Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
3ccf34b7 by security tracker role at 2026-06-23T19:13:57+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,8 +1,314 @@
+CVE-2026-57062 (CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG
through 2 ...)
+ TODO: check
+CVE-2026-56815 (pwnlift before d7a9544, in a privileged deployment, contains a
symlink ...)
+ TODO: check
+CVE-2026-56784 (OpenRemote Manager before 1.24.2 contains an insecure direct
object re ...)
+ TODO: check
+CVE-2026-56762 (Hono before 4.12.12 does not validate cookie names on the
write path i ...)
+ TODO: check
+CVE-2026-56701 (Grav before 2.0.0-beta.2 contains an XML external entity
injection vul ...)
+ TODO: check
+CVE-2026-56696 (OpenHarness /issue and /pr_comments slash commands lack
remote_invocab ...)
+ TODO: check
+CVE-2026-56695 (OpenHarness ohmo gateway /resume and /summary slash commands
default r ...)
+ TODO: check
+CVE-2026-56694 (NanoClaw before 2.1.0 contains a privilege escalation
vulnerability in ...)
+ TODO: check
+CVE-2026-56693 (NanoClaw before 2.1.17 contains a privilege escalation
vulnerability i ...)
+ TODO: check
+CVE-2026-56692 (NanoClaw before 2.1.17 contains a symlink following
vulnerability in f ...)
+ TODO: check
+CVE-2026-56402 (NanoClaw before 2.1.17 contains a privilege escalation
vulnerability i ...)
+ TODO: check
+CVE-2026-56379 (ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command
injection ...)
+ TODO: check
+CVE-2026-56376 (ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap
use-after-fr ...)
+ TODO: check
+CVE-2026-56371 (ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory
leak in co ...)
+ TODO: check
+CVE-2026-56322 (Capgo before 12.128.2 contains an information disclosure
vulnerability ...)
+ TODO: check
+CVE-2026-56315 (picklescan before 1.0.4 fails to block at least seven Python
standard ...)
+ TODO: check
+CVE-2026-56301 (Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running
the dev ...)
+ TODO: check
+CVE-2026-56275 (Flowise before 3.1.0 contains a server-side request forgery
vulnerabil ...)
+ TODO: check
+CVE-2026-56274 (Flowise before 3.1.2 contains multiple OS command injection
vulnerabil ...)
+ TODO: check
+CVE-2026-56263 (Crawl4AI before 0.8.7 contains a stored cross-site scripting
vulnerabi ...)
+ TODO: check
+CVE-2026-56258 (Crawl4AI before 0.8.8 contains an arbitrary file write
vulnerability i ...)
+ TODO: check
+CVE-2026-56248 (Cap-go capgo (capgo-backend) before 12.128.12 contains an
unauthentica ...)
+ TODO: check
+CVE-2026-56243 (Capgo before 12.128.2 contains a security control bypass
vulnerability ...)
+ TODO: check
+CVE-2026-56234 (Capgo before 12.128.2 contains a credential validation
vulnerability i ...)
+ TODO: check
+CVE-2026-56225 (Capgo before 12.128.2 contains an authorization bypass
vulnerability i ...)
+ TODO: check
+CVE-2026-56222 (Capgo before 12.128.2 contains an authorization bypass
vulnerability i ...)
+ TODO: check
+CVE-2026-56117 (dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a
heap use-af ...)
+ TODO: check
+CVE-2026-56116 (dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a
memory leak ...)
+ TODO: check
+CVE-2026-56115 (dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a
one-byte st ...)
+ TODO: check
+CVE-2026-56114 (dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a
one-byte st ...)
+ TODO: check
+CVE-2026-56113 (dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a
heap use-af ...)
+ TODO: check
+CVE-2026-55736 (Improperly Controlled Modification of Dynamically-Determined
Object At ...)
+ TODO: check
+CVE-2026-55517 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-55450 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-55447 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-55446 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-55423 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-55255 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-55249 (@rtk-ai/rtk-rewrite transparently rewrites shell commands
executed via ...)
+ TODO: check
+CVE-2026-54892 (Inefficient algorithmic complexity in Plug's nested-parameter
decoder ...)
+ TODO: check
+CVE-2026-54324 (Daytona is a secure and elastic infrastructure runtime for
AI-generate ...)
+ TODO: check
+CVE-2026-54323 (Daytona is a secure and elastic infrastructure runtime for
AI-generate ...)
+ TODO: check
+CVE-2026-54322 (Daytona is a secure and elastic infrastructure runtime for
AI-generate ...)
+ TODO: check
+CVE-2026-54321 (Daytona is a secure and elastic infrastructure runtime for
AI-generate ...)
+ TODO: check
+CVE-2026-54320 (Daytona is a secure and elastic infrastructure runtime for
AI-generate ...)
+ TODO: check
+CVE-2026-54319 (Daytona is a secure and elastic infrastructure runtime for
AI-generate ...)
+ TODO: check
+CVE-2026-54318 (Home Assistant is open source home automation software that
puts local ...)
+ TODO: check
+CVE-2026-54317 (Home Assistant is open source home automation software that
puts local ...)
+ TODO: check
+CVE-2026-54316 (Claude Code is an agentic coding tool. From 0.2.54 until
2.1.163, bec ...)
+ TODO: check
+CVE-2026-54314 (n8n is an open source workflow automation platform. Prior to
2.24.0, t ...)
+ TODO: check
+CVE-2026-54313 (n8n is an open source workflow automation platform. Prior to
2.24.0, a ...)
+ TODO: check
+CVE-2026-54312 (n8n is an open source workflow automation platform. Prior to
2.24.0, a ...)
+ TODO: check
+CVE-2026-54311 (n8n is an open source workflow automation platform. Prior to
2.25.7 an ...)
+ TODO: check
+CVE-2026-54310 (n8n is an open source workflow automation platform. Prior to
2.25.7 an ...)
+ TODO: check
+CVE-2026-54309 (n8n is an open source workflow automation platform. Prior to
2.25.7 an ...)
+ TODO: check
+CVE-2026-54308 (n8n is an open source workflow automation platform. Prior to
2.25.7 an ...)
+ TODO: check
+CVE-2026-54307 (n8n is an open source workflow automation platform. Prior to
1.123.55, ...)
+ TODO: check
+CVE-2026-54306 (n8n is an open source workflow automation platform. Prior to
2.25.7 an ...)
+ TODO: check
+CVE-2026-54305 (n8n is an open source workflow automation platform. Prior to
1.123.55, ...)
+ TODO: check
+CVE-2026-54304 (n8n is an open source workflow automation platform. Prior to
1.123.55, ...)
+ TODO: check
+CVE-2026-54303 (n8n is an open source workflow automation platform. Prior to
2.24.0, a ...)
+ TODO: check
+CVE-2026-54302 (n8n is an open source workflow automation platform. Prior to
1.123.55, ...)
+ TODO: check
+CVE-2026-54301 (n8n is an open source workflow automation platform. Prior to
1.123.55, ...)
+ TODO: check
+CVE-2026-54257 (Electron is a framework for writing cross-platform desktop
application ...)
+ TODO: check
+CVE-2026-54157 (LobeHub is a work-and-lifestyle space to find, build, and
collaborate ...)
+ TODO: check
+CVE-2026-54022 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54021 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54019 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54018 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54016 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54015 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54014 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54013 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54012 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54011 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54010 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54009 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54008 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54007 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-54006 (Open WebUI is a self-hosted artificial intelligence platform
designed ...)
+ TODO: check
+CVE-2026-53755 (Crawl4AI is an open-source LLM friendly web crawler & scraper.
Prior t ...)
+ TODO: check
+CVE-2026-53754 (Crawl4AI is an open-source LLM friendly web crawler & scraper.
Prior t ...)
+ TODO: check
+CVE-2026-53753 (Crawl4AI is an open-source LLM friendly web crawler & scraper.
Prior t ...)
+ TODO: check
+CVE-2026-53662 (immich is a high performance self-hosted photo and video
management so ...)
+ TODO: check
+CVE-2026-52846 (Caddy is an extensible server platform that uses TLS by
default. Prior ...)
+ TODO: check
+CVE-2026-52845 (Caddy is an extensible server platform that uses TLS by
default. Prior ...)
+ TODO: check
+CVE-2026-52844 (Caddy is an extensible server platform that uses TLS by
default. Prior ...)
+ TODO: check
+CVE-2026-52673 (SQL Injection vulnerability in Cboard v.0.4.2 and before
allows a remo ...)
+ TODO: check
+CVE-2026-50574 (yt-dlp is a command-line audio/video downloader. Prior to
2026.06.09, ...)
+ TODO: check
+CVE-2026-50023 (yt-dlp is a command-line audio/video downloader. Prior to
2026.06.09, ...)
+ TODO: check
+CVE-2026-50019 (yt-dlp is a command-line audio/video downloader. From
2023.09.24 until ...)
+ TODO: check
+CVE-2026-4983 (Open VSX Registry does not sanitize SVG files uploaded as
extension ic ...)
+ TODO: check
+CVE-2026-4610 (The ProfileGrid \u2013 User Profiles, Groups and Communities
plugin fo ...)
+ TODO: check
+CVE-2026-49983 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-49860 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-49859 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-49465 (n8n is an open source workflow automation platform. Prior to
1.123.48, ...)
+ TODO: check
+CVE-2026-49444 (n8n is an open source workflow automation platform. Prior to
1.123.48, ...)
+ TODO: check
+CVE-2026-49440 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-49411 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-49406 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-49402 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-49401 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
Prior to 2. ...)
+ TODO: check
+CVE-2026-48520 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-48519 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-45732 (n8n is an open source workflow automation platform. Prior to
1.123.43, ...)
+ TODO: check
+CVE-2026-45692 (Caddy is an extensible server platform that uses TLS by
default. From ...)
+ TODO: check
+CVE-2026-45135 (Caddy is an extensible server platform that uses TLS by
default. From ...)
+ TODO: check
+CVE-2026-44792 (n8n is an open source workflow automation platform. Prior to
1.123.43, ...)
+ TODO: check
+CVE-2026-44791 (n8n is an open source workflow automation platform. Prior to
1.123.43, ...)
+ TODO: check
+CVE-2026-44790 (n8n is an open source workflow automation platform. Prior to
1.123.43, ...)
+ TODO: check
+CVE-2026-44789 (n8n is an open source workflow automation platform. Prior to
1.123.43, ...)
+ TODO: check
+CVE-2026-44726 (Deno is a JavaScript, TypeScript, and WebAssembly runtime.
From 2.0.0 ...)
+ TODO: check
+CVE-2026-44089 (TotolinkEX1200L router is vulnerable to Buffer Overflow in the
login f ...)
+ TODO: check
+CVE-2026-42867 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-35019 (NetComm NF20MESH routers running firmware R6B031 and earlier
contain a ...)
+ TODO: check
+CVE-2026-35018 (NetComm NF20MESH routers running firmware R6B031 and earlier
contain a ...)
+ TODO: check
+CVE-2026-33760 (Langflow is a tool for building and deploying AI-powered
agents and wo ...)
+ TODO: check
+CVE-2026-28496 (FOSSBilling is a free, open-source billing and client
management syste ...)
+ TODO: check
+CVE-2026-27604 (FOSSBilling is a free, open-source billing and client
management syste ...)
+ TODO: check
+CVE-2026-13007 (Tenable Identity Exposure contains multiple unauthenticated
API endpoi ...)
+ TODO: check
+CVE-2026-12969 (An out-of-bounds read vulnerability exists in dnsmasq's
find_soa() fun ...)
+ TODO: check
+CVE-2026-12958 (Missing symlink validation in Language Servers for AWS may
allow an ar ...)
+ TODO: check
+CVE-2026-12957 (Improper trust boundary enforcement in Language Servers for
AWS before ...)
+ TODO: check
+CVE-2026-11772 (DRIMO CMS is vulnerable to Reflected XSS via q parameter in
searching ...)
+ TODO: check
+CVE-2026-11374 (In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365
Manager ...)
+ TODO: check
+CVE-2026-10857 (Improper neutralization of input during web page generation
('cross-si ...)
+ TODO: check
+CVE-2026-10711 (Missing authentication for critical function vulnerability in
AKIN Sof ...)
+ TODO: check
+CVE-2026-10609 (A missing authorization flaw was found in the OpenShift
Cluster Loggin ...)
+ TODO: check
+CVE-2026-10521 (An high privileged remote attacker can access a hidden
configuration m ...)
+ TODO: check
+CVE-2026-0864 (When using the "configparser" module to write configuration
files cont ...)
+ TODO: check
+CVE-2025-71382 (MuPDF before 1.27.0-rc1 contains an uncontrolled recursion
vulnerabili ...)
+ TODO: check
+CVE-2025-71376 (picklescan before 0.0.29 fails to detect malicious pickle
files using ...)
+ TODO: check
+CVE-2025-71370 (picklescan before 0.0.28 fails to detect malicious
torch.jit.unsupport ...)
+ TODO: check
+CVE-2025-71365 (picklescan before 0.0.33 fails to detect malicious pickle
files that i ...)
+ TODO: check
+CVE-2025-71341 (picklescan before 0.0.29 fails to detect the
profile.Profile.runctx fu ...)
+ TODO: check
+CVE-2025-71337 (Flowise before 3.0.10 (affected versions 3.0.7 and earlier)
contains a ...)
+ TODO: check
+CVE-2025-62180 (Pega Platform versions 8.3.0 through Infinity 25.1.2 are
affected by a ...)
+ TODO: check
+CVE-2025-61029 (An issue in the sqlo_untry component of openlink
virtuoso-opensource v ...)
+ TODO: check
+CVE-2025-61028 (An issue in the time_t_to_dt component of openlink
virtuoso-opensource ...)
+ TODO: check
+CVE-2025-61027 (An issue in the t_set_push component of openlink
virtuoso-opensource v ...)
+ TODO: check
+CVE-2025-61025 (An issue in the sslr_qst_get component of openlink
virtuoso-opensource ...)
+ TODO: check
+CVE-2025-61024 (An issue in the sqlo_try_in_loop component of openlink
virtuoso-openso ...)
+ TODO: check
+CVE-2025-61023 (An issue in the st_compare component of openlink
virtuoso-opensource v ...)
+ TODO: check
+CVE-2025-61022 (An issue in the sqlo_tb_col_preds component of openlink
virtuoso-opens ...)
+ TODO: check
+CVE-2025-61021 (An issue in the sqlo_natural_join_cond component of openlink
virtuoso- ...)
+ TODO: check
+CVE-2025-61020 (An issue in the sqlo_strip_in_join component of openlink
virtuoso-open ...)
+ TODO: check
+CVE-2025-61019 (An issue in the sqlo_key_part_best component of openlink
virtuoso-open ...)
+ TODO: check
+CVE-2025-61018 (An issue in the sqlo_place_dt_set component of openlink
virtuoso-opens ...)
+ TODO: check
+CVE-2025-55639 (GPAC MP4Box v2.4 was discovered to contain a NULL pointer
dereference ...)
+ TODO: check
+CVE-2025-15619 (HCL Connections contains a broken access control vulnerability
that ma ...)
+ TODO: check
+CVE-2025-13162 (Uncontrolled Search Path Element vulnerability in ABB Control
Builder ...)
+ TODO: check
+CVE-2023-54365 (Traefik before 2.10.5 and 3.0.0-beta4 is affected by a
denial-of-servi ...)
+ TODO: check
CVE-2026-44517
- golang-github-containers-buildah <unfixed> (bug #1140619)
NOTE:
https://github.com/podman-container-tools/buildah/security/advisories/GHSA-49p4-px3h-rq49
NOTE: Fixed by:
https://github.com/podman-container-tools/buildah/security/advisories/GHSA-49p4-px3h-rq49
(v1.43.2)
-CVE-2026-11940
+CVE-2026-11940 (tarfile.extractall() with the 'data' or 'tar' filter could be
bypasse ...)
- python3.14 <unfixed>
- python3.13 <unfixed>
- python3.11 <removed>
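Review bot: in the CVE-2026-44517 (buildah) entry the `NOTE: Fixed by:` line points at the same GHSA advisory URL as the NOTE directly above it, so the `(v1.43.2)` hint is attached to an advisory rather than to a fix; either replace the second URL with the upstream fixing commit or release tag, or drop the duplicate and move the version hint onto the first NOTE. Of the roughly 150 new `TODO: check` entries, a handful name software shipped in Debian and deserve first triage: python3 (CVE-2026-0864 configparser, alongside the CVE-2026-11940 tarfile entry whose python3.x package lines are visible in this hunk), dnsmasq (CVE-2026-12969), GnuPG gpgsm (CVE-2026-57062), dhcpcd (CVE-2026-56113 through CVE-2026-56117, each with an upstream fixing commit already in the description) and ImageMagick (CVE-2026-56371, CVE-2026-56376, CVE-2026-56379); the remainder look like NOT-FOR-US candidates.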
@@ -19,7 +325,7 @@ CVE-2026-55556
NOTE: https://www.openwall.com/lists/oss-security/2026/06/23/4
NOTE: imhttp rsyslog plugin not packaged in Debian
NOTE:
https://github.com/rsyslog/rsyslog/commit/acde2ba25ea33816694b787859f4a727a247b6d6
(v8.2604.0)
-CVE-2026-50221
+CVE-2026-50221 (In OpenStack Swift before 2.37.2, proxy-server does not strip
internal ...)
- swift <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2026/06/23/5
NOTE: https://bugs.launchpad.net/swift/+bug/2150261
@@ -217,7 +523,7 @@ CVE-2025-71344 (picklescan before 0.0.30 (affected versions
0.0.26 and earlier)
NOT-FOR-US: picklescan
CVE-2025-71339 (Picklescan before 0.0.33 fails to detect the
numpy.f2py.crackfortran._ ...)
NOT-FOR-US: picklescan
-CVE-2026-9733
+CVE-2026-9733 (Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17
for Perl ...)
NOT-FOR-US: Mojolicious::Plugin::Web::Auth::OAuth2 Perl module
CVE-2026-9610 (IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator
9.1.7, 9 ...)
NOT-FOR-US: IBM
@@ -1243,11 +1549,11 @@ CVE-2016-20086 (Vembu StoreGrid 4.0 contains an
unquoted service path vulnerabil
NOT-FOR-US: Vembu StoreGrid
CVE-2016-20085 (Realtek High Definition Audio Driver 6.0.1.6730 contains an
unquoted s ...)
NOT-FOR-US: Realtek
-CVE-2026-55568
+CVE-2026-55568 (Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in
certain c ...)
- guzzle 7.12.1-1
[trixie] - guzzle <no-dsa> (Minor issue)
NOTE:
https://github.com/guzzle/guzzle/security/advisories/GHSA-wpwq-4j6v-78m3
-CVE-2026-55767
+CVE-2026-55767 (Guzzle is an extensible PHP HTTP client. Prior to 7.12.1,
CookieJar in ...)
- guzzle 7.12.1-1
[trixie] - guzzle <no-dsa> (Minor issue)
NOTE:
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwxw-98qj-8qjx
@@ -1408,7 +1714,7 @@ CVE-2026-2842
REJECTED
CVE-2026-25865 (Punto Switcher through 4.5.0.583 contains an unquoted search
path elem ...)
NOT-FOR-US: Punto Switcher
-CVE-2026-22674 (Hashgraph Guardian through 3.5.0, fixed in commit ba8c566,
contains a ...)
+CVE-2026-22674 (Hashgraph Guardian through 3.6.0, fixed in commit ba8c566,
contains a ...)
NOT-FOR-US: Hashgraph Guardian
CVE-2026-1856 (The Appointment Booking Calendar plugin for WordPress is
vulnerable to ...)
NOT-FOR-US: WordPress plugin
@@ -1453,7 +1759,7 @@ CVE-2025-15661 (libssh2 through 1.11.1, fixed in commit
2dae302, contains an out
NOTE: https://github.com/libssh2/libssh2/pull/1705
NOTE: https://github.com/libssh2/libssh2/pull/1717
NOTE: Fixed by:
https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d
-CVE-2026-55766
+CVE-2026-55766 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation
in PHP. ...)
- php-guzzlehttp-psr7 2.12.1-1
[trixie] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
NOTE:
https://github.com/guzzle/psr7/security/advisories/GHSA-vm85-hxw5-5432
@@ -3945,7 +4251,7 @@ CVE-2024-22451 (Dell Peripheral Manager, versions from
1.5.1 to 1.7.2, contain a
NOT-FOR-US: Dell / EMC
CVE-2024-22447 (Dell Peripheral Manager, versions prior to 1.7.3, contain an
uncontrol ...)
NOT-FOR-US: Dell / EMC
-CVE-2026-57053 [ToUnicode read-out-bounds]
+CVE-2026-57053 (GNU libidn before 1.44 is prone to out-of-bounds reads
ofuninitialized ...)
- libidn 1.44-1
[trixie] - libidn <no-dsa> (Minor issue)
NOTE:
https://lists.gnu.org/archive/html/help-libidn/2026-06/msg00001.html
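Review bot: the auto-filled description for CVE-2026-57053 reads "out-of-bounds reads ofuninitialized", a missing space presumably inherited from the CVE record; the bracketed placeholder it replaces, "[ToUnicode read-out-bounds]", was the only place the affected function was named, and the truncated description no longer carries it, so consider preserving "ToUnicode" in a NOTE next to the help-libidn link.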
@@ -4596,7 +4902,8 @@ CVE-2025-56814 (A code injection vulnerability in the
wxExecute() function of Op
TODO: check
CVE-2025-10262 (Nokia SR Linux is vulnerable to local privilege escalation
vulnerabili ...)
NOT-FOR-US: Nokia
-CVE-2026-56968 [NTLM client: Avoid use-of-unitialized-value inside libntlm]
+CVE-2026-56968 (GNU SASL before 2.2.4 lacks sanitization of a short challenge
in _gsas ...)
+ {DSA-6348-1}
- gsasl 2.2.4-1
NOTE:
https://lists.gnu.org/archive/html/help-gsasl/2026-06/msg00000.html
CVE-2026-53704 (A flaw was found in GStreamer's RealMedia demuxer in the
gst-plugins-u ...)
@@ -4616,6 +4923,7 @@ CVE-2026-53703 (A vulnerability was found in the
GStreamer RealMedia demuxer (gs
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11831 (1.26
branch)
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11832 (1.24
branch)
CVE-2026-52719 (An out-of-bounds read vulnerability was found in the VA JPEG
decoder i ...)
+ {DSA-6362-1}
- gst-plugins-bad1.0 1.28.4-1
NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0040.html
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11805
@@ -4623,6 +4931,7 @@ CVE-2026-52719 (An out-of-bounds read vulnerability was
found in the VA JPEG dec
NOTE: Fixed by:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/987278d3b2c01c5bf387181a120bec5856aba82c
(1.26 branch)
NOTE: Fixed by:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c5f9c5bee5f2139157c0ce0a160f0a1173b7ce94
(1.24 branch)
CVE-2026-52718 (A denial of service vulnerability was found in GStreamer's AV1
codec p ...)
+ {DSA-6362-1}
- gst-plugins-bad1.0 1.28.4-1
NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0039.html
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11803
@@ -5929,6 +6238,7 @@ CVE-2026-53702 (A stack buffer overflow flaw was found in
the GStreamer H.265 co
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890aa461742661a1f5a67b69ba608f61e779c23c
(1.28.3)
NOTE: Backport for 1.26:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11341
CVE-2026-53701 (An out-of-bounds write vulnerability was found in GStreamer's
H.266/VV ...)
+ {DSA-6362-1}
- gst-plugins-bad1.0 1.28.3-1
NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0026.html
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11581
@@ -9413,7 +9723,7 @@ CVE-2021-47983 (WordPress Plugin Stripe Payments 2.0.39
contains a stored cross-
NOT-FOR-US: WordPress plugin
CVE-2021-47982 (WordPress Plugin WP-Paginate 2.1.3 contains a stored
cross-site script ...)
NOT-FOR-US: WordPress plugin
-CVE-2026-49494 (Comodo Internet Security's firewall driver Inspect.sys
contains an int ...)
+CVE-2026-49494 (Xcitium Client Security (XCS) before 13.8.2.10019 and Comodo
Internet ...)
NOT-FOR-US: Comodo Internet Security
CVE-2026-36229
REJECTED
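Review bot: the description for CVE-2026-49494 now leads with "Xcitium Client Security (XCS) before 13.8.2.10019 and Comodo Internet ...", but the unchanged status line still reads "NOT-FOR-US: Comodo Internet Security"; update the label to name both products (for example "NOT-FOR-US: Xcitium Client Security / Comodo Internet Security") so the entry is found under the new vendor name as well.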
@@ -21438,17 +21748,17 @@ CVE-2026-39827 (An authenticated SSH client that
repeatedly opened channels whic
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/35127
-CVE-2026-34917
+CVE-2026-34917 (Low\u2011privileged session IDs generated for the web admin
console co ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-34916
+CVE-2026-34916 (A missing validation of user input when saving delivery
limitations in ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-34915
+CVE-2026-34915 (A missing sanitisation of user input in the zone-include.php
script of ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-34914
+CVE-2026-34914 (A missing sanitisation of user input in the zone-include.php
script of ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-34913
+CVE-2026-34913 (A missing access control check when linking trackers to
campaigns thro ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-34912
+CVE-2026-34912 (A missing access control check when linking banners or
campaigns to a ...)
NOT-FOR-US: Revive Adserver
CVE-2026-34911 (A malicious actor with access to the network and low
privileges could ...)
NOT-FOR-US: UniFi
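Review bot: the new description for CVE-2026-34917 contains a literal "\u2011" escape ("Low\u2011privileged") instead of the non-breaking hyphen it encodes; the same literal sequence appears in the later Revive Adserver hunk (CVE-2026-44961, CVE-2026-44958, CVE-2026-44956) and as "\u2013" in the CVE-2026-4610 ProfileGrid entry, so the importer is writing JSON escape sequences verbatim rather than decoding them. Decode them at import time, or map them to plain ASCII hyphen/dash, so the descriptions read and grep correctly.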
@@ -25390,6 +25700,7 @@ CVE-2026-44432 (urllib3 is an HTTP client library for
Python. From 2.6.0 to befo
NOTE:
https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j
NOTE: Fixed by:
https://github.com/urllib3/urllib3/commit/2bdcc44d1e163fb5cc48a8662425e35e15adfe6a
(2.7.0)
CVE-2026-44431 (urllib3 is an HTTP client library for Python. From 1.23 to
before 2.7. ...)
+ {DSA-6363-1}
- python-urllib3 <unfixed> (bug #1136653)
NOTE:
https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc
NOTE: Fixed by:
https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc
(2.7.0)
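Review bot: CVE-2026-44431 gains a {DSA-6363-1} line while its package line still reads "python-urllib3 <unfixed> (bug #1136653)". That is valid tracker syntax (the DSA records the stable fix), but the NOTE already identifies the fixing upstream commit in 2.7.0, so once the corresponding unstable upload exists the <unfixed> should be replaced with the fixed version so the unstable status does not lag behind the DSA.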
@@ -58909,17 +59220,17 @@ CVE-2026-4519 (The webbrowser.open() API would accept
leading dashes in the URL
NOTE: https://github.com/python/cpython/pull/148517 (3.13)
NOTE:
https://github.com/python/cpython/commit/d6d68494be70bdbda20f89f83801ba52ec37daa4
(3.13)
NOTE:
https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
(3.11)
-CVE-2026-44961
+CVE-2026-44961 (The XML\u2011RPC API addUser method has a validation bypass
introduced ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-44960
+CVE-2026-44960 (A stored XSS can be exploited by leveraging the usernames as
an attack ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-44959
+CVE-2026-44959 (A missing validation of user input exists when saving delivery
limitat ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-44958
+CVE-2026-44958 (An access control bypass allows an advertiser\u2011level user
to activ ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-44957
+CVE-2026-44957 (A missing access control check when invoking various modify
methods in ...)
NOT-FOR-US: Revive Adserver
-CVE-2026-44956
+CVE-2026-44956 (Low\u2011privileged users could use their Full Name as a
vector for a ...)
NOT-FOR-US: Revive Adserver
CVE-2026-4505 (A vulnerability has been found in eosphoros-ai DB-GPT up to
0.7.5. Thi ...)
NOT-FOR-US: eosphoros-ai DB-GPT
@@ -151280,7 +151591,7 @@ CVE-2025-38352 (In the Linux kernel, the following
vulnerability has been resolv
NOTE: https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/
NOTE: https://faith2dxy.xyz/2025-12-24/cve_2025_38352_analysis_part_2/
NOTE: https://faith2dxy.xyz/2026-01-03/cve_2025_38352_analysis_part_3/
-CVE-2025-7962 (In Jakarta Mail 2.0.2 it is possible to preform a SMTP
Injection by ut ...)
+CVE-2025-7962 (In Jakarta Mail versions prior to 2.0.2 it is possible to
perform an S ...)
- jakarta-mail <unfixed> (bug #1109804)
[trixie] - jakarta-mail <no-dsa> (Minor issue)
[bookworm] - jakarta-mail <no-dsa> (Minor issue)
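Review bot: the affected range for CVE-2025-7962 changed from "In Jakarta Mail 2.0.2" to "versions prior to 2.0.2", but the package lines (jakarta-mail <unfixed>, trixie and bookworm <no-dsa> (Minor issue)) were not revisited. If the jakarta-mail version in the archive is 2.0.2 or later the entry should become <not-affected> or carry the fixed version rather than stay <unfixed>, and bug #1109804 should be updated to match.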
@@ -593740,12 +594051,12 @@ CVE-2020-9715 (Adobe Acrobat and Reader versions
2020.009.20074 and earlier, 202
NOT-FOR-US: Adobe
CVE-2020-9714 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier,
2020.001 ...)
NOT-FOR-US: Adobe
-CVE-2020-9713
- RESERVED
+CVE-2020-9713 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier,
2020.001 ...)
+ TODO: check
CVE-2020-9712 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier,
2020.001 ...)
NOT-FOR-US: Adobe
-CVE-2020-9711
- RESERVED
+CVE-2020-9711 (Acrobat Reader versions 2020.009.20074, 2020.001.30002,
2017.011.30171 ...)
+ TODO: check
CVE-2020-9710 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier,
2020.001 ...)
NOT-FOR-US: Adobe
CVE-2020-9709
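Review bot: CVE-2020-9713 and CVE-2020-9711 move from RESERVED to "TODO: check", but their descriptions are the same Adobe Acrobat and Reader 2020.009.20074 text as the neighbouring entries already marked "NOT-FOR-US: Adobe"; they can be resolved straight to NOT-FOR-US: Adobe instead of being left for manual triage.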
@@ -593776,8 +594087,8 @@ CVE-2020-9697 (Adobe Acrobat and Reader versions
2020.009.20074 and earlier, 202
NOT-FOR-US: Adobe
CVE-2020-9696 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier,
2020.001 ...)
NOT-FOR-US: Adobe
-CVE-2020-9695
- RESERVED
+CVE-2020-9695 (Acrobat Reader versions 2020.009.20074, 2020.001.30002,
2017.011.30171 ...)
+ TODO: check
CVE-2020-9694 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier,
2020.001 ...)
NOT-FOR-US: Adobe
CVE-2020-9693 (Adobe Acrobat and Reader versions 2020.009.20074 and earlier,
2020.001 ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ccf34b7289772c547791444ceff259f1e5fc76c
--
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits