Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
3de08701 by Salvatore Bonaccorso at 2026-07-12T22:56:43+02:00
Process some more NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -29,35 +29,35 @@ CVE-2026-56241 (Capgo before 12.128.2 contains a privilege
escalation vulnerabil
CVE-2026-56238 (Capgo before 12.128.2 contains an information disclosure
vulnerability ...)
NOT-FOR-US: Cap-go
CVE-2026-15502 (A vulnerability was detected in AojiaoZero Antaris 1.0. This
affects t ...)
- TODO: check
+ NOT-FOR-US: AojiaoZero Antaris
CVE-2026-15501 (A security vulnerability has been detected in AstrBotDevs
AstrBot up t ...)
- TODO: check
+ NOT-FOR-US: AstrBotDevs AstrBot
CVE-2026-15500 (A weakness has been identified in AstrBotDevs AstrBot up to
4.25.2. Af ...)
- TODO: check
+ NOT-FOR-US: AstrBotDevs AstrBot
CVE-2026-15499 (A security flaw has been discovered in AstrBotDevs AstrBot up
to 4.25. ...)
- TODO: check
+ NOT-FOR-US: AstrBotDevs AstrBot
CVE-2026-15498 (A vulnerability was identified in sergomanov SmartHomeAdatum
up to cf4 ...)
- TODO: check
+ NOT-FOR-US: sergomanov SmartHomeAdatum
CVE-2026-15497 (A vulnerability was determined in SonicCloudOrg sonic-agent up
to 2.7. ...)
- TODO: check
+ NOT-FOR-US: SonicCloudOrg
CVE-2026-15496 (A vulnerability was found in SonicCloudOrg sonic-agent up to
2.7.2. Th ...)
- TODO: check
+ NOT-FOR-US: SonicCloudOrg
CVE-2026-15495 (A vulnerability has been found in SonicCloudOrg sonic-agent up
to 2.7. ...)
- TODO: check
+ NOT-FOR-US: SonicCloudOrg
CVE-2026-15494 (A flaw has been found in AMTT Hotel Broadband Operation System
1.0. Im ...)
- TODO: check
+ NOT-FOR-US: AMTT Hotel Broadband Operation System
CVE-2026-15493 (A vulnerability was detected in Akpali9
Attendance-Management-System u ...)
- TODO: check
+ NOT-FOR-US: Akpali9 Attendance-Management-System
CVE-2026-15492 (A security vulnerability has been detected in igweze wizgrade
up to b1 ...)
- TODO: check
+ NOT-FOR-US: igweze wizgrade
CVE-2026-15491 (A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up
to ddfe1 ...)
- TODO: check
+ NOT-FOR-US: RafyMrX TOKO-ONLINE-ROTI
CVE-2026-15490 (A security flaw has been discovered in RafyMrX
TOKO-ONLINE-ROTI up to ...)
- TODO: check
+ NOT-FOR-US: RafyMrX TOKO-ONLINE-ROTI
CVE-2026-15489 (A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up
to ddfe1 ...)
- TODO: check
+ NOT-FOR-US: RafyMrX TOKO-ONLINE-ROTI
CVE-2026-15488 (A vulnerability was determined in hcr707305003 shiroiAdmin
1.1/1.3. Af ...)
- TODO: check
+ NOT-FOR-US: hcr707305003 shiroiAdmin
CVE-2026-15487 (A vulnerability was found in TRENDnet TEW-821DAP 1.11B03. This
impacts ...)
NOT-FOR-US: TRENDnet
CVE-2026-15486 (A vulnerability has been found in TRENDnet TEW-821DAP 1.11B03.
This af ...)
@@ -83,31 +83,31 @@ CVE-2026-15484 (A vulnerability was detected in TRENDnet
TEW-821DAP 1.12B01. The
CVE-2026-15483 (A security vulnerability has been detected in TRENDnet
TEW-821DAP 1.12 ...)
NOT-FOR-US: TRENDnet
CVE-2026-15482 (A weakness has been identified in Aster Telecom Azcall 10/11.
This iss ...)
- TODO: check
+ NOT-FOR-US: Aster Telecom Azcall
CVE-2026-15481 (A security flaw has been discovered in Trendnet TEW-635BRM up
to 1.00. ...)
NOT-FOR-US: TRENDnet
CVE-2026-15480 (A vulnerability was identified in Trendnet TEW-635BRM up to
1.00.03. T ...)
NOT-FOR-US: TRENDnet
CVE-2026-15479 (A vulnerability was found in H3C NX15 V100R017. Affected by
this vulne ...)
- TODO: check
+ NOT-FOR-US: H3C
CVE-2026-15478 (A flaw has been found in IceHRM up to 35.0.1. This impacts an
unknown ...)
- TODO: check
+ NOT-FOR-US: IceHRM
CVE-2026-15477 (A vulnerability was detected in Bahmni bahmnicore up to 0.93.
This aff ...)
- TODO: check
+ NOT-FOR-US: Bahmni bahmnicore
CVE-2026-15476 (A security vulnerability has been detected in QILING Disk
Master 6.0.0 ...)
- TODO: check
+ NOT-FOR-US: QILING Disk Master
CVE-2026-15475 (A weakness has been identified in MiniTool Partition Wizard up
to 13.6 ...)
- TODO: check
+ NOT-FOR-US: MiniTool Partition Wizard
CVE-2026-15474 (A security flaw has been discovered in Eleveo Call Recording
Software ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15473 (A vulnerability was identified in Eleveo Call Recording
Software 9.7.0 ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15472 (A vulnerability was determined in Eleveo Call Recording
Software 9.7.0 ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15471 (A vulnerability was found in Eleveo Call Recording Software
9.7.0. Thi ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15470 (A vulnerability has been found in Eleveo Call Recording
Software 9.7.0 ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-61870 (ImageMagick before 7.1.2-26 contains a memory leak
vulnerability in th ...)
- imagemagick 8:7.1.2.26+dfsg1-1
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-m596-67p7-69wh
@@ -365,9 +365,9 @@ CVE-2026-45196 (Kernel software installed and running
inside a Host VM may post
CVE-2026-44795 (Spinnaker is an open source, multi-cloud continuous delivery
platform. ...)
NOT-FOR-US: Spinnaker
CVE-2026-44383 (Multiple connections to the backend using the same charging
station ID ...)
- TODO: check
+ NOT-FOR-US: Hydro-Quebec
CVE-2026-42952 (Previously, there was no throttling on repeated authentication
attempt ...)
- TODO: check
+ NOT-FOR-US: Hydro-Quebec
CVE-2026-42219 (Frappe is a full-stack web application framework. Prior to
16.19.0 and ...)
NOT-FOR-US: Frappe
CVE-2026-41482 (Frappe is a full-stack web application framework. Prior to
16.18.3, po ...)
@@ -776,15 +776,15 @@ CVE-2026-51119 (An issue in Invixium IXM WEB v.2.3.85.25
allows an attacker to e
CVE-2026-46388 (osquery is a SQL powered operating system instrumentation,
monitoring, ...)
TODO: check
CVE-2026-41880 (R-SOFT DMS is vulnerable toOS Command Injection in the Optical
Charact ...)
- TODO: check
+ NOT-FOR-US: R-SOFT DMS
CVE-2026-41879 (R-SOFT DMSstores superadmin credentials using a non-salted
nested MD5 ...)
- TODO: check
+ NOT-FOR-US: R-SOFT DMS
CVE-2026-41878 (R-SOFT DMS is vulnerable toInsecure Direct Object Reference
(IDOR) att ...)
- TODO: check
+ NOT-FOR-US: R-SOFT DMS
CVE-2026-41877 (R-SOFT DMS is vulnerable to Stored XSS in file upload
functionality. A ...)
- TODO: check
+ NOT-FOR-US: R-SOFT DMS
CVE-2026-41876 (R-SOFT DMS is vulnerable toOS Command Injection in
konwertujAction() f ...)
- TODO: check
+ NOT-FOR-US: R-SOFT DMS
CVE-2026-40454 (Out-of-bounds Read, Improper Input Validation vulnerability in
Apache ...)
TODO: check
CVE-2026-40452 (Incorrect Authorization, Improper Access Control vulnerability
in Apac ...)
@@ -802,29 +802,29 @@ CVE-2026-40005 (Improper Limitation of a Pathname to a
Restricted Directory ('Pa
CVE-2026-3907 (The Hostel plugin for WordPress is vulnerable to Stored
Cross-Site Scr ...)
NOT-FOR-US: WordPress plugin
CVE-2026-3251 (Improper neutralization of input during web page generation
('cross-si ...)
- TODO: check
+ NOT-FOR-US: Webremium Istanbul Web Design Mezunum Satiyorum
CVE-2026-39903 (Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0
Alpha 5 ...)
- TODO: check
+ NOT-FOR-US: Simple Machines Forum
CVE-2026-39244 (adm-zip before 0.5.18 is vulnerable to denial of service via a
crafted ...)
TODO: check
CVE-2026-38059 (The iDirect iQ200 exposes the /api/identity and /api/ REST API
endpoin ...)
- TODO: check
+ NOT-FOR-US: iDirect iQ200
CVE-2026-38057 (The iDirect iQ200 does not validate CSRF tokens on
state-changing API ...)
- TODO: check
+ NOT-FOR-US: iDirect iQ200
CVE-2026-33382 (Several Grafana API endpoints, some of them unauthenticated,
do not li ...)
NOT-FOR-US: Grafana Labs
CVE-2026-2398 (Authorization bypass through User-Controlled key vulnerability
in Adam ...)
- TODO: check
+ NOT-FOR-US: Adam Retail Automation
CVE-2026-2397 (Improper neutralization of special elements used in an SQL
command ('S ...)
- TODO: check
+ NOT-FOR-US: Adam Retail Automation
CVE-2026-29519 (Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and
7.0.x r ...)
- TODO: check
+ NOT-FOR-US: Lucee CFML Server
CVE-2026-28564 (Insufficient Session Expiration, Authentication Bypass by
Capture-repl ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-22660 (FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a
logic flaw ...)
- TODO: check
+ NOT-FOR-US: FlaskBBFlaskBB
CVE-2026-22659 (FlaskBB through 2.2.0, fixed in commit acc88cf, contains an
authorizat ...)
- TODO: check
+ NOT-FOR-US: FlaskBBFlaskBB
CVE-2026-1946 (The GW AI Website Builder plugin for WordPress is vulnerable to
unauth ...)
NOT-FOR-US: WordPress plugin
CVE-2026-1667 (The SEO Plugin by Squirrly SEO plugin for WordPress is
vulnerable to A ...)
@@ -832,15 +832,15 @@ CVE-2026-1667 (The SEO Plugin by Squirrly SEO plugin for
WordPress is vulnerable
CVE-2026-15378 (A flaw was found in the `guardrails-detectors` component. This
vulnera ...)
TODO: check
CVE-2026-15377 (A vulnerability was determined in Eleveo Call Recording
Software 9.7.0 ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15376 (A vulnerability was found in Eleveo Call Recording Software
9.7.0. Aff ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15375 (A vulnerability has been found in Eleveo Call Recording
Software 9.7.0 ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15374 (A flaw has been found in Eleveo Call Recording Software 9.7.0.
This af ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15373 (A vulnerability was detected in Eleveo Call Recording Software
9.7.0. ...)
- TODO: check
+ NOT-FOR-US: Eleveo Call Recording Software
CVE-2026-15146 (GNU Wget does not validate the IP address provided by an FTP
PASV resp ...)
TODO: check
CVE-2026-15143 (A flaw was found in the file_type content detector of
guardrails-detec ...)
@@ -1024,7 +1024,7 @@ CVE-2026-45780 (Discourse is an open-source discussion
platform. Prior to 2026.6
CVE-2026-44787 (Discourse is an open-source discussion platform. Prior to
2026.6.0, 20 ...)
NOT-FOR-US: Discourse
CVE-2026-44342 (New API is a large language mode (LLM) gateway and artificial
intellig ...)
- TODO: check
+ NOT-FOR-US: New API
CVE-2026-39246 (decompress before 4.2.2 allows arbitrary symlink creation
during archi ...)
TODO: check
CVE-2026-39245 (decompress before 4.2.2 contains an improper path containment
check th ...)
@@ -1046,9 +1046,9 @@ CVE-2026-33799 (An Out-of-bounds Write vulnerability in
the SNMP daemon (snmpd)
CVE-2026-33794 (An Improper Check for Unusual or Exceptional Conditions
vulnerability ...)
NOT-FOR-US: Juniper
CVE-2026-33655 (New API is a large language mode (LLM) gateway and artificial
intellig ...)
- TODO: check
+ NOT-FOR-US: New API
CVE-2026-31267 (Mercusys MW302R MW302R(EU)_V1_1.4.10 Build 231023 is
vulnerable to Buf ...)
- TODO: check
+ NOT-FOR-US: Mercusys
CVE-2026-21901 (A NULL Pointer Dereference vulnerability in the management
daemon (mgd ...)
NOT-FOR-US: Juniper
CVE-2026-21057 (Improper input validation in Samsung Pass prior to version
5.2.10.3 al ...)
@@ -1088,17 +1088,17 @@ CVE-2026-21040 (Improper access control in IAFDService
prior to SMR Jul-2026 Rel
CVE-2026-21039 (Improper access control in Settings prior to SMR Jul-2026
Release 1 al ...)
NOT-FOR-US: Samsung Mobile
CVE-2026-15332 (A security flaw has been discovered in zhayujie CowAgent up to
2.1.0. ...)
- TODO: check
+ NOT-FOR-US: zhayujie CowAgent
CVE-2026-15331 (A vulnerability was identified in zhayujie CowAgent up to
2.1.0. The a ...)
- TODO: check
+ NOT-FOR-US: zhayujie CowAgent
CVE-2026-15330 (A vulnerability was determined in zhayujie CowAgent up to
2.1.1. Impac ...)
- TODO: check
+ NOT-FOR-US: zhayujie CowAgent
CVE-2026-15329 (A vulnerability was found in zhayujie CowAgent up to 2.1.0.
This issue ...)
- TODO: check
+ NOT-FOR-US: zhayujie CowAgent
CVE-2026-15326 (A vulnerability was identified in halo-dev halo up to 2.24.2.
This aff ...)
TODO: check
CVE-2026-15321 (A vulnerability was found in MyEMS up to 6.4.0. The affected
element i ...)
- TODO: check
+ NOT-FOR-US: MyEMS
CVE-2026-15320 (A vulnerability was detected in Sipeed PicoClaw up to 0.2.9.
This vuln ...)
TODO: check
CVE-2026-15319 (A security vulnerability has been detected in Sipeed PicoClaw
up to 0. ...)
@@ -1767,21 +1767,21 @@ CVE-2026-52200 (An issue in Generic OEM UZ801_v2.1 4G
LTE Router V3.4.3 allows a
CVE-2026-51535 (In OpENer 2.3.0 (commit 76b95cf), a resource exhaustion
(Denial of Ser ...)
NOT-FOR-US: OpENer
CVE-2026-49866 (libp2p is a JavaScript Implementation of libp2p networking
stack. Prio ...)
- TODO: check
+ NOT-FOR-US: js-libp2p
CVE-2026-48492 (Snipe-IT is an IT asset/license management system. Prior to
version 8. ...)
- snipe-it <itp> (bug #1005172)
CVE-2026-47840 (A network attacker positioned between UAA and its LDAP
directory can i ...)
- TODO: check
+ NOT-FOR-US: Cloud Foundry UAA
CVE-2026-47831 (Use of a cryptographically weak random number generator in the
Generat ...)
- TODO: check
+ NOT-FOR-US: bosh-windows-stemcell-builder
CVE-2026-47830 (Incorrect Permission Assignment in BOSH.Utils.psm1 in
BOSH-Ecosystem b ...)
- TODO: check
+ NOT-FOR-US: bosh-windows-stemcell-builder
CVE-2026-47829 (Argument Injection in bosh-cli allows a compromised BOSH
Director to i ...)
- TODO: check
+ NOT-FOR-US: bosh-cli
CVE-2026-47828 (During bosh create-env and bosh delete-env, the CLI uploads
compiled C ...)
- TODO: check
+ NOT-FOR-US: bosh-cli
CVE-2026-47826 (The blobs.yml path key traversal vulnerability in the BOSH CLI
tool al ...)
- TODO: check
+ NOT-FOR-US: bosh-cli
CVE-2026-47646 (Improper neutralization of input during web page generation
('cross-si ...)
NOT-FOR-US: Microsoft
CVE-2026-45045 (Fiber is an Express inspired web framework written in Go.
Prior to 3.3 ...)
@@ -1815,7 +1815,7 @@ CVE-2026-35211 (OpenCTI is an open source platform for
managing cyber threat int
CVE-2026-35210 (OpenCTI is an open source platform for managing cyber threat
intellige ...)
NOT-FOR-US: OpenCTI
CVE-2026-31309 (Improper authorization in the /tequilapi/config/user endpoint
of Myste ...)
- TODO: check
+ NOT-FOR-US: Mysterium Node
CVE-2026-15174 (Catapult DCT2000 protocol dissector crash in Wireshark 4.6.0
to 4.6.6 ...)
NOT-FOR-US: GitLab (used to be packaged in the Debian archive as
src:gitlab, but never in a stable release)
CVE-2026-15173 (pcapng file parser crash in Wireshark 4.6.0 to 4.6.6 allows
denial of ...)
@@ -2344,7 +2344,7 @@ CVE-2026-49145 (App::Ack versions through 3.10.0 for Perl
read arbitrary files v
NOTE: Fixed by:
https://github.com/beyondgrep/ack3/commit/45ff5fe77dbd96f7332f31943102291f878f30b8
(v3.10.0)
NOTE: v3.10.0 only released with a partial fix for the --follow-option.
CVE-2026-44840 (Dgraph is an open source distributed GraphQL database. Prior
to versio ...)
- TODO: check
+ NOT-FOR-US: Dgraph
CVE-2026-41122 (Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7,
LTS2026 r ...)
NOT-FOR-US: Dell / EMC
CVE-2026-41042 (Unauthenticated callers can supply a malicious H2 JDBC URL
through the ...)
@@ -2368,7 +2368,7 @@ CVE-2026-24698 (An OS command injection vulnerability
exists in the save_syslog_
CVE-2026-24697 (An OS command injection vulnerability exists in the
start_bonjour() fu ...)
TODO: check
CVE-2026-22927 (Omnissa Workspace ONE\xae Tunnel for Windows addresses a
Local Privi ...)
- TODO: check
+ NOT-FOR-US: Omnissa
CVE-2026-15067 (Snowflake Terraform Provider versions prior to 2.18.0 contain
several ...)
TODO: check
CVE-2026-15063 (A flaw was found in the gorch service template, which is part
of the t ...)
@@ -2674,7 +2674,7 @@ CVE-2026-49471 (Serena is a powerful MCP toolkit for
coding that provides semant
CVE-2026-49229 (Actual is a local-first personal finance app. Prior to 26.6.0,
in Open ...)
NOT-FOR-US: Actual
CVE-2026-49033 (The application contains a stack-based buffer overflow
vulnerability t ...)
- TODO: check
+ NOT-FOR-US: Labcenter
CVE-2026-48958 (An improper access check allows unauthorized users to create
custom fi ...)
NOT-FOR-US: Joomla
CVE-2026-48957 (An improper access check allows unauthorized users to access
com_priva ...)
@@ -2722,9 +2722,9 @@ CVE-2026-37271 (Fire-Boltt Smartwatch FB BGS001 Firmware:
MOY-JS14-2.0.4 is vuln
CVE-2026-37270 (Trueview Security camera T18161- AF v4.9.60.0 contains an
authenticati ...)
NOT-FOR-US: ActualSecurity camera
CVE-2026-36163 (An HTML injection vulnerability in the file view endpoint of
LiquidFil ...)
- TODO: check
+ NOT-FOR-US: LiquidFiles
CVE-2026-36162 (An authenticated stored cross-site scripting (XSS)
vulnerability in th ...)
- TODO: check
+ NOT-FOR-US: LiquidFiles
CVE-2026-28378 (The public dashboard deletion endpoint does not enforce
organization i ...)
TODO: check
CVE-2026-23698 (Vtiger CRM through 8.4.0 contains an authenticated remote code
executi ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3de08701c8a8639eaaf302d13b1e036e02c18af1
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3de08701c8a8639eaaf302d13b1e036e02c18af1
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits