Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
78034eb7 by Moritz Muehlenhoff at 2026-07-07T10:25:19+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3,9 +3,9 @@ CVE-2026-59713 (Leantime contains an OIDC login CSRF
vulnerability in the verify
CVE-2026-59712 (Leantime's Users::getUser method in the JSON-RPC API lacks
proper auth ...)
NOT-FOR-US: Leantime
CVE-2026-59711 (showdown contains a cross-site scripting vulnerability in
metadata tit ...)
- TODO: check
+ NOT-FOR-US: showdown
CVE-2026-59710 (showdown contains a stored cross-site scripting vulnerability
in the p ...)
- TODO: check
+ NOT-FOR-US: showdown
CVE-2026-58404 (Hugo is a static site generator. From v0.162.0 through
v0.163.0, the d ...)
- hugo <unfixed>
NOTE:
https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv
@@ -132,7 +132,7 @@ CVE-2026-41515 (OP-TEE is a Trusted Execution Environment
(TEE) designed as comp
CVE-2026-41514 (OP-TEE is a Trusted Execution Environment (TEE) designed as
companion ...)
TODO: check
CVE-2026-38979 (ajenti through v2.2.13 has a clickjacking weakness in the
browser-faci ...)
- TODO: check
+ NOT-FOR-US: ajenti
CVE-2026-38976 (mrubyc through 3.4.1 was found to contain a NULL pointer
dereference i ...)
TODO: check
CVE-2026-38973 (mrubyc through release3.4.1 was found to contain an
out-of-bounds read ...)
@@ -216,13 +216,13 @@ CVE-2026-14468 (HashiCorp Terraform Enterprise contained
an issue in its version
CVE-2026-14345 (The WPFunnels \u2013 Funnel Builder for WooCommerce with
Checkout & On ...)
NOT-FOR-US: WordPress plugin
CVE-2026-13356 (A malicious webpage could interrupt a pending navigation by
enqueuing ...)
- TODO: check
+ NOT-FOR-US: Firefox for iOS
CVE-2026-12375 (The uncanny-automator-pro WordPress plugin before 7.3.0.6 was
distribu ...)
NOT-FOR-US: WordPress plugin
CVE-2026-12277 (The Frontend File Manager Plugin WordPress plugin through 23.6
does no ...)
NOT-FOR-US: WordPress plugin
CVE-2026-11405 (The web server binary /bin/httpd contains a hidden backdoor
authentica ...)
- TODO: check
+ NOT-FOR-US: Tenda
CVE-2026-11328 (The Exclusive Addons for Elementor plugin for WordPress is
vulnerable ...)
NOT-FOR-US: WordPress plugin
CVE-2026-10834 (The WP Travel Engine WordPress plugin before 6.8.1 does not
properly ...)
@@ -234,7 +234,7 @@ CVE-2025-59616 (Memory Corruption when processing multiple
IOCTL calls with the
CVE-2025-59615 (Memory Corruption when invoking device input/output control
operations ...)
NOT-FOR-US: Qualcomm
CVE-2024-56141 (Minosoft is an open-source, multi-version Minecraft Java
Edition clien ...)
- TODO: check
+ NOT-FOR-US: Minosoft
CVE-2026-49861
- fastdds <unfixed>
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
@@ -348,7 +348,7 @@ CVE-2026-55379 (Pillow is a Python imaging library. Prior
to 12.3.0, PIL/BdfFont
NOTE:
https://github.com/python-pillow/Pillow/security/advisories/GHSA-45hq-cxwh-f6vc
NOTE: Fixed by:
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
(12.3.0)
CVE-2026-54893 (URL path injection in the Microsoft Graph adapter of Swoosh.
Swoosh.Ad ...)
- TODO: check
+ NOT-FOR-US: Swoosh
CVE-2026-54291 (pgjdbc is an open source postgresql JDBC Driver. In releases
42.7.4 th ...)
- libpgjava 42.7.12-1
NOTE:
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-j92g-9f8w-j867
@@ -380,7 +380,7 @@ CVE-2026-49086 (Improper Input Validation, Unintended Proxy
or Intermediary ('Co
CVE-2026-49042 (Improper Input Validation vulnerability in Apache Camel. This
issue a ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-48614 (An improper authorization vulnerability in the Plesk XML API
allows an ...)
- TODO: check
+ NOT-FOR-US: Plesk
CVE-2026-48316 (ColdFusion versions 2025.9, 2023.20 and earlier are affected
by an Imp ...)
NOT-FOR-US: Adobe
CVE-2026-48206 (Improper Input Validation, Authorization Bypass Through
User-Controlle ...)
@@ -418,11 +418,11 @@ CVE-2026-46454 (Improper Input Validation vulnerability
in Apache Camel Cometd C
CVE-2026-46453 (Improper Input Validation, Authorization Bypass Through
User-Controlle ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-44937 (Potential forgery of webhook requests when using a
unauthenticated web ...)
- TODO: check
+ NOT-FOR-US: Rancher
CVE-2026-44936 (Missing filtering when the helmRepoURLRegex field isn't set on
a GitRe ...)
- TODO: check
+ NOT-FOR-US: Rancher
CVE-2026-44934 (A information disclosure when DEBUG loglevel is set in SUSE
Rancher AI ...)
- TODO: check
+ NOT-FOR-US: Rancher
CVE-2026-43867 (Deserialization of Untrusted Data vulnerability in Apache
Camel PQC Co ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-43866 (Deserialization of Untrusted Data vulnerability in Apache
Camel, Apach ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78034eb7e3daab4ff3ddba09cfa94f759afa85d1
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78034eb7e3daab4ff3ddba09cfa94f759afa85d1
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits