Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b34b3d27 by Salvatore Bonaccorso at 2026-06-18T22:02:09+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -68,29 +68,29 @@ CVE-2026-54220 (uBB.threads is vulnerable to aCross-Site 
Request Forgery (CSRF)
 CVE-2026-54219 (UBB.threads is vulnerable to Stored XSS via user posts and 
user profil ...)
        NOT-FOR-US: UBB.threads
 CVE-2026-54106 (The U.S. Government Accountability Office (GAO) Electronic 
Protest Doc ...)
-       TODO: check
+       NOT-FOR-US: Government Accountability Office
 CVE-2026-54105 (The U.S. Government Accountability Office (GAO) Electronic 
Protest Doc ...)
-       TODO: check
+       NOT-FOR-US: Government Accountability Office
 CVE-2026-54104 (The U.S. Government Accountability Office (GAO) Electronic 
Protest Doc ...)
-       TODO: check
+       NOT-FOR-US: Government Accountability Office
 CVE-2026-54103 (The U.S. Government Accountability Office (GAO) Electronic 
Protest Doc ...)
-       TODO: check
+       NOT-FOR-US: Government Accountability Office
 CVE-2026-50643 (8cc is vulnerable to an Out\u2011of\u2011Bounds Read due to 
improper h ...)
-       TODO: check
+       NOT-FOR-US: 8cc
 CVE-2026-50141 (Woodpecker is a CI/CD engine. Starting in version 3.0.0 and 
prior to v ...)
        TODO: check
 CVE-2026-48986 (pam_usb provides hardware authentication for Linux using 
removable med ...)
-       TODO: check
+       NOT-FOR-US: pam_usb
 CVE-2026-48985 (pam_usb provides hardware authentication for Linux using 
ordinary remo ...)
-       TODO: check
+       NOT-FOR-US: pam_usb
 CVE-2026-48984 (pam_usb provides hardware authentication for Linux using 
ordinary remo ...)
-       TODO: check
+       NOT-FOR-US: pam_usb
 CVE-2026-48937 (A flaw in Node.js HTTP/2 server API can cause servers to keep 
acceptin ...)
        TODO: check
 CVE-2026-48617 (A flaw in Node.js Permission Model enforcement allows Bypass 
via `proc ...)
        TODO: check
 CVE-2026-47833 (setupBpmLogs follows symlink for bpm.log open and chown \u2014 
contain ...)
-       TODO: check
+       NOT-FOR-US: setupBpmLogs
 CVE-2026-46580 (In Eclipse Theia versions prior to 1.71.0, files matching the 
pattern  ...)
        TODO: check
 CVE-2026-44942 (A path traversal in handling the "path" component of .repo 
files proce ...)
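Review bot: the tag `NOT-FOR-US: setupBpmLogs` for CVE-2026-47833 names a function rather than the affected product, so the reason cannot be audited against the archive later; the description is truncated here, so the vendor or product name from the full CVE text should be used instead. The four GAO entries have the same weakness in milder form, naming the organisation rather than the "Electronic Protest Doc ..." product their description mentions. For the three pam_usb entries, whose description says the software provides hardware authentication for Linux, a quick archive search for any Debian package shipping it before closing them would make the NOT-FOR-US determination more robust.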
@@ -106,15 +106,15 @@ CVE-2026-40456 (An OS Command Injection vulnerability 
exists in LMS (LAN Managem
 CVE-2026-40455 (An SQL Injection vulnerability exists in LMS (LAN Management 
System) b ...)
        TODO: check
 CVE-2026-38718 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 
(including ...)
-       TODO: check
+       NOT-FOR-US: InHand Networks IR912
 CVE-2026-38717 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 
(including ...)
-       TODO: check
+       NOT-FOR-US: InHand Networks IR912
 CVE-2026-38716 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 
(including ...)
-       TODO: check
+       NOT-FOR-US: InHand Networks IR912
 CVE-2026-38715 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 
(including ...)
-       TODO: check
+       NOT-FOR-US: InHand Networks IR912
 CVE-2026-38714 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 
(including ...)
-       TODO: check
+       NOT-FOR-US: InHand Networks IR912
 CVE-2026-2021 (The Slideshow Gallery LITE plugin for WordPress is vulnerable 
to Store ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-28573 (In AndroidManifest.xml, there is a possible persistent denial 
of servi ...)
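Review bot: the five new `NOT-FOR-US: InHand Networks IR912` tags name only the IR912, while every description in the hunk lists both IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042; either include IR915 or use the vendor-level form `NOT-FOR-US: InHand Networks`, which matches how other hardware entries in this file are tagged (`NOT-FOR-US: Tenda`).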
@@ -539,7 +539,7 @@ CVE-2026-48142 (NGINX Plus and NGINX Open Source have a 
vulnerability in the ngx
        NOTE: 
https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7 
(release-1.30.3)
        NOTE: 
https://github.com/nginx/nginx/commit/319a0bff157b15d9061f4712b2edbe6fdd2dee66 
(release-1.31.2)
 CVE-2026-48117 (DroneAware is a drone detection platform. The centralized 
DroneAware s ...)
-       TODO: check
+       NOT-FOR-US: DroneAware
 CVE-2026-47340 (Allow authenticated users to access alert instances associated 
with al ...)
        NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-47103 (Python StateMachine versions 3.0.0 before 3.2.0 contains a 
remote code ...)
@@ -618,7 +618,7 @@ CVE-2026-40641 (Dell PowerFlex Manager, version(s) 4.6.0.1, 
contain(s) an Use of
 CVE-2026-3894 (Out-of-bounds Read vulnerability in RTI Connext Professional 
(Core Lib ...)
        NOT-FOR-US: RTI Connext
 CVE-2026-3490 (picklescan before 1.0.4 fails to block pkgutil.resolve_name, 
allowing  ...)
-       TODO: check
+       NOT-FOR-US: picklescan
 CVE-2026-39597 (Unauthenticated Cross Site Scripting (XSS) in WPZOOM Addons 
for Elemen ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-39596 (Unauthenticated SQL Injection in Blocksy Companion Pro < 
2.1.29 versio ...)
@@ -658,7 +658,7 @@ CVE-2026-39442 (Unauthenticated PHP Object Injection in 
PressMart <= 1.2.26 vers
 CVE-2026-39199 (snes9x 1.63 allows an out-of-bounds write and denial of 
service via a  ...)
        TODO: check
 CVE-2026-36418 (JimuReport versions 2.3.4 and below are vulnerable to remote 
code exec ...)
-       TODO: check
+       NOT-FOR-US: JimuReport
 CVE-2026-35162 (Dell PowerFlex Manager, version(s) [Versions], contain(s) an 
Improper  ...)
        NOT-FOR-US: Dell / EMC
 CVE-2026-35069 (Dell PowerFlex Manager, version(s) [Versions], contain(s) an 
Improper  ...)
@@ -1386,7 +1386,7 @@ CVE-2026-46766 (Vulnerability in the Oracle WebCenter 
Content product of Oracle
 CVE-2026-46765 (Vulnerability in the Oracle WebCenter Portal product of Oracle 
Fusion  ...)
        NOT-FOR-US: Oracle
 CVE-2026-44587 (CarrierWave is a framework to upload files from Ruby 
applications. In  ...)
-       TODO: check
+       NOT-FOR-US: CarrierWave
 CVE-2026-40761 (Unauthenticated PHP Object Injection in Valeska <= 1.2.2 
versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-40760 (Unauthenticated PHP Object Injection in Behold <= 1.5 
versions.)
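Review bot: `NOT-FOR-US: CarrierWave` for CVE-2026-44587 deserves a second look: the description identifies it as a framework for uploading files from Ruby applications, and Ruby gems used by packaged applications frequently exist in the archive under a `ruby-` prefix, so confirm that no `ruby-carrierwave` source package is present in any suite before closing it as not for us; if one exists, the entry should be tracked against that package instead, with a NOTE pointing at the upstream advisory.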
@@ -2649,27 +2649,27 @@ CVE-2026-48836 (Unauthenticated Remote Code Execution 
(RCE) in Easy Invoice <= 2
 CVE-2026-48835 (Unauthenticated Broken Access Control in Contact Form by 
WPForms <= 1. ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-48723 (The browserstack-cypress-cli is BrowserStack's CLI which 
allows users  ...)
-       TODO: check
+       NOT-FOR-US: browserstack-cypress-cli
 CVE-2026-48714 (i18next-http-middleware is a middleware to be used with 
Node.js web fr ...)
-       TODO: check
+       NOT-FOR-US: i18next-http-middleware
 CVE-2026-48713 (Versions prior to 2.6.6 are vulnerable to prototype pollution 
via craf ...)
-       TODO: check
+       NOT-FOR-US: i18next-fs-backend
 CVE-2026-48709 (OliveTin gives access to predefined shell commands from a web 
interfac ...)
-       TODO: check
+       NOT-FOR-US: OliveTin
 CVE-2026-48708 (OliveTin gives access to predefined shell commands from a web 
interfac ...)
-       TODO: check
+       NOT-FOR-US: OliveTin
 CVE-2026-48599 (Authorization Bypass Through User-Controlled Key vulnerability 
in elix ...)
-       TODO: check
+       NOT-FOR-US: elixir-grpc grpc
 CVE-2026-48518 (MultiJuicer is used to run separate Juice Shop instances on a 
central  ...)
-       TODO: check
+       NOT-FOR-US: MultiJuicer
 CVE-2026-48157 (Slim is a PHP micro framework that enables users to write 
simple web a ...)
        TODO: check
 CVE-2026-48124 (Cursor is a code editor built for programming with AI. In 
versions pri ...)
-       TODO: check
+       NOT-FOR-US: Cursor
 CVE-2026-48114 (Metacat is data repository software that helps researchers 
preserve, s ...)
-       TODO: check
+       NOT-FOR-US: Metacat
 CVE-2026-48017 (DbGate is cross-platform database manager. In versions 7.1.8 
and prior ...)
-       TODO: check
+       NOT-FOR-US: DbGate
 CVE-2026-47835 (In Spring AI Vector Stores, special characters could be used 
to force  ...)
        NOT-FOR-US: VMware
 CVE-2026-47825 (Spring Cloud Gateway Server forwards the X-Forwarded-For and 
Forwarded ...)
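Review bot: the description shown for CVE-2026-48713 ("Versions prior to 2.6.6 are vulnerable to prototype pollution via craf ...") does not name the affected project, so the tag `NOT-FOR-US: i18next-fs-backend` cannot be checked from the list entry alone; adding a `NOTE:` line with the advisory URL, as done for CVE-2026-48142 earlier in this diff, would make the triage reproducible. The neighbouring CVE-2026-48714 entry is described as Node.js middleware, a family often packaged under a `node-` prefix, so a quick archive check for `node-i18next-*` packages is worth doing before both entries are closed.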
@@ -2920,9 +2920,9 @@ CVE-2026-39007 (An issue in Observeinc's Observe 
v.2026-01-28 and before allows
 CVE-2026-39006 (An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to 
execute arb ...)
        TODO: check
 CVE-2026-38812 (RuoYi v4.8.2 is vulnerable to SQL Injection via the 
/tool/gen/createTa ...)
-       TODO: check
+       NOT-FOR-US: RuoYi
 CVE-2026-38329 (Bludit CMS before version 3.18.4 allows Remote Code Execution 
(RCE) vi ...)
-       TODO: check
+       NOT-FOR-US: Bludit CMS
 CVE-2026-38065 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command 
injecti ...)
        NOT-FOR-US: Tenda
 CVE-2026-38064 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command 
injecti ...)
@@ -2936,17 +2936,17 @@ CVE-2026-38061 (Tenda 5G03 V05.03.02.04 (Version 1.0) 
is vulnerable to Command i
 CVE-2026-38060 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command 
injecti ...)
        NOT-FOR-US: Tenda
 CVE-2026-37216 (Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the 
interfa ...)
-       TODO: check
+       NOT-FOR-US: Ruoyi
 CVE-2026-36933 (An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a 
physical ...)
-       TODO: check
+       NOT-FOR-US: Boyleep K11, y108 firmware
 CVE-2026-36670 (A Time-Based Blind SQL Injection vulnerability in the 
alias_management ...)
        TODO: check
 CVE-2026-36537 (ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass 
during  ...)
-       TODO: check
+       NOT-FOR-US: ThingsBoard
 CVE-2026-36521 (PublicCMS V5.202506.d has a Cross Site Scripting (XSS) 
vulnerability i ...)
-       TODO: check
+       NOT-FOR-US: PublicCMS
 CVE-2026-36213 (An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a 
local att ...)
-       TODO: check
+       NOT-FOR-US: Microvirt MEmu Android Emulator
 CVE-2026-34902 (Unauthenticated Cross Site Scripting (XSS) in WooCommerce 
Product Tabl ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-34901 (Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 
versions.)
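Review bot: CVE-2026-37216 is tagged `NOT-FOR-US: Ruoyi` while CVE-2026-38812 in the previous hunk is tagged `NOT-FOR-US: RuoYi`; the two descriptions spell the name differently, but the tracker tag should use one spelling so the entries group together when the file is grepped.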



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b34b3d27ba1b685250fe57290d3c038052676a07



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits