Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3ccf34b7 by security tracker role at 2026-06-23T19:13:57+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,8 +1,314 @@
+CVE-2026-57062 (CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG 
through 2 ...)
+       TODO: check
+CVE-2026-56815 (pwnlift before d7a9544, in a privileged deployment, contains a 
symlink ...)
+       TODO: check
+CVE-2026-56784 (OpenRemote Manager before 1.24.2 contains an insecure direct 
object re ...)
+       TODO: check
+CVE-2026-56762 (Hono before 4.12.12 does not validate cookie names on the 
write path i ...)
+       TODO: check
+CVE-2026-56701 (Grav before 2.0.0-beta.2 contains an XML external entity 
injection vul ...)
+       TODO: check
+CVE-2026-56696 (OpenHarness /issue and /pr_comments slash commands lack 
remote_invocab ...)
+       TODO: check
+CVE-2026-56695 (OpenHarness ohmo gateway /resume and /summary slash commands 
default r ...)
+       TODO: check
+CVE-2026-56694 (NanoClaw before 2.1.0 contains a privilege escalation 
vulnerability in ...)
+       TODO: check
+CVE-2026-56693 (NanoClaw before 2.1.17 contains a privilege escalation 
vulnerability i ...)
+       TODO: check
+CVE-2026-56692 (NanoClaw before 2.1.17 contains a symlink following 
vulnerability in f ...)
+       TODO: check
+CVE-2026-56402 (NanoClaw before 2.1.17 contains a privilege escalation 
vulnerability i ...)
+       TODO: check
+CVE-2026-56379 (ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command 
injection ...)
+       TODO: check
+CVE-2026-56376 (ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap 
use-after-fr ...)
+       TODO: check
+CVE-2026-56371 (ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory 
leak in co ...)
+       TODO: check
+CVE-2026-56322 (Capgo before 12.128.2 contains an information disclosure 
vulnerability ...)
+       TODO: check
+CVE-2026-56315 (picklescan before 1.0.4 fails to block at least seven Python 
standard  ...)
+       TODO: check
+CVE-2026-56301 (Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running 
the dev ...)
+       TODO: check
+CVE-2026-56275 (Flowise before 3.1.0 contains a server-side request forgery 
vulnerabil ...)
+       TODO: check
+CVE-2026-56274 (Flowise before 3.1.2 contains multiple OS command injection 
vulnerabil ...)
+       TODO: check
+CVE-2026-56263 (Crawl4AI before 0.8.7 contains a stored cross-site scripting 
vulnerabi ...)
+       TODO: check
+CVE-2026-56258 (Crawl4AI before 0.8.8 contains an arbitrary file write 
vulnerability i ...)
+       TODO: check
+CVE-2026-56248 (Cap-go capgo (capgo-backend) before 12.128.12 contains an 
unauthentica ...)
+       TODO: check
+CVE-2026-56243 (Capgo before 12.128.2 contains a security control bypass 
vulnerability ...)
+       TODO: check
+CVE-2026-56234 (Capgo before 12.128.2 contains a credential validation 
vulnerability i ...)
+       TODO: check
+CVE-2026-56225 (Capgo before 12.128.2 contains an authorization bypass 
vulnerability i ...)
+       TODO: check
+CVE-2026-56222 (Capgo before 12.128.2 contains an authorization bypass 
vulnerability i ...)
+       TODO: check
+CVE-2026-56117 (dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a 
heap use-af ...)
+       TODO: check
+CVE-2026-56116 (dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a 
memory leak ...)
+       TODO: check
+CVE-2026-56115 (dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a 
one-byte st ...)
+       TODO: check
+CVE-2026-56114 (dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a 
one-byte st ...)
+       TODO: check
+CVE-2026-56113 (dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a 
heap use-af ...)
+       TODO: check
+CVE-2026-55736 (Improperly Controlled Modification of Dynamically-Determined 
Object At ...)
+       TODO: check
+CVE-2026-55517 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-55450 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-55447 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-55446 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-55423 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-55255 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-55249 (@rtk-ai/rtk-rewrite transparently rewrites shell commands 
executed via ...)
+       TODO: check
+CVE-2026-54892 (Inefficient algorithmic complexity in Plug's nested-parameter 
decoder  ...)
+       TODO: check
+CVE-2026-54324 (Daytona is a secure and elastic infrastructure runtime for 
AI-generate ...)
+       TODO: check
+CVE-2026-54323 (Daytona is a secure and elastic infrastructure runtime for 
AI-generate ...)
+       TODO: check
+CVE-2026-54322 (Daytona is a secure and elastic infrastructure runtime for 
AI-generate ...)
+       TODO: check
+CVE-2026-54321 (Daytona is a secure and elastic infrastructure runtime for 
AI-generate ...)
+       TODO: check
+CVE-2026-54320 (Daytona is a secure and elastic infrastructure runtime for 
AI-generate ...)
+       TODO: check
+CVE-2026-54319 (Daytona is a secure and elastic infrastructure runtime for 
AI-generate ...)
+       TODO: check
+CVE-2026-54318 (Home Assistant is open source home automation software that 
puts local ...)
+       TODO: check
+CVE-2026-54317 (Home Assistant is open source home automation software that 
puts local ...)
+       TODO: check
+CVE-2026-54316 (Claude Code is an agentic coding tool.  From 0.2.54 until 
2.1.163, bec ...)
+       TODO: check
+CVE-2026-54314 (n8n is an open source workflow automation platform. Prior to 
2.24.0, t ...)
+       TODO: check
+CVE-2026-54313 (n8n is an open source workflow automation platform. Prior to 
2.24.0, a ...)
+       TODO: check
+CVE-2026-54312 (n8n is an open source workflow automation platform. Prior to 
2.24.0, a ...)
+       TODO: check
+CVE-2026-54311 (n8n is an open source workflow automation platform. Prior to 
2.25.7 an ...)
+       TODO: check
+CVE-2026-54310 (n8n is an open source workflow automation platform. Prior to 
2.25.7 an ...)
+       TODO: check
+CVE-2026-54309 (n8n is an open source workflow automation platform. Prior to 
2.25.7 an ...)
+       TODO: check
+CVE-2026-54308 (n8n is an open source workflow automation platform. Prior to 
2.25.7 an ...)
+       TODO: check
+CVE-2026-54307 (n8n is an open source workflow automation platform. Prior to 
1.123.55, ...)
+       TODO: check
+CVE-2026-54306 (n8n is an open source workflow automation platform. Prior to 
2.25.7 an ...)
+       TODO: check
+CVE-2026-54305 (n8n is an open source workflow automation platform. Prior to 
1.123.55, ...)
+       TODO: check
+CVE-2026-54304 (n8n is an open source workflow automation platform. Prior to 
1.123.55, ...)
+       TODO: check
+CVE-2026-54303 (n8n is an open source workflow automation platform. Prior to 
2.24.0, a ...)
+       TODO: check
+CVE-2026-54302 (n8n is an open source workflow automation platform. Prior to 
1.123.55, ...)
+       TODO: check
+CVE-2026-54301 (n8n is an open source workflow automation platform. Prior to 
1.123.55, ...)
+       TODO: check
+CVE-2026-54257 (Electron is a framework for writing cross-platform desktop 
application ...)
+       TODO: check
+CVE-2026-54157 (LobeHub is a work-and-lifestyle space to find, build, and 
collaborate  ...)
+       TODO: check
+CVE-2026-54022 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54021 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54019 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54018 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54016 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54015 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54014 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54013 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54012 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54011 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54010 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54009 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54008 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54007 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-54006 (Open WebUI is a self-hosted artificial intelligence platform 
designed  ...)
+       TODO: check
+CVE-2026-53755 (Crawl4AI is an open-source LLM friendly web crawler & scraper. 
Prior t ...)
+       TODO: check
+CVE-2026-53754 (Crawl4AI is an open-source LLM friendly web crawler & scraper. 
Prior t ...)
+       TODO: check
+CVE-2026-53753 (Crawl4AI is an open-source LLM friendly web crawler & scraper. 
Prior t ...)
+       TODO: check
+CVE-2026-53662 (immich is a high performance self-hosted photo and video 
management so ...)
+       TODO: check
+CVE-2026-52846 (Caddy is an extensible server platform that uses TLS by 
default. Prior ...)
+       TODO: check
+CVE-2026-52845 (Caddy is an extensible server platform that uses TLS by 
default. Prior ...)
+       TODO: check
+CVE-2026-52844 (Caddy is an extensible server platform that uses TLS by 
default. Prior ...)
+       TODO: check
+CVE-2026-52673 (SQL Injection vulnerability in Cboard v.0.4.2 and before 
allows a remo ...)
+       TODO: check
+CVE-2026-50574 (yt-dlp is a command-line audio/video downloader. Prior to 
2026.06.09,  ...)
+       TODO: check
+CVE-2026-50023 (yt-dlp is a command-line audio/video downloader. Prior to 
2026.06.09,  ...)
+       TODO: check
+CVE-2026-50019 (yt-dlp is a command-line audio/video downloader. From 
2023.09.24 until ...)
+       TODO: check
+CVE-2026-4983 (Open VSX Registry does not sanitize SVG files uploaded as 
extension ic ...)
+       TODO: check
+CVE-2026-4610 (The ProfileGrid \u2013 User Profiles, Groups and Communities 
plugin fo ...)
+       TODO: check
+CVE-2026-49983 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-49860 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-49859 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-49465 (n8n is an open source workflow automation platform. Prior to 
1.123.48, ...)
+       TODO: check
+CVE-2026-49444 (n8n is an open source workflow automation platform. Prior to 
1.123.48, ...)
+       TODO: check
+CVE-2026-49440 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-49411 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-49406 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-49402 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-49401 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
Prior to 2. ...)
+       TODO: check
+CVE-2026-48520 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-48519 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-45732 (n8n is an open source workflow automation platform. Prior to 
1.123.43, ...)
+       TODO: check
+CVE-2026-45692 (Caddy is an extensible server platform that uses TLS by 
default. From  ...)
+       TODO: check
+CVE-2026-45135 (Caddy is an extensible server platform that uses TLS by 
default. From  ...)
+       TODO: check
+CVE-2026-44792 (n8n is an open source workflow automation platform. Prior to 
1.123.43, ...)
+       TODO: check
+CVE-2026-44791 (n8n is an open source workflow automation platform. Prior to 
1.123.43, ...)
+       TODO: check
+CVE-2026-44790 (n8n is an open source workflow automation platform. Prior to 
1.123.43, ...)
+       TODO: check
+CVE-2026-44789 (n8n is an open source workflow automation platform. Prior to 
1.123.43, ...)
+       TODO: check
+CVE-2026-44726 (Deno is a JavaScript, TypeScript, and WebAssembly runtime. 
From 2.0.0  ...)
+       TODO: check
+CVE-2026-44089 (TotolinkEX1200L router is vulnerable to Buffer Overflow in the 
login f ...)
+       TODO: check
+CVE-2026-42867 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-35019 (NetComm NF20MESH routers running firmware R6B031 and earlier 
contain a ...)
+       TODO: check
+CVE-2026-35018 (NetComm NF20MESH routers running firmware R6B031 and earlier 
contain a ...)
+       TODO: check
+CVE-2026-33760 (Langflow is a tool for building and deploying AI-powered 
agents and wo ...)
+       TODO: check
+CVE-2026-28496 (FOSSBilling is a free, open-source billing and client 
management syste ...)
+       TODO: check
+CVE-2026-27604 (FOSSBilling is a free, open-source billing and client 
management syste ...)
+       TODO: check
+CVE-2026-13007 (Tenable Identity Exposure contains multiple unauthenticated 
API endpoi ...)
+       TODO: check
+CVE-2026-12969 (An out-of-bounds read vulnerability exists in dnsmasq's 
find_soa() fun ...)
+       TODO: check
+CVE-2026-12958 (Missing symlink validation in Language Servers for AWS may 
allow an ar ...)
+       TODO: check
+CVE-2026-12957 (Improper trust boundary enforcement in Language Servers for 
AWS before ...)
+       TODO: check
+CVE-2026-11772 (DRIMO CMS is vulnerable to Reflected XSS via q parameter in 
searching  ...)
+       TODO: check
+CVE-2026-11374 (In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 
Manager ...)
+       TODO: check
+CVE-2026-10857 (Improper neutralization of input during web page generation 
('cross-si ...)
+       TODO: check
+CVE-2026-10711 (Missing authentication for critical function vulnerability in 
AKIN Sof ...)
+       TODO: check
+CVE-2026-10609 (A missing authorization flaw was found in the OpenShift 
Cluster Loggin ...)
+       TODO: check
+CVE-2026-10521 (An high privileged remote attacker can access a hidden 
configuration m ...)
+       TODO: check
+CVE-2026-0864 (When using the "configparser" module to write configuration 
files cont ...)
+       TODO: check
+CVE-2025-71382 (MuPDF before 1.27.0-rc1 contains an uncontrolled recursion 
vulnerabili ...)
+       TODO: check
+CVE-2025-71376 (picklescan before 0.0.29 fails to detect malicious pickle 
files using  ...)
+       TODO: check
+CVE-2025-71370 (picklescan before 0.0.28 fails to detect malicious 
torch.jit.unsupport ...)
+       TODO: check
+CVE-2025-71365 (picklescan before 0.0.33 fails to detect malicious pickle 
files that i ...)
+       TODO: check
+CVE-2025-71341 (picklescan before 0.0.29 fails to detect the 
profile.Profile.runctx fu ...)
+       TODO: check
+CVE-2025-71337 (Flowise before 3.0.10 (affected versions 3.0.7 and earlier) 
contains a ...)
+       TODO: check
+CVE-2025-62180 (Pega Platform versions 8.3.0 through Infinity 25.1.2 are 
affected by a ...)
+       TODO: check
+CVE-2025-61029 (An issue in the sqlo_untry component of openlink 
virtuoso-opensource v ...)
+       TODO: check
+CVE-2025-61028 (An issue in the time_t_to_dt component of openlink 
virtuoso-opensource ...)
+       TODO: check
+CVE-2025-61027 (An issue in the t_set_push component of openlink 
virtuoso-opensource v ...)
+       TODO: check
+CVE-2025-61025 (An issue in the sslr_qst_get component of openlink 
virtuoso-opensource ...)
+       TODO: check
+CVE-2025-61024 (An issue in the sqlo_try_in_loop component of openlink 
virtuoso-openso ...)
+       TODO: check
+CVE-2025-61023 (An issue in the st_compare component of openlink 
virtuoso-opensource v ...)
+       TODO: check
+CVE-2025-61022 (An issue in the sqlo_tb_col_preds component of openlink 
virtuoso-opens ...)
+       TODO: check
+CVE-2025-61021 (An issue in the sqlo_natural_join_cond component of openlink 
virtuoso- ...)
+       TODO: check
+CVE-2025-61020 (An issue in the sqlo_strip_in_join component of openlink 
virtuoso-open ...)
+       TODO: check
+CVE-2025-61019 (An issue in the sqlo_key_part_best component of openlink 
virtuoso-open ...)
+       TODO: check
+CVE-2025-61018 (An issue in the sqlo_place_dt_set component of openlink 
virtuoso-opens ...)
+       TODO: check
+CVE-2025-55639 (GPAC MP4Box v2.4 was discovered to contain a NULL pointer 
dereference  ...)
+       TODO: check
+CVE-2025-15619 (HCL Connections contains a broken access control vulnerability 
that ma ...)
+       TODO: check
+CVE-2025-13162 (Uncontrolled Search Path Element vulnerability in ABB Control 
Builder  ...)
+       TODO: check
+CVE-2023-54365 (Traefik before 2.10.5 and 3.0.0-beta4 is affected by a 
denial-of-servi ...)
+       TODO: check
 CVE-2026-44517
        - golang-github-containers-buildah <unfixed> (bug #1140619)
        NOTE: 
https://github.com/podman-container-tools/buildah/security/advisories/GHSA-49p4-px3h-rq49
        NOTE: Fixed by: 
https://github.com/podman-container-tools/buildah/security/advisories/GHSA-49p4-px3h-rq49
 (v1.43.2)
-CVE-2026-11940
+CVE-2026-11940 (tarfile.extractall() with the 'data' or 'tar'  filter could be 
bypasse ...)
        - python3.14 <unfixed>
        - python3.13 <unfixed>
        - python3.11 <removed>
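Review bot: the five picklescan entries added here as `TODO: check` (CVE-2026-56315, CVE-2025-71376, CVE-2025-71370, CVE-2025-71365, CVE-2025-71341) can be triaged straight away: the picklescan entries already in this file (CVE-2025-71344, CVE-2025-71339) carry `NOT-FOR-US: picklescan`, and the same annotation fits these. Separately, in the unchanged CVE-2026-44517 context lines the `NOTE: Fixed by:` line repeats the GHSA advisory URL instead of pointing at the fixing commit; the `(v1.43.2)` suffix suggests a commit or release reference was intended there.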
@@ -19,7 +325,7 @@ CVE-2026-55556
        NOTE: https://www.openwall.com/lists/oss-security/2026/06/23/4
        NOTE: imhttp rsyslog plugin not packaged in Debian
        NOTE: 
https://github.com/rsyslog/rsyslog/commit/acde2ba25ea33816694b787859f4a727a247b6d6
 (v8.2604.0)
-CVE-2026-50221
+CVE-2026-50221 (In OpenStack Swift before 2.37.2, proxy-server does not strip 
internal ...)
        - swift <unfixed>
        NOTE: https://www.openwall.com/lists/oss-security/2026/06/23/5
        NOTE: https://bugs.launchpad.net/swift/+bug/2150261
@@ -217,7 +523,7 @@ CVE-2025-71344 (picklescan before 0.0.30 (affected versions 
0.0.26 and earlier)
        NOT-FOR-US: picklescan
 CVE-2025-71339 (Picklescan before 0.0.33 fails to detect the 
numpy.f2py.crackfortran._ ...)
        NOT-FOR-US: picklescan
-CVE-2026-9733
+CVE-2026-9733 (Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 
for Perl  ...)
        NOT-FOR-US: Mojolicious::Plugin::Web::Auth::OAuth2 Perl module
 CVE-2026-9610 (IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 
9.1.7, 9 ...)
        NOT-FOR-US: IBM
@@ -1243,11 +1549,11 @@ CVE-2016-20086 (Vembu StoreGrid 4.0 contains an 
unquoted service path vulnerabil
        NOT-FOR-US: Vembu StoreGrid
 CVE-2016-20085 (Realtek High Definition Audio Driver 6.0.1.6730 contains an 
unquoted s ...)
        NOT-FOR-US: Realtek
-CVE-2026-55568
+CVE-2026-55568 (Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in 
certain c ...)
        - guzzle 7.12.1-1
        [trixie] - guzzle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/guzzle/guzzle/security/advisories/GHSA-wpwq-4j6v-78m3
-CVE-2026-55767
+CVE-2026-55767 (Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, 
CookieJar in ...)
        - guzzle 7.12.1-1
        [trixie] - guzzle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwxw-98qj-8qjx
@@ -1408,7 +1714,7 @@ CVE-2026-2842
        REJECTED
 CVE-2026-25865 (Punto Switcher through 4.5.0.583 contains an unquoted search 
path elem ...)
        NOT-FOR-US: Punto Switcher
-CVE-2026-22674 (Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, 
contains a  ...)
+CVE-2026-22674 (Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, 
contains a  ...)
        NOT-FOR-US: Hashgraph Guardian
 CVE-2026-1856 (The Appointment Booking Calendar plugin for WordPress is 
vulnerable to ...)
        NOT-FOR-US: WordPress plugin
@@ -1453,7 +1759,7 @@ CVE-2025-15661 (libssh2 through 1.11.1, fixed in commit 
2dae302, contains an out
        NOTE: https://github.com/libssh2/libssh2/pull/1705
        NOTE: https://github.com/libssh2/libssh2/pull/1717
        NOTE: Fixed by: 
https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d
-CVE-2026-55766
+CVE-2026-55766 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation 
in PHP. ...)
        - php-guzzlehttp-psr7 2.12.1-1
        [trixie] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432
@@ -3945,7 +4251,7 @@ CVE-2024-22451 (Dell Peripheral Manager, versions from 
1.5.1 to 1.7.2, contain a
        NOT-FOR-US: Dell / EMC
 CVE-2024-22447 (Dell Peripheral Manager, versions prior to 1.7.3, contain an 
uncontrol ...)
        NOT-FOR-US: Dell / EMC
-CVE-2026-57053 [ToUnicode read-out-bounds]
+CVE-2026-57053 (GNU libidn before 1.44 is prone to out-of-bounds reads 
ofuninitialized ...)
        - libidn 1.44-1
        [trixie] - libidn <no-dsa> (Minor issue)
        NOTE: 
https://lists.gnu.org/archive/html/help-libidn/2026-06/msg00001.html
@@ -4596,7 +4902,8 @@ CVE-2025-56814 (A code injection vulnerability in the 
wxExecute() function of Op
        TODO: check
 CVE-2025-10262 (Nokia SR Linux is vulnerable to local privilege escalation 
vulnerabili ...)
        NOT-FOR-US: Nokia
-CVE-2026-56968 [NTLM client: Avoid use-of-unitialized-value inside libntlm]
+CVE-2026-56968 (GNU SASL before 2.2.4 lacks sanitization of a short challenge 
in _gsas ...)
+       {DSA-6348-1}
        - gsasl 2.2.4-1
        NOTE: 
https://lists.gnu.org/archive/html/help-gsasl/2026-06/msg00000.html
 CVE-2026-53704 (A flaw was found in GStreamer's RealMedia demuxer in the 
gst-plugins-u ...)
@@ -4616,6 +4923,7 @@ CVE-2026-53703 (A vulnerability was found in the 
GStreamer RealMedia demuxer (gs
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11831 (1.26 
branch)
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11832 (1.24 
branch)
 CVE-2026-52719 (An out-of-bounds read vulnerability was found in the VA JPEG 
decoder i ...)
+       {DSA-6362-1}
        - gst-plugins-bad1.0 1.28.4-1
        NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0040.html
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11805
@@ -4623,6 +4931,7 @@ CVE-2026-52719 (An out-of-bounds read vulnerability was 
found in the VA JPEG dec
        NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/987278d3b2c01c5bf387181a120bec5856aba82c
 (1.26 branch)
        NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c5f9c5bee5f2139157c0ce0a160f0a1173b7ce94
 (1.24 branch)
 CVE-2026-52718 (A denial of service vulnerability was found in GStreamer's AV1 
codec p ...)
+       {DSA-6362-1}
        - gst-plugins-bad1.0 1.28.4-1
        NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0039.html
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11803
@@ -5929,6 +6238,7 @@ CVE-2026-53702 (A stack buffer overflow flaw was found in 
the GStreamer H.265 co
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890aa461742661a1f5a67b69ba608f61e779c23c
 (1.28.3)
        NOTE: Backport for 1.26: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11341
 CVE-2026-53701 (An out-of-bounds write vulnerability was found in GStreamer's 
H.266/VV ...)
+       {DSA-6362-1}
        - gst-plugins-bad1.0 1.28.3-1
        NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0026.html
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11581
@@ -9413,7 +9723,7 @@ CVE-2021-47983 (WordPress Plugin Stripe Payments 2.0.39 
contains a stored cross-
        NOT-FOR-US: WordPress plugin
 CVE-2021-47982 (WordPress Plugin WP-Paginate 2.1.3 contains a stored 
cross-site script ...)
        NOT-FOR-US: WordPress plugin
-CVE-2026-49494 (Comodo Internet Security's firewall driver Inspect.sys 
contains an int ...)
+CVE-2026-49494 (Xcitium Client Security (XCS) before 13.8.2.10019 and Comodo 
Internet  ...)
        NOT-FOR-US: Comodo Internet Security
 CVE-2026-36229
        REJECTED
@@ -21438,17 +21748,17 @@ CVE-2026-39827 (An authenticated SSH client that 
repeatedly opened channels whic
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/35127
-CVE-2026-34917
+CVE-2026-34917 (Low\u2011privileged session IDs generated for the web admin 
console co ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-34916
+CVE-2026-34916 (A missing validation of user input when saving delivery 
limitations in ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-34915
+CVE-2026-34915 (A missing sanitisation of user input in the zone-include.php 
script of ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-34914
+CVE-2026-34914 (A missing sanitisation of user input in the zone-include.php 
script of ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-34913
+CVE-2026-34913 (A missing access control check when linking trackers to 
campaigns thro ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-34912
+CVE-2026-34912 (A missing access control check when linking banners or 
campaigns to a  ...)
        NOT-FOR-US: Revive Adserver
 CVE-2026-34911 (A malicious actor with access to the network and low 
privileges could  ...)
        NOT-FOR-US: UniFi
@@ -25390,6 +25700,7 @@ CVE-2026-44432 (urllib3 is an HTTP client library for 
Python. From 2.6.0 to befo
        NOTE: 
https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j
        NOTE: Fixed by: 
https://github.com/urllib3/urllib3/commit/2bdcc44d1e163fb5cc48a8662425e35e15adfe6a
 (2.7.0)
 CVE-2026-44431 (urllib3 is an HTTP client library for Python. From 1.23 to 
before 2.7. ...)
+       {DSA-6363-1}
        - python-urllib3 <unfixed> (bug #1136653)
        NOTE: 
https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc
        NOTE: Fixed by: 
https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc
 (2.7.0)
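Review bot: `{DSA-6363-1}` is added to CVE-2026-44431 while the package line below it still reads `python-urllib3 <unfixed> (bug #1136653)`. A DSA reference beside an unfixed unstable entry is unusual: if the fix has reached unstable the line should carry the fixed version, and if the DSA covered only stable the `<unfixed>` status is worth confirming against bug #1136653 so the issue is not shown as open in sid indefinitely.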
@@ -58909,17 +59220,17 @@ CVE-2026-4519 (The webbrowser.open() API would accept 
leading dashes in the URL
        NOTE: https://github.com/python/cpython/pull/148517 (3.13)
        NOTE: 
https://github.com/python/cpython/commit/d6d68494be70bdbda20f89f83801ba52ec37daa4
 (3.13)
        NOTE: 
https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
 (3.11)
-CVE-2026-44961
+CVE-2026-44961 (The XML\u2011RPC API addUser method has a validation bypass 
introduced ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-44960
+CVE-2026-44960 (A stored XSS can be exploited by leveraging the usernames as 
an attack ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-44959
+CVE-2026-44959 (A missing validation of user input exists when saving delivery 
limitat ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-44958
+CVE-2026-44958 (An access control bypass allows an advertiser\u2011level user 
to activ ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-44957
+CVE-2026-44957 (A missing access control check when invoking various modify 
methods in ...)
        NOT-FOR-US: Revive Adserver
-CVE-2026-44956
+CVE-2026-44956 (Low\u2011privileged users could use their Full Name as a 
vector for a  ...)
        NOT-FOR-US: Revive Adserver
 CVE-2026-4505 (A vulnerability has been found in eosphoros-ai DB-GPT up to 
0.7.5. Thi ...)
        NOT-FOR-US: eosphoros-ai DB-GPT
@@ -151280,7 +151591,7 @@ CVE-2025-38352 (In the Linux kernel, the following 
vulnerability has been resolv
        NOTE: https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/
        NOTE: https://faith2dxy.xyz/2025-12-24/cve_2025_38352_analysis_part_2/
        NOTE: https://faith2dxy.xyz/2026-01-03/cve_2025_38352_analysis_part_3/
-CVE-2025-7962 (In Jakarta Mail 2.0.2 it is possible to preform a SMTP 
Injection by ut ...)
+CVE-2025-7962 (In Jakarta Mail versions prior to 2.0.2 it is possible to 
perform an S ...)
        - jakarta-mail <unfixed> (bug #1109804)
        [trixie] - jakarta-mail <no-dsa> (Minor issue)
        [bookworm] - jakarta-mail <no-dsa> (Minor issue)
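Review bot: the description change moves the affected range from `Jakarta Mail 2.0.2` to `versions prior to 2.0.2`, which makes 2.0.2 the fixed version, yet the `jakarta-mail <unfixed>` line and the two `<no-dsa>` entries are untouched. With the corrected range the package status should be rechecked: if the packaged version is 2.0.2 or later the entry is not affected as described, and if it is older the fixed version can be recorded in place of `<unfixed>`.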
@@ -593740,12 +594051,12 @@ CVE-2020-9715 (Adobe Acrobat and Reader versions 
2020.009.20074 and earlier, 202
        NOT-FOR-US: Adobe
 CVE-2020-9714 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 
2020.001 ...)
        NOT-FOR-US: Adobe
-CVE-2020-9713
-       RESERVED
+CVE-2020-9713 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 
2020.001 ...)
+       TODO: check
 CVE-2020-9712 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 
2020.001 ...)
        NOT-FOR-US: Adobe
-CVE-2020-9711
-       RESERVED
+CVE-2020-9711 (Acrobat Reader versions 2020.009.20074, 2020.001.30002, 
2017.011.30171 ...)
+       TODO: check
 CVE-2020-9710 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 
2020.001 ...)
        NOT-FOR-US: Adobe
 CVE-2020-9709
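Review bot: CVE-2020-9713 and CVE-2020-9711 move from `RESERVED` to `TODO: check`, but the neighbouring entries with the same Adobe Acrobat and Reader description (CVE-2020-9714, CVE-2020-9712, CVE-2020-9710) are already `NOT-FOR-US: Adobe`; the same triage applies to these two and saves a later manual pass.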
@@ -593776,8 +594087,8 @@ CVE-2020-9697 (Adobe Acrobat and Reader versions 
2020.009.20074 and earlier, 202
        NOT-FOR-US: Adobe
 CVE-2020-9696 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 
2020.001 ...)
        NOT-FOR-US: Adobe
-CVE-2020-9695
-       RESERVED
+CVE-2020-9695 (Acrobat Reader versions 2020.009.20074, 2020.001.30002, 
2017.011.30171 ...)
+       TODO: check
 CVE-2020-9694 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 
2020.001 ...)
        NOT-FOR-US: Adobe
 CVE-2020-9693 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 
2020.001 ...)
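Review bot: CVE-2020-9695 likewise goes to `TODO: check` between CVE-2020-9696 and CVE-2020-9694, both `NOT-FOR-US: Adobe` for the same product line; it can take `NOT-FOR-US: Adobe` directly rather than waiting for a check.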



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ccf34b7289772c547791444ceff259f1e5fc76c



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
