Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
20a6f24d by Moritz Muehlenhoff at 2026-07-08T13:11:34+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -28,9 +28,9 @@ CVE-2026-60000 (sshd in OpenSSH before 10.4 allows remote
attackers to cause a d
- openssh 1:10.4p1-1
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-5799 (Authorization bypass through User-Controlled key vulnerability
in Idvl ...)
- TODO: check
+ NOT-FOR-US: Idvlabs Ontime
CVE-2026-5730 (Authorization bypass through User-Controlled key vulnerability
in Idvl ...)
- TODO: check
+ NOT-FOR-US: Idvlabs Ontime
CVE-2026-59999 (In sshd in OpenSSH before 10.4, DisableForwarding=yes was
supposed to ...)
- openssh 1:10.4p1-1
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
@@ -65,7 +65,7 @@ CVE-2026-59153 (Anki is a program for creating and reviewing
flashcards. Prior t
NOTE:
https://github.com/ankitects/anki/security/advisories/GHSA-869j-r97x-hx2g
NOTE: Fixed by:
https://github.com/ankitects/anki/commit/858e5689d0e4fd24f74856c7e8f245412694a219
(25.09.3)
CVE-2026-58583 (FluxInk (formerly Sunia SPB Peripheral) Color Management
Driver (TcnPe ...)
- TODO: check
+ NOT-FOR-US: FluxInk
CVE-2026-58473 (Cognee before 1.2.0 contains an improper access control
vulnerability ...)
TODO: check
CVE-2026-58472 (GNU Wget through 1.25.0, fixed in commit dd692d9, contains a
heap buff ...)
@@ -81,27 +81,27 @@ CVE-2026-58469 (GNU Wget through 1.25.0, fixed in commit
37a40fc, contains a hea
- wget <unfixed>
NOTE: Fixed by:
https://gitlab.com/gnuwget/wget/-/commit/37a40fcb450153f69537c7cbc2a7a4fb0b6f7826
CVE-2026-58468 (NocoBase through 2.1.20 contains a server-side request forgery
vulnera ...)
- TODO: check
+ NOT-FOR-US: NocoBase
CVE-2026-58384 (A flaw was found in GIMP's PSD parser. An integer overflow in
read_RLE ...)
- gimp 3.2.4-1
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/work_items/16216
NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e21779a851fcd95d2af29294bee4071a67a7
(GIMP_3_2_4)
CVE-2026-58266 (Anki is a program for creating and reviewing flashcards. Prior
to 25.0 ...)
- TODO: check
+ - anki <removed>
CVE-2026-57895 (Incorrect default permissions issue exists in Pupsman versions
prior t ...)
- TODO: check
+ NOT-FOR-US: Fuji
CVE-2026-57851 (MSI Feature Manager contains a local privilege escalation
vulnerabilit ...)
- TODO: check
+ NOT-FOR-US: MSI
CVE-2026-57172 (DataEase is an open source data visualization and analysis
tool. Prior ...)
NOT-FOR-US: DataEase
CVE-2026-56843 (Incorrect authorization in the XML-RPC API of WebPros Plesk
before 18. ...)
- TODO: check
+ NOT-FOR-US: WebPros Plesk
CVE-2026-56812 (Improper Check for Unusual or Exceptional Conditions
vulnerability in ...)
TODO: check
CVE-2026-56811 (Allocation of Resources Without Limits or Throttling
vulnerability in ...)
TODO: check
CVE-2026-56437 (Uncontrolled search path element issue exists in Pupsman
versions prio ...)
- TODO: check
+ NOT-FOR-US: Fuji
CVE-2026-55647 (DataEase is an open source data visualization and analysis
tool. Prior ...)
NOT-FOR-US: DataEase
CVE-2026-55635 (DataEase is an open source data visualization and analysis
tool. Prior ...)
@@ -113,57 +113,57 @@ CVE-2026-55631 (DataEase is an open source data
visualization and analysis tool.
CVE-2026-55592 (Dashy is a self-hostable personal dashboard. Prior to 4.3.7,
Dashy's w ...)
TODO: check
CVE-2026-55490 (OpenWrt is a Linux operating system targeting embedded
devices. Before ...)
- TODO: check
+ NOT-FOR-US: OpenWrt
CVE-2026-55438 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55437 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55436 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55435 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55434 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55433 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55432 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55431 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55430 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55429 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55428 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55427 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55418 (FastGPT is an open source AI knowledge base platform. Prior to
v4.15.0 ...)
- TODO: check
+ NOT-FOR-US: FastGPT
CVE-2026-55417 (Chevereto is a self-hosted media-sharing platform. Starting in
version ...)
TODO: check
CVE-2026-55408 (Koodo Reader is an ebook reader. In version 2.3.0 and earlier,
Koodo R ...)
- TODO: check
+ NOT-FOR-US: Koodo Reader
CVE-2026-55079 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55078 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55077 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55076 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-55075 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-54698 (Hasura is an open-source product that provides users GraphQL
or REST A ...)
- TODO: check
+ NOT-FOR-US: Hasura
CVE-2026-54607 (FastGPT is a knowledge-based AI application platform. Prior to
4.15.0- ...)
- TODO: check
+ NOT-FOR-US: FastGPT
CVE-2026-54602 (FastGPT is a knowledge-based AI application platform. Prior to
4.15.0, ...)
- TODO: check
+ NOT-FOR-US: FastGPT
CVE-2026-54601 (FastGPT is an open source AI knowledge base platform. From
4.14.17 to ...)
- TODO: check
+ NOT-FOR-US: FastGPT
CVE-2026-53935 (Cilium is a networking, observability, and security solution.
Prior to ...)
- TODO: check
+ - cilium <itp> (bug #858303)
CVE-2026-53751 (DataEase is an open source data visualization and analysis
tool. Prior ...)
NOT-FOR-US: DataEase
CVE-2026-53730 (DataEase is an open source data visualization and analysis
tool. Prior ...)
@@ -179,7 +179,7 @@ CVE-2026-53481 (Dell PowerProtect Data Domain, versions
7.7.1.0 through 8.7, LTS
CVE-2026-53479 (DellPowerProtectData Domain, versions 7.7.1.0 through 8.7,
LTS2026 rel ...)
NOT-FOR-US: Dell / EMC
CVE-2026-51937 (An issue in Oneblog V2.3.9 allows a remote attacker to obtain
sensitiv ...)
- TODO: check
+ NOT-FOR-US: Oneblog
CVE-2026-50811 (An out-of-bounds read vulnerability exists in FreeType 2.14.3
and vers ...)
TODO: check
CVE-2026-50810 (A NULL pointer dereference in smooth_parse_stream_index() in
src/media ...)
@@ -189,13 +189,13 @@ CVE-2026-50530 (DataEase is an open source data
visualization and analysis tool.
CVE-2026-50529 (DataEase is an open source data visualization and analysis
tool. Prior ...)
NOT-FOR-US: DataEase
CVE-2026-50179 (Actual is a local-first personal finance tool. Prior to
26.6.0, export ...)
- TODO: check
+ NOT-FOR-US: Actual
CVE-2026-50007 (Actual is an open-source personal finance application. Prior
to 26.7.0 ...)
- TODO: check
+ NOT-FOR-US: Actual
CVE-2026-49471 (Serena is a powerful MCP toolkit for coding that provides
semantic ret ...)
- TODO: check
+ NOT-FOR-US: Serena
CVE-2026-49229 (Actual is a local-first personal finance app. Prior to 26.6.0,
in Open ...)
- TODO: check
+ NOT-FOR-US: Actual
CVE-2026-49033 (The application contains a stack-based buffer overflow
vulnerability t ...)
TODO: check
CVE-2026-48958 (An improper access check allows unauthorized users to create
custom fi ...)
@@ -223,27 +223,27 @@ CVE-2026-48948 (An improper access check allows user to
download vcard exports o
CVE-2026-48947 (An improper access check allows privileged users to overwrite
media fi ...)
NOT-FOR-US: Joomla
CVE-2026-46700 (Actual is a local-first personal finance tool. Prior to
26.6.0, the GE ...)
- TODO: check
+ NOT-FOR-US: Actual
CVE-2026-46672 (Actual is a local-first personal finance app. Prior to 26.6.0,
@actual ...)
- TODO: check
+ NOT-FOR-US: Actual
CVE-2026-46354 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-45796 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-44938 (A vulnerability has been identified in Fleet's agent-side
deployer, wh ...)
TODO: check
CVE-2026-44877 (An unauthenticated remote disclosure vulnerability has been
identified ...)
NOT-FOR-US: HPE
CVE-2026-44454 (Coder allows organizations to provision remote development
environment ...)
- TODO: check
+ NOT-FOR-US: Coder
CVE-2026-42958 (The application contains a use-after-free vulnerability that
can be ex ...)
TODO: check
CVE-2026-42953 (The application contains an out-of-bounds write vulnerability
that can ...)
TODO: check
CVE-2026-37271 (Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is
vulnerable ...)
- TODO: check
+ NOT-FOR-US: Fire-Boltt Smartwatch
CVE-2026-37270 (Trueview Security camera T18161- AF v4.9.60.0 contains an
authenticati ...)
- TODO: check
+ NOT-FOR-US: ActualSecurity camera
CVE-2026-36163 (An HTML injection vulnerability in the file view endpoint of
LiquidFil ...)
TODO: check
CVE-2026-36162 (An authenticated stored cross-site scripting (XSS)
vulnerability in th ...)
@@ -251,9 +251,9 @@ CVE-2026-36162 (An authenticated stored cross-site
scripting (XSS) vulnerability
CVE-2026-28378 (The public dashboard deletion endpoint does not enforce
organization i ...)
TODO: check
CVE-2026-23698 (Vtiger CRM through 8.4.0 contains an authenticated remote code
executi ...)
- TODO: check
+ NOT-FOR-US: Vtiger CRM
CVE-2026-23697 (Vtiger CRM before 8.4.0 contains an authenticated file upload
vulnerab ...)
- TODO: check
+ NOT-FOR-US: Vtiger CRM
CVE-2026-14969 (A flaw was found in 389-ds-base where the LDBM backend
attribute encry ...)
TODO: check
CVE-2026-14940 (A heap-buffer-overflow flaw was found in 389 Directory Server
(389-ds- ...)
@@ -287,7 +287,7 @@ CVE-2026-14158 (The Widget Logic Visual plugin for
WordPress is vulnerable to Re
CVE-2026-13696 (Improper neutralization of special elements used in an LDAP
query ('LD ...)
TODO: check
CVE-2026-13199 (EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices
produce ...)
- TODO: check
+ NOT-FOR-US: Raspberry Pi
CVE-2026-13020 (A Weak Password Recovery Mechanism for Forgotten Password
exists in Es ...)
NOT-FOR-US: Esri
CVE-2026-13019 (Esri Portal for ArcGIS versions 12.1 and earlier on Windows,
Linux and ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20a6f24d67d9ada26a45997e8da6fae9ccb07515
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20a6f24d67d9ada26a45997e8da6fae9ccb07515
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits