Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b34b3d27 by Salvatore Bonaccorso at 2026-06-18T22:02:09+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -68,29 +68,29 @@ CVE-2026-54220 (uBB.threads is vulnerable to aCross-Site
Request Forgery (CSRF)
CVE-2026-54219 (UBB.threads is vulnerable to Stored XSS via user posts and
user profil ...)
NOT-FOR-US: UBB.threads
CVE-2026-54106 (The U.S. Government Accountability Office (GAO) Electronic
Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-54105 (The U.S. Government Accountability Office (GAO) Electronic
Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-54104 (The U.S. Government Accountability Office (GAO) Electronic
Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-54103 (The U.S. Government Accountability Office (GAO) Electronic
Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-50643 (8cc is vulnerable to an Out\u2011of\u2011Bounds Read due to
improper h ...)
- TODO: check
+ NOT-FOR-US: 8cc
CVE-2026-50141 (Woodpecker is a CI/CD engine. Starting in version 3.0.0 and
prior to v ...)
TODO: check
CVE-2026-48986 (pam_usb provides hardware authentication for Linux using
removable med ...)
- TODO: check
+ NOT-FOR-US: pam_usb
CVE-2026-48985 (pam_usb provides hardware authentication for Linux using
ordinary remo ...)
- TODO: check
+ NOT-FOR-US: pam_usb
CVE-2026-48984 (pam_usb provides hardware authentication for Linux using
ordinary remo ...)
- TODO: check
+ NOT-FOR-US: pam_usb
CVE-2026-48937 (A flaw in Node.js HTTP/2 server API can cause servers to keep
acceptin ...)
TODO: check
CVE-2026-48617 (A flaw in Node.js Permission Model enforcement allows Bypass
via `proc ...)
TODO: check
CVE-2026-47833 (setupBpmLogs follows symlink for bpm.log open and chown \u2014
contain ...)
- TODO: check
+ NOT-FOR-US: setupBpmLogs
CVE-2026-46580 (In Eclipse Theia versions prior to 1.71.0, files matching the
pattern ...)
TODO: check
CVE-2026-44942 (A path traversal in handling the "path" component of .repo
files proce ...)
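Review bot: "NOT-FOR-US: setupBpmLogs" names a function from the CVE description rather than the affected software, which is the convention the rest of this hunk follows (8cc, pam_usb, Government Accountability Office); since the visible description ("setupBpmLogs follows symlink for bpm.log open and chown") never says which project that function belongs to, the entry should name the product (or the vendor/package the CVE record lists) so the file stays greppable by project. As a side note, the 8cc and setupBpmLogs descriptions in the unchanged context contain literal "\u2011" and "\u2014" escape sequences instead of the characters themselves, which looks like an importer artefact rather than something this commit introduced.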
@@ -106,15 +106,15 @@ CVE-2026-40456 (An OS Command Injection vulnerability
exists in LMS (LAN Managem
CVE-2026-40455 (An SQL Injection vulnerability exists in LMS (LAN Management
System) b ...)
TODO: check
CVE-2026-38718 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042
(including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38717 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042
(including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38716 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042
(including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38715 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042
(including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38714 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042
(including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-2021 (The Slideshow Gallery LITE plugin for WordPress is vulnerable
to Store ...)
NOT-FOR-US: WordPress plugin
CVE-2026-28573 (In AndroidManifest.xml, there is a possible persistent denial
of servi ...)
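Review bot: all five new entries read "NOT-FOR-US: InHand Networks IR912", but each description covers "IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042"; labelling them "InHand Networks IR912/IR915" (or just "InHand Networks") would match the affected-product list and make the entries findable by either model name.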
@@ -539,7 +539,7 @@ CVE-2026-48142 (NGINX Plus and NGINX Open Source have a
vulnerability in the ngx
NOTE:
https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7
(release-1.30.3)
NOTE:
https://github.com/nginx/nginx/commit/319a0bff157b15d9061f4712b2edbe6fdd2dee66
(release-1.31.2)
CVE-2026-48117 (DroneAware is a drone detection platform. The centralized
DroneAware s ...)
- TODO: check
+ NOT-FOR-US: DroneAware
CVE-2026-47340 (Allow authenticated users to access alert instances associated
with al ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-47103 (Python StateMachine versions 3.0.0 before 3.2.0 contains a
remote code ...)
@@ -618,7 +618,7 @@ CVE-2026-40641 (Dell PowerFlex Manager, version(s) 4.6.0.1,
contain(s) an Use of
CVE-2026-3894 (Out-of-bounds Read vulnerability in RTI Connext Professional
(Core Lib ...)
NOT-FOR-US: RTI Connext
CVE-2026-3490 (picklescan before 1.0.4 fails to block pkgutil.resolve_name,
allowing ...)
- TODO: check
+ NOT-FOR-US: picklescan
CVE-2026-39597 (Unauthenticated Cross Site Scripting (XSS) in WPZOOM Addons
for Elemen ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-39596 (Unauthenticated SQL Injection in Blocksy Companion Pro <
2.1.29 versio ...)
@@ -658,7 +658,7 @@ CVE-2026-39442 (Unauthenticated PHP Object Injection in
PressMart <= 1.2.26 vers
CVE-2026-39199 (snes9x 1.63 allows an out-of-bounds write and denial of
service via a ...)
TODO: check
CVE-2026-36418 (JimuReport versions 2.3.4 and below are vulnerable to remote
code exec ...)
- TODO: check
+ NOT-FOR-US: JimuReport
CVE-2026-35162 (Dell PowerFlex Manager, version(s) [Versions], contain(s) an
Improper ...)
NOT-FOR-US: Dell / EMC
CVE-2026-35069 (Dell PowerFlex Manager, version(s) [Versions], contain(s) an
Improper ...)
@@ -1386,7 +1386,7 @@ CVE-2026-46766 (Vulnerability in the Oracle WebCenter
Content product of Oracle
CVE-2026-46765 (Vulnerability in the Oracle WebCenter Portal product of Oracle
Fusion ...)
NOT-FOR-US: Oracle
CVE-2026-44587 (CarrierWave is a framework to upload files from Ruby
applications. In ...)
- TODO: check
+ NOT-FOR-US: CarrierWave
CVE-2026-40761 (Unauthenticated PHP Object Injection in Valeska <= 1.2.2
versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-40760 (Unauthenticated PHP Object Injection in Behold <= 1.5
versions.)
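Review bot: before settling on "NOT-FOR-US: CarrierWave", it is worth checking the archive for a ruby-carrierwave source package: the description identifies CarrierWave as "a framework to upload files from Ruby applications", and Ruby gems pulled in as dependencies of packaged applications are commonly in Debian under a ruby-* name, in which case the entry should carry the source package and a version/status instead of NOT-FOR-US.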
@@ -2649,27 +2649,27 @@ CVE-2026-48836 (Unauthenticated Remote Code Execution
(RCE) in Easy Invoice <= 2
CVE-2026-48835 (Unauthenticated Broken Access Control in Contact Form by
WPForms <= 1. ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-48723 (The browserstack-cypress-cli is BrowserStack's CLI which
allows users ...)
- TODO: check
+ NOT-FOR-US: browserstack-cypress-cli
CVE-2026-48714 (i18next-http-middleware is a middleware to be used with
Node.js web fr ...)
- TODO: check
+ NOT-FOR-US: i18next-http-middleware
CVE-2026-48713 (Versions prior to 2.6.6 are vulnerable to prototype pollution
via craf ...)
- TODO: check
+ NOT-FOR-US: i18next-fs-backend
CVE-2026-48709 (OliveTin gives access to predefined shell commands from a web
interfac ...)
- TODO: check
+ NOT-FOR-US: OliveTin
CVE-2026-48708 (OliveTin gives access to predefined shell commands from a web
interfac ...)
- TODO: check
+ NOT-FOR-US: OliveTin
CVE-2026-48599 (Authorization Bypass Through User-Controlled Key vulnerability
in elix ...)
- TODO: check
+ NOT-FOR-US: elixir-grpc grpc
CVE-2026-48518 (MultiJuicer is used to run separate Juice Shop instances on a
central ...)
- TODO: check
+ NOT-FOR-US: MultiJuicer
CVE-2026-48157 (Slim is a PHP micro framework that enables users to write
simple web a ...)
TODO: check
CVE-2026-48124 (Cursor is a code editor built for programming with AI. In
versions pri ...)
- TODO: check
+ NOT-FOR-US: Cursor
CVE-2026-48114 (Metacat is data repository software that helps researchers
preserve, s ...)
- TODO: check
+ NOT-FOR-US: Metacat
CVE-2026-48017 (DbGate is cross-platform database manager. In versions 7.1.8
and prior ...)
- TODO: check
+ NOT-FOR-US: DbGate
CVE-2026-47835 (In Spring AI Vector Stores, special characters could be used
to force ...)
NOT-FOR-US: VMware
CVE-2026-47825 (Spring Cloud Gateway Server forwards the X-Forwarded-For and
Forwarded ...)
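Review bot: the CVE-2026-48713 description ("Versions prior to 2.6.6 are vulnerable to prototype pollution via craf ...") never names the affected project, yet the new line reads "NOT-FOR-US: i18next-fs-backend"; adding a NOTE line with the advisory or repository the product name was taken from would let a later reader confirm the attribution without redoing the lookup. The same applies, less urgently, to "NOT-FOR-US: elixir-grpc grpc", where the project/package pairing is also not derivable from the truncated description.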
@@ -2920,9 +2920,9 @@ CVE-2026-39007 (An issue in Observeinc's Observe
v.2026-01-28 and before allows
CVE-2026-39006 (An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to
execute arb ...)
TODO: check
CVE-2026-38812 (RuoYi v4.8.2 is vulnerable to SQL Injection via the
/tool/gen/createTa ...)
- TODO: check
+ NOT-FOR-US: RuoYi
CVE-2026-38329 (Bludit CMS before version 3.18.4 allows Remote Code Execution
(RCE) vi ...)
- TODO: check
+ NOT-FOR-US: Bludit CMS
CVE-2026-38065 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command
injecti ...)
NOT-FOR-US: Tenda
CVE-2026-38064 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command
injecti ...)
@@ -2936,17 +2936,17 @@ CVE-2026-38061 (Tenda 5G03 V05.03.02.04 (Version 1.0)
is vulnerable to Command i
CVE-2026-38060 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command
injecti ...)
NOT-FOR-US: Tenda
CVE-2026-37216 (Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the
interfa ...)
- TODO: check
+ NOT-FOR-US: Ruoyi
CVE-2026-36933 (An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a
physical ...)
- TODO: check
+ NOT-FOR-US: Boyleep K11, y108 firmware
CVE-2026-36670 (A Time-Based Blind SQL Injection vulnerability in the
alias_management ...)
TODO: check
CVE-2026-36537 (ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass
during ...)
- TODO: check
+ NOT-FOR-US: ThingsBoard
CVE-2026-36521 (PublicCMS V5.202506.d has a Cross Site Scripting (XSS)
vulnerability i ...)
- TODO: check
+ NOT-FOR-US: PublicCMS
CVE-2026-36213 (An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a
local att ...)
- TODO: check
+ NOT-FOR-US: Microvirt MEmu Android Emulator
CVE-2026-34902 (Unauthenticated Cross Site Scripting (XSS) in WooCommerce
Product Tabl ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-34901 (Unauthenticated Privilege Escalation in iControlWP <= 5.5.3
versions.)
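Review bot: "NOT-FOR-US: Ruoyi" for CVE-2026-37216 spells the product differently from "NOT-FOR-US: RuoYi" added earlier in this commit for CVE-2026-38812; picking one spelling (the project writes it RuoYi, which the CVE-2026-38812 description also uses) keeps a case-sensitive grep for the product from missing half the entries.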
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b34b3d27ba1b685250fe57290d3c038052676a07
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits