Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 606d7730 by Salvatore Bonaccorso at 2026-06-18T22:13:04+02:00 Add new nodejs issues from june release - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,33 @@ +CVE-2026-48931 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#http-response-queue-poisoning-via-toctou-race-condition-in-httpagent-cve-2026-48931---low +CVE-2026-48936 + - nodejs <not-affected> (Only affects Node.js v26) + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unix-domain-socket-server-bypasses---permission-network-restrictions-incomplete-cve-2026-21636-fix-cve-2026-48936---low +CVE-2026-48935 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#permission-model-bypass-via-filehandleutimes-in-the-promises-api-cve-2026-48935---low +CVE-2026-48934 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#tls-host-identity-verification-bypass-via-session-reuse-with-different-servername-leads-to-unauthorized-connections-cve-2026-48934---medium +CVE-2026-48930 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#embedded-nul-hostnames-can-lead-to-silent-authority-rebinding-due-to-c-string-truncation-in-resolver-bindings-cve-2026-48930---medium +CVE-2026-48928 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#uppercase-sni-context-matching-can-lead-to-mtls-authorization-bypass-due-to-case-sensitive-hostname-matching-cve-2026-48928---medium +CVE-2026-48619 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unbounded-memory-growth-in-nodehttp2-clients-via-attacker-controlled-origin-frames-cve-2026-48619---medium +CVE-2026-48615 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#proxy-credentials-leaked-in-err_proxy_tunnel-error-message-cve-2026-48615---medium +CVE-2026-48618 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-unicode-dot-separator-handling-can-lead-to-tls-wildcard-depth-authentication-bypass-due-to-resolver-and-verifier-hostname-normalization-mismat-cve-2026-48618---high +CVE-2026-48933 + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-webcrypto-aes-integer-overflow-leads-to-remote-process-abort-dos-cve-2026-48933---high CVE-2026-9815 (The MagicForm WordPress plugin through 0.1.3 does not properly validat ...) NOT-FOR-US: WordPress plugin CVE-2026-9158 (In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DE ...) @@ -86,9 +116,11 @@ CVE-2026-48985 (pam_usb provides hardware authentication for Linux using ordinar CVE-2026-48984 (pam_usb provides hardware authentication for Linux using ordinary remo ...) NOT-FOR-US: pam_usb CVE-2026-48937 (A flaw in Node.js HTTP/2 server API can cause servers to keep acceptin ...) - TODO: check + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#http2-sessions-never-clean-up-after-goaway-on-invalid-protocol-errors-cve-2026-48937---medium CVE-2026-48617 (A flaw in Node.js Permission Model enforcement allows Bypass via `proc ...) - TODO: check + - nodejs <unfixed> + NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#permission-model-bypass-via-processreportwritereport-path-misvalidation-cve-2026-48617---low CVE-2026-47833 (setupBpmLogs follows symlink for bpm.log open and chown \u2014 contain ...) NOT-FOR-US: setupBpmLogs CVE-2026-46580 (In Eclipse Theia versions prior to 1.71.0, files matching the pattern ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/606d773043773a4b4a0cea1bff8f8d501a55366e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/606d773043773a4b4a0cea1bff8f8d501a55366e You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
