Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20a6f24d by Moritz Muehlenhoff at 2026-07-08T13:11:34+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -28,9 +28,9 @@ CVE-2026-60000 (sshd in OpenSSH before 10.4 allows remote 
attackers to cause a d
        - openssh 1:10.4p1-1
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-5799 (Authorization bypass through User-Controlled key vulnerability 
in Idvl ...)
-       TODO: check
+       NOT-FOR-US: Idvlabs Ontime
 CVE-2026-5730 (Authorization bypass through User-Controlled key vulnerability 
in Idvl ...)
-       TODO: check
+       NOT-FOR-US: Idvlabs Ontime
 CVE-2026-59999 (In sshd in OpenSSH before 10.4, DisableForwarding=yes was 
supposed to  ...)
        - openssh 1:10.4p1-1
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
@@ -65,7 +65,7 @@ CVE-2026-59153 (Anki is a program for creating and reviewing 
flashcards. Prior t
        NOTE: 
https://github.com/ankitects/anki/security/advisories/GHSA-869j-r97x-hx2g
        NOTE: Fixed by: 
https://github.com/ankitects/anki/commit/858e5689d0e4fd24f74856c7e8f245412694a219
 (25.09.3)
 CVE-2026-58583 (FluxInk (formerly Sunia SPB Peripheral) Color Management 
Driver (TcnPe ...)
-       TODO: check
+       NOT-FOR-US: FluxInk
 CVE-2026-58473 (Cognee before 1.2.0 contains an improper access control 
vulnerability  ...)
        TODO: check
 CVE-2026-58472 (GNU Wget through 1.25.0, fixed in commit dd692d9, contains a 
heap buff ...)
@@ -81,27 +81,27 @@ CVE-2026-58469 (GNU Wget through 1.25.0, fixed in commit 
37a40fc, contains a hea
        - wget <unfixed>
        NOTE: Fixed by: 
https://gitlab.com/gnuwget/wget/-/commit/37a40fcb450153f69537c7cbc2a7a4fb0b6f7826
 CVE-2026-58468 (NocoBase through 2.1.20 contains a server-side request forgery 
vulnera ...)
-       TODO: check
+       NOT-FOR-US: NocoBase
 CVE-2026-58384 (A flaw was found in GIMP's PSD parser. An integer overflow in 
read_RLE ...)
        - gimp 3.2.4-1
        NOTE: https://gitlab.gnome.org/GNOME/gimp/-/work_items/16216
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e21779a851fcd95d2af29294bee4071a67a7
 (GIMP_3_2_4)
 CVE-2026-58266 (Anki is a program for creating and reviewing flashcards. Prior 
to 25.0 ...)
-       TODO: check
+       - anki <removed>
 CVE-2026-57895 (Incorrect default permissions issue exists in Pupsman versions 
prior t ...)
-       TODO: check
+       NOT-FOR-US: Fuji
 CVE-2026-57851 (MSI Feature Manager contains a local privilege escalation 
vulnerabilit ...)
-       TODO: check
+       NOT-FOR-US: MSI
 CVE-2026-57172 (DataEase is an open source data visualization and analysis 
tool. Prior ...)
        NOT-FOR-US: DataEase
 CVE-2026-56843 (Incorrect authorization in the XML-RPC API of WebPros Plesk 
before 18. ...)
-       TODO: check
+       NOT-FOR-US: WebPros Plesk
 CVE-2026-56812 (Improper Check for Unusual or Exceptional Conditions 
vulnerability in  ...)
        TODO: check
 CVE-2026-56811 (Allocation of Resources Without Limits or Throttling 
vulnerability in  ...)
        TODO: check
 CVE-2026-56437 (Uncontrolled search path element issue exists in Pupsman 
versions prio ...)
-       TODO: check
+       NOT-FOR-US: Fuji
 CVE-2026-55647 (DataEase is an open source data visualization and analysis 
tool. Prior ...)
        NOT-FOR-US: DataEase
 CVE-2026-55635 (DataEase is an open source data visualization and analysis 
tool. Prior ...)
@@ -113,57 +113,57 @@ CVE-2026-55631 (DataEase is an open source data 
visualization and analysis tool.
 CVE-2026-55592 (Dashy is a self-hostable personal dashboard. Prior to 4.3.7, 
Dashy's w ...)
        TODO: check
 CVE-2026-55490 (OpenWrt is a Linux operating system targeting embedded 
devices. Before ...)
-       TODO: check
+       NOT-FOR-US: OpenWrt
 CVE-2026-55438 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55437 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55436 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55435 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55434 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55433 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55432 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55431 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55430 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55429 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55428 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55427 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55418 (FastGPT is an open source AI knowledge base platform. Prior to 
v4.15.0 ...)
-       TODO: check
+       NOT-FOR-US: FastGPT
 CVE-2026-55417 (Chevereto is a self-hosted media-sharing platform. Starting in 
version ...)
        TODO: check
 CVE-2026-55408 (Koodo Reader is an ebook reader. In version 2.3.0 and earlier, 
Koodo R ...)
-       TODO: check
+       NOT-FOR-US: Koodo Reader
 CVE-2026-55079 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55078 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55077 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55076 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-55075 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-54698 (Hasura is an open-source product that provides users GraphQL 
or REST A ...)
-       TODO: check
+       NOT-FOR-US: Hasura
 CVE-2026-54607 (FastGPT is a knowledge-based AI application platform. Prior to 
4.15.0- ...)
-       TODO: check
+       NOT-FOR-US: FastGPT
 CVE-2026-54602 (FastGPT is a knowledge-based AI application platform. Prior to 
4.15.0, ...)
-       TODO: check
+       NOT-FOR-US: FastGPT
 CVE-2026-54601 (FastGPT is an open source AI knowledge base platform. From 
4.14.17 to  ...)
-       TODO: check
+       NOT-FOR-US: FastGPT
 CVE-2026-53935 (Cilium is a networking, observability, and security solution. 
Prior to ...)
-       TODO: check
+       - cilium <itp> (bug #858303)
 CVE-2026-53751 (DataEase is an open source data visualization and analysis 
tool. Prior ...)
        NOT-FOR-US: DataEase
 CVE-2026-53730 (DataEase is an open source data visualization and analysis 
tool. Prior ...)
@@ -179,7 +179,7 @@ CVE-2026-53481 (Dell PowerProtect Data Domain, versions 
7.7.1.0 through 8.7, LTS
 CVE-2026-53479 (DellPowerProtectData Domain, versions 7.7.1.0 through 8.7, 
LTS2026 rel ...)
        NOT-FOR-US: Dell / EMC
 CVE-2026-51937 (An issue in Oneblog V2.3.9 allows a remote attacker to obtain 
sensitiv ...)
-       TODO: check
+       NOT-FOR-US: Oneblog
 CVE-2026-50811 (An out-of-bounds read vulnerability exists in FreeType 2.14.3 
and vers ...)
        TODO: check
 CVE-2026-50810 (A NULL pointer dereference in smooth_parse_stream_index() in 
src/media ...)
@@ -189,13 +189,13 @@ CVE-2026-50530 (DataEase is an open source data 
visualization and analysis tool.
 CVE-2026-50529 (DataEase is an open source data visualization and analysis 
tool. Prior ...)
        NOT-FOR-US: DataEase
 CVE-2026-50179 (Actual is a local-first personal finance tool. Prior to 
26.6.0, export ...)
-       TODO: check
+       NOT-FOR-US: Actual
 CVE-2026-50007 (Actual is an open-source personal finance application. Prior 
to 26.7.0 ...)
-       TODO: check
+       NOT-FOR-US: Actual
 CVE-2026-49471 (Serena is a powerful MCP toolkit for coding that provides 
semantic ret ...)
-       TODO: check
+       NOT-FOR-US: Serena
 CVE-2026-49229 (Actual is a local-first personal finance app. Prior to 26.6.0, 
in Open ...)
-       TODO: check
+       NOT-FOR-US: Actual
 CVE-2026-49033 (The application contains a stack-based buffer overflow 
vulnerability t ...)
        TODO: check
 CVE-2026-48958 (An improper access check allows unauthorized users to create 
custom fi ...)
@@ -223,27 +223,27 @@ CVE-2026-48948 (An improper access check allows user to 
download vcard exports o
 CVE-2026-48947 (An improper access check allows privileged users to overwrite 
media fi ...)
        NOT-FOR-US: Joomla
 CVE-2026-46700 (Actual is a local-first personal finance tool. Prior to 
26.6.0, the GE ...)
-       TODO: check
+       NOT-FOR-US: Actual
 CVE-2026-46672 (Actual is a local-first personal finance app. Prior to 26.6.0, 
@actual ...)
-       TODO: check
+       NOT-FOR-US: Actual
 CVE-2026-46354 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-45796 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-44938 (A vulnerability has been identified in Fleet's agent-side 
deployer, wh ...)
        TODO: check
 CVE-2026-44877 (An unauthenticated remote disclosure vulnerability has been 
identified ...)
        NOT-FOR-US: HPE
 CVE-2026-44454 (Coder allows organizations to provision remote development 
environment ...)
-       TODO: check
+       NOT-FOR-US: Coder
 CVE-2026-42958 (The application contains a use-after-free vulnerability that 
can be ex ...)
        TODO: check
 CVE-2026-42953 (The application contains an out-of-bounds write vulnerability 
that can ...)
        TODO: check
 CVE-2026-37271 (Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is 
vulnerable ...)
-       TODO: check
+       NOT-FOR-US: Fire-Boltt Smartwatch
 CVE-2026-37270 (Trueview Security camera T18161- AF v4.9.60.0 contains an 
authenticati ...)
-       TODO: check
+       NOT-FOR-US: ActualSecurity camera
 CVE-2026-36163 (An HTML injection vulnerability in the file view endpoint of 
LiquidFil ...)
        TODO: check
 CVE-2026-36162 (An authenticated stored cross-site scripting (XSS) 
vulnerability in th ...)
@@ -251,9 +251,9 @@ CVE-2026-36162 (An authenticated stored cross-site 
scripting (XSS) vulnerability
 CVE-2026-28378 (The public dashboard deletion endpoint does not enforce 
organization i ...)
        TODO: check
 CVE-2026-23698 (Vtiger CRM through 8.4.0 contains an authenticated remote code 
executi ...)
-       TODO: check
+       NOT-FOR-US: Vtiger CRM
 CVE-2026-23697 (Vtiger CRM before 8.4.0 contains an authenticated file upload 
vulnerab ...)
-       TODO: check
+       NOT-FOR-US: Vtiger CRM
 CVE-2026-14969 (A flaw was found in 389-ds-base where the LDBM backend 
attribute encry ...)
        TODO: check
 CVE-2026-14940 (A heap-buffer-overflow flaw was found in 389 Directory Server 
(389-ds- ...)
@@ -287,7 +287,7 @@ CVE-2026-14158 (The Widget Logic Visual plugin for 
WordPress is vulnerable to Re
 CVE-2026-13696 (Improper neutralization of special elements used in an LDAP 
query ('LD ...)
        TODO: check
 CVE-2026-13199 (EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices 
produce ...)
-       TODO: check
+       NOT-FOR-US: Raspberry Pi
 CVE-2026-13020 (A Weak Password Recovery Mechanism for Forgotten Password 
exists in Es ...)
        NOT-FOR-US: Esri
 CVE-2026-13019 (Esri Portal for ArcGIS versions 12.1 and earlier on Windows, 
Linux and ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20a6f24d67d9ada26a45997e8da6fae9ccb07515

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20a6f24d67d9ada26a45997e8da6fae9ccb07515
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to