected 
by a supply chain incide
 CVE-2021-47986 (Parse Server before 4.10.0 contains a supply chain 
vulnerability where ...)
        NOT-FOR-US: Parse Server
 CVE-2020-37256 (Grav before 1.6.30 contains a cross-site scripting 
vulnerability in th ...)
-       TODO: check
+       NOT-FOR-US: Grav CMS
 CVE-2026-48750
        {DSA-6370-1}
        - incus 7.0.0-5
@@ -1407,7 +1407,7 @@ CVE-2026-56129 (Generic IO & Memory Access driver for PCs 
provided by TOSHIBA CO
 CVE-2026-56123 (socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based 
buffer ove ...)
        - socat 1.8.1.3-1
 CVE-2026-56122 (Winstone Servlet Engine through 0.9.10 contains a path 
traversal vulne ...)
-       TODO: check
+       NOT-FOR-US: Winstone Servlet Container
 CVE-2026-56091 (When using Apache Shiro with the shiro-guice module in a web 
servlet c ...)
        TODO: check
 CVE-2026-56071 (Unauthenticated Cross Site Scripting (XSS) in Forminator <= 
1.53.1 ver ...)
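Review bot: the annotation added for CVE-2026-56122 reads "Winstone Servlet Container" while the CVE description calls the product "Winstone Servlet Engine"; using the description's wording (or just "Winstone") keeps the NOT-FOR-US line findable when the file is searched by the upstream name as it appears in the CVE text.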
@@ -1665,9 +1665,9 @@ CVE-2026-13222 (Our payment integration with Oppwa-based 
payment methods did not
 CVE-2026-12937 (The Tourfic \u2013 AI Powered Travel Booking, Hotel Booking & 
Car Rent ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-12921 (In AzeoTech DAQFactory versions 21.1 and prior, a Use After 
Free vulne ...)
-       TODO: check
+       NOT-FOR-US: AzeoTech DAQFactory
 CVE-2026-12897 (Horner Automation Cscape versions prior to 10.2 SP3 are 
vulnerable to  ...)
-       TODO: check
+       NOT-FOR-US: Horner Automation Cscape
 CVE-2026-12755 (Improper input validation in the PAM AD discovery endpoints in 
 Devolu ...)
        NOT-FOR-US: Devolutions
 CVE-2026-11999 (X.509 trust-chain bypass (path-depth exhaustion) in the 
OpenSSL compat ...)
@@ -2858,13 +2858,13 @@ CVE-2026-10642 (The Zephyr PL011 UART driver 
(drivers/serial/uart_pl011.c) conta
 CVE-2026-10086 (GitLab has remediated an issue in GitLab EE affecting all 
versions fro ...)
        NOT-FOR-US: GitLab (used to be packaged in the Debian archive as 
src:gitlab, but never in a stable release)
 CVE-2026-10043 (MosaicML Composer Deserialization of Untrusted Data Remote 
Code Execut ...)
-       TODO: check
+       NOT-FOR-US: MosaicML
 CVE-2026-0934 (GitLab has remediated an issue in GitLab EE affecting all 
versions fro ...)
        NOT-FOR-US: GitLab (used to be packaged in the Debian archive as 
src:gitlab, but never in a stable release)
 CVE-2025-8106
        REJECTED
 CVE-2025-64719 (Gogs is an open source self-hosted Git service. Prior to 
0.14.3, a mal ...)
-       TODO: check
+       NOT-FOR-US: Go Git Service
 CVE-2025-60474 (A buffer overflow in the gf_media_import function 
(/media_tools/av_par ...)
        - gpac <removed>
        [bullseye] - gpac <end-of-life> (EOL in bullseye LTS)
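Review bot: for CVE-2025-64719 the new annotation says "Go Git Service" while the description names the project "Gogs"; suggest `NOT-FOR-US: Gogs` so that a grep for the upstream name used in the CVE text finds the entry.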
@@ -3130,7 +3130,7 @@ CVE-2026-12986 (A critical vulnerability in Admin GUI in 
Payara Server Full 4.x,
 CVE-2026-12760 (A denial-of-service (DoS) vulnerability has been identified in 
Tapo C2 ...)
        NOT-FOR-US: TPLink
 CVE-2026-12537 (Improper Neutralization used in an OS Command in the container 
launche ...)
-       TODO: check
+       NOT-FOR-US: Google Gemini CLI
 CVE-2026-12242 (The AdRotate Banner Manager plugin for WordPress is vulnerable 
to PHP  ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-11968 (Argument Injection in TortoiseGitBlame via Malicious Git 
History Filen ...)
@@ -5474,19 +5474,19 @@ CVE-2026-42129 (The Loki datasource plugin's 
callResource handler contains a pat
 CVE-2026-42127 (The public dashboard query endpoint does not limit request 
body size b ...)
        NOT-FOR-US: Grafana Labs
 CVE-2026-41049 (Incorrect caching of authentication between different users of 
the qSn ...)
-       TODO: check
+       NOT-FOR-US: qSnapper
 CVE-2026-41048 (Incorrect caching of authentication between different polkit 
methods i ...)
-       TODO: check
+       NOT-FOR-US: qSnapper
 CVE-2026-41047 (Lack of authentication when using the "snapshot diff" 
functions in qSn ...)
-       TODO: check
+       NOT-FOR-US: qSnapper
 CVE-2026-41046 (A path traversal attack when using a "configName" parameter in 
qSnappe ...)
-       TODO: check
+       NOT-FOR-US: qSnapper
 CVE-2026-41045 (A time-to-check-time-of-use in polkit authentication of 
qSnapper befor ...)
-       TODO: check
+       NOT-FOR-US: qSnapper
 CVE-2026-28381 (The Snowflake datasource allows for GET/PUT commands, which 
can allow  ...)
        TODO: check
 CVE-2026-12888 (An HTML injection vulnerability exists in the Google Chat 
webhook noti ...)
-       TODO: check
+       NOT-FOR-US: Canarytokens
 CVE-2026-12863 (An unvalidated redirect was contained in Venueless' social 
login funct ...)
        NOT-FOR-US: rami.io products
 CVE-2026-12862 (Untrusted user data was passed verbatim to Excel exports for 
administr ...)
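Review bot: CVE-2026-41048 and CVE-2026-41045 describe flaws in polkit authentication as used by qSnapper; NOT-FOR-US is the right call if the defect lies in qSnapper's polkit integration rather than in polkit itself, so a NOTE line with the upstream advisory URL on the first of the five qSnapper entries would record the reason the whole group was triaged as not applicable.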
@@ -5514,9 +5514,9 @@ CVE-2026-12549 (The fix for CVE-2026-2443 was regressed 
by a subsequent rework c
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2489999
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/work_items/516
 CVE-2026-12479 (A path traversal vulnerability exists in keras-team/keras 
version 3.14 ...)
-       TODO: check
+       - keras <removed>
 CVE-2026-12249 (An issue was discovered in Canonical ADSys upstream versions 
through v ...)
-       TODO: check
+       NOT-FOR-US: ADSys
 CVE-2026-11994 (Akaunting 3.1.21 contains an authenticated stored Cross-Site 
Scripting ...)
        NOT-FOR-US: Akaunting
 CVE-2026-11943 (Akaunting 3.1.21 contains an authenticated stored cross-site 
scripting ...)
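Review bot: CVE-2026-12479 gets `- keras <removed>` with no NOTE recording the upstream fix or advisory, unlike the CVE-2026-12549 entry a few lines above whose NOTE lines carry the bugzilla and upstream links; consider adding a NOTE with the upstream reference so the `<removed>` triage can be re-checked later without re-researching the issue.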
@@ -5538,13 +5538,13 @@ CVE-2026-10601 (The Tempo and Loki datasource plugins 
construct backend HTTP req
 CVE-2026-10561 (IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due 
to an im ...)
        NOT-FOR-US: IBM
 CVE-2025-66389 (GitHub Copilot 1.372.0 allows filesystem access outside of a 
workspace ...)
-       TODO: check
+       NOT-FOR-US: GitHub Copilot
 CVE-2025-66336 (Apache Doris MCP Server contains a SQL injection vulnerability 
in a me ...)
        NOT-FOR-US: Apache software not packaged in Debian
 CVE-2025-62198 (An authenticated user can perform XSS.  This issue affects 
Apache Atla ...)
        NOT-FOR-US: Apache software not packaged in Debian
 CVE-2025-4994 (The SafeLine SL6 and SL6+ devices integrated into elevator 
emergency i ...)
-       TODO: check
+       NOT-FOR-US: SafeLine
 CVE-2025-33128 (IBM Engineering Workflow Management 7.0.3 through 7.0.3 
Interim Fix 02 ...)
        NOT-FOR-US: IBM
 CVE-2025-2669 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak 
for Data  ...)
@@ -5554,9 +5554,9 @@ CVE-2024-54178 (IBM Db2 on Cloud Pak for Data and Db2 
Warehouse on Cloud Pak for
 CVE-2024-51454 (IBM Engineering Workflow Management 7.0.2 through 7.0.2 
Interim Fix 03 ...)
        NOT-FOR-US: IBM
 CVE-2023-45796 (A stored cross-site scripting vulnerability in the Runtime 
component o ...)
-       TODO: check
+       NOT-FOR-US: Pilz PASvisu
 CVE-2023-45795 (A cross-site scripting vulnerability in the Builder Component 
of Pilz  ...)
-       TODO: check
+       NOT-FOR-US: Pilz PASvisu
 CVE-2023-33854 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak 
for Data  ...)
        NOT-FOR-US: IBM
 CVE-2026-11373 (Net::Statsite::Client versions through 1.1.0 for Perl allow 
metric inj ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fc73041a2b0cb553161c1b5e11d6480d7b2d4ab

-- 


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
