[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Nov 7 08:34:01 GMT 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7b081a52 by Moritz Muehlenhoff at 2025-11-07T09:33:38+01:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,84 +1,84 @@
CVE-2025-64346 (archives is a Go library for extracting archives (tar, zip, etc.). Ver ...)
- TODO: check
+ NOT-FOR-US: jaredallard/archives Go library
CVE-2025-64343 ((conda) Constructor is a tool that enables users to create installers ...)
- TODO: check
+ NOT-FOR-US: conda
CVE-2025-64339 (ClipBucket v5 is an open source video sharing platform. In versions 5. ...)
- TODO: check
+ NOT-FOR-US: ClipBucket
CVE-2025-64338
REJECTED
CVE-2025-64336 (ClipBucket v5 is an open source video sharing platform. In versions 5. ...)
- TODO: check
+ NOT-FOR-US: ClipBucket
CVE-2025-64329 (containerd is an open-source container runtime. Versions 1.7.28 and be ...)
- containerd <unfixed>
NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
NOTE: https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df (v2.2.0)
NOTE: https://github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7 (v1.7.29)
CVE-2025-64328 (FreePBX Endpoint Manager is a module for managing telephony endpoints ...)
- TODO: check
+ NOT-FOR-US: FreePBX Endpoint Manager
CVE-2025-64327 (ThinkDashboard is a self-hosted bookmark dashboard built with Go and v ...)
- TODO: check
+ NOT-FOR-US: ThinkDashboard
CVE-2025-64326 (Weblate is a web based localization tool. In versions 5.14 and below, ...)
- TODO: check
+ - weblate <itp> (bug #745661)
CVE-2025-64323 (kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and belo ...)
- TODO: check
+ NOT-FOR-US: kgateway
CVE-2025-64302 (Insufficient input sanitization in the dashboard label or path can all ...)
- TODO: check
+ NOT-FOR-US: Advantech
CVE-2025-64187 (OctoPrint provides a web interface for controlling consumer 3D printer ...)
- TODO: check
+ - octoprint <itp> (bug #718591)
CVE-2025-64184 (Dosage is a comic strip downloader and archiver. When downloading comi ...)
- TODO: check
+ NOT-FOR-US: Dosage
CVE-2025-64180 (Manager-io/Manager is accounting software. In Manager Desktop and Serv ...)
- TODO: check
+ NOT-FOR-US: DosageManager-io/Manager
CVE-2025-64179 (lakeFS is an open-source tool that transforms object storage into a Gi ...)
- TODO: check
+ NOT-FOR-US: lakeFS
CVE-2025-64178 (Jellysweep is a cleanup tool for the Jellyfin media server. In version ...)
- TODO: check
+ NOT-FOR-US: Jellysweep
CVE-2025-64177 (ThinkDashboard is a self-hosted bookmark dashboard built with Go and v ...)
- TODO: check
+ NOT-FOR-US: ThinkDashboard
CVE-2025-64176 (ThinkDashboard is a self-hosted bookmark dashboard built with Go and v ...)
- TODO: check
+ NOT-FOR-US: ThinkDashboard
CVE-2025-64174 (Magento-lts is a long-term support alternative to Magento Community Ed ...)
- TODO: check
+ NOT-FOR-US: Magento LTS (alternative to Magento Community Edition)
CVE-2025-64173 (Apollo Router Core is a configurable graph router written in Rust to r ...)
- TODO: check
+ NOT-FOR-US: Apollo Router Core
CVE-2025-62630 (Due to insufficient sanitization, an attacker can upload a specially ...)
- TODO: check
+ NOT-FOR-US: Advantech
CVE-2025-5483 (The LC Wizard plugin for WordPress is vulnerable to Privilege Escalati ...)
NOT-FOR-US: WordPress plugin
CVE-2025-59171 (Due to insufficient sanitization, an attacker can upload a specially ...)
- TODO: check
+ NOT-FOR-US: Advantech
CVE-2025-58423 (Due to insufficient sanitization, an attacker can upload a specially ...)
- TODO: check
+ NOT-FOR-US: Advantech
CVE-2025-52662 (A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. ...)
- TODO: check
+ NOT-FOR-US: Nuxt DevTools
CVE-2025-4522 (The IDonate \u2013 Blood Donation, Request And Donor Management System ...)
NOT-FOR-US: WordPress plugin
CVE-2025-4519 (The IDonate \u2013 Blood Donation, Request And Donor Management System ...)
NOT-FOR-US: WordPress plugin
CVE-2025-48985 (A vulnerability in Vercel\u2019s AI SDK has been fixed in versions 5.0 ...)
- TODO: check
+ NOT-FOR-US: Vercel AI SDK
CVE-2025-33110 (IBM OpenPages 9.1, and 9.0 with Watson is vulnerable to HTML injection ...)
NOT-FOR-US: IBM
CVE-2025-12636 (The Ubia camera ecosystem fails to adequately secure API credentials, ...)
- TODO: check
+ NOT-FOR-US: Ubia
CVE-2025-12527 (The Page & Post Notes plugin for WordPress is vulnerable to unauthoriz ...)
NOT-FOR-US: WordPress plugin
CVE-2025-12520 (The WP Airbnb Review Slider plugin for WordPress is vulnerable to Stor ...)
NOT-FOR-US: WordPress plugin
CVE-2025-12490 (Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulne ...)
- TODO: check
+ NOT-FOR-US: Netgate pfSene
CVE-2025-12489 (evernote-mcp-server openBrowser Command Injection Privilege Escalation ...)
- TODO: check
+ NOT-FOR-US: evernote-mcp-server
CVE-2025-12488 (oobabooga text-generation-webui trust_remote_code Reliance on Untruste ...)
- TODO: check
+ NOT-FOR-US: oobabooga text-generation-webui
CVE-2025-12487 (oobabooga text-generation-webui trust_remote_code Reliance on Untruste ...)
- TODO: check
+ NOT-FOR-US: oobabooga text-generation-webui
CVE-2025-12486 (Heimdall Data Database Proxy Cross-Site Scripting Remote Code Executio ...)
- TODO: check
+ NOT-FOR-US: Heimdall
CVE-2025-12352 (The Gravity Forms plugin for WordPress is vulnerable to arbitrary file ...)
NOT-FOR-US: WordPress plugin
CVE-2025-11546 (CLUSTERPRO X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2 and EXPRESSCLUS ...)
- TODO: check
+ NOT-FOR-US: CLUSTERPRO X
CVE-2025-12790 (A flaw was found in Rubygem MQTT. By default, the package used to not ...)
NOT-FOR-US: Rubygem MQTT
CVE-2025-12789 (A flaw was found in Red Hat Single Sign-On. This issue is an Open Redi ...)
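Review bot: the entry for CVE-2025-64180 reads `NOT-FOR-US: DosageManager-io/Manager`, which looks like the product name from the preceding CVE-2025-64184 (Dosage) pasted in front of the real one; the description names the software as Manager-io/Manager, so `NOT-FOR-US: Manager-io/Manager` would match. In the same hunk, CVE-2025-12490's line spells the product `pfSene` while the description says Netgate pfSense CE; `NOT-FOR-US: Netgate pfSense` would keep the tracker's NFU text searchable by the correct name.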
@@ -576,7 +576,7 @@ CVE-2025-60753 (An issue was discovered in libarchive bsdtar before version 3.8.
CVE-2025-5770 (A reflected cross-site scripting (XSS) vulnerability exists in the aut ...)
NOT-FOR-US: WSO2
CVE-2025-59716 (ownCloud Guests before 0.12.5 allows unauthenticated user enumeration ...)
- TODO: check
+ NOT-FOR-US: ownCloud Guests
CVE-2025-58337 (An attacker with a valid read-only account can bypass Doris MCP Server ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2025-57244 (OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scr ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b081a5214a54d4b28f31854545e64be678006b1