[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Apr 4 08:19:33 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5a51dbd6 by security tracker role at 2026-04-04T07:19:24+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,185 @@
+CVE-2026-5485 (OS command injection in the browser-based authentication component in ...)
+ TODO: check
+CVE-2026-5484 (A weakness has been identified in BookStackApp BookStack up to 26.03. ...)
+ TODO: check
+CVE-2026-3571 (The Pie Register \u2013 User Registration, Profiles & Content Restrict ...)
+ TODO: check
+CVE-2026-35616 (A improper access control vulnerability in Fortinet FortiClientEMS 7.4 ...)
+ TODO: check
+CVE-2026-35562 (Allocation of resources without limits in the parsing components in Am ...)
+ TODO: check
+CVE-2026-35561 (Insufficient authentication security controls in the browser-based aut ...)
+ TODO: check
+CVE-2026-35560 (Improper certificate validation in the identity provider connection co ...)
+ TODO: check
+CVE-2026-35559 (Out-of-bounds write in the query processing components in Amazon Athen ...)
+ TODO: check
+CVE-2026-35558 (Improper neutralization of special elements in the authentication comp ...)
+ TODO: check
+CVE-2026-35468 (nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of ...)
+ TODO: check
+CVE-2026-34990 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
+ TODO: check
+CVE-2026-34980 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
+ TODO: check
+CVE-2026-34979 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
+ TODO: check
+CVE-2026-34978 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
+ TODO: check
+CVE-2026-34955 (PraisonAI is a multi-agent teams system. Prior to version 4.5.97, Subp ...)
+ TODO: check
+CVE-2026-34954 (PraisonAI is a multi-agent teams system. Prior to version 1.5.95, File ...)
+ TODO: check
+CVE-2026-34953 (PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAut ...)
+ TODO: check
+CVE-2026-34952 (PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the ...)
+ TODO: check
+CVE-2026-34947 (Discourse is an open-source discussion platform. From versions 2026.1. ...)
+ TODO: check
+CVE-2026-34939 (PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPT ...)
+ TODO: check
+CVE-2026-34938 (PraisonAI is a multi-agent teams system. Prior to version 1.5.90, exec ...)
+ TODO: check
+CVE-2026-34937 (PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_ ...)
+ TODO: check
+CVE-2026-34936 (PraisonAI is a multi-agent teams system. Prior to version 4.5.90, pass ...)
+ TODO: check
+CVE-2026-34935 (PraisonAI is a multi-agent teams system. From version 4.5.15 to before ...)
+ TODO: check
+CVE-2026-34934 (PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the ...)
+ TODO: check
+CVE-2026-34933 (Avahi is a system which facilitates service discovery on a local netwo ...)
+ TODO: check
+CVE-2026-34824 (Mesop is a Python-based UI framework that allows users to build web ap ...)
+ TODO: check
+CVE-2026-34788 (Emlog is an open source website building system. In versions 2.6.2 and ...)
+ TODO: check
+CVE-2026-34787 (Emlog is an open source website building system. In versions 2.6.2 and ...)
+ TODO: check
+CVE-2026-34780 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34779 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34778 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34777 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34776 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34775 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34774 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34773 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34772 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34771 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34770 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34769 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34768 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34767 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34766 (Electron is a framework for writing cross-platform desktop application ...)
+ TODO: check
+CVE-2026-34612 (Kestra is an open-source, event-driven orchestration platform. Prior t ...)
+ TODO: check
+CVE-2026-34607 (Emlog is an open source website building system. In versions 2.6.2 and ...)
+ TODO: check
+CVE-2026-34511 (OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state p ...)
+ TODO: check
+CVE-2026-34229 (Emlog is an open source website building system. Prior to version 2.6. ...)
+ TODO: check
+CVE-2026-34228 (Emlog is an open source website building system. Prior to version 2.6. ...)
+ TODO: check
+CVE-2026-34061 (nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of ...)
+ TODO: check
+CVE-2026-34052 (LTI JupyterHub Authenticator is a JupyterHub authenticator for LTI. Pr ...)
+ TODO: check
+CVE-2026-33709 (JupyterHub is software that allows one to create a multi-user server f ...)
+ TODO: check
+CVE-2026-33184 (nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of ...)
+ TODO: check
+CVE-2026-33175 (OAuthenticator is software that allows OAuth2 identity providers to be ...)
+ TODO: check
+CVE-2026-32662 (Development and test API endpoints are present that mirror production ...)
+ TODO: check
+CVE-2026-32646 (A specific administrative endpoint is accessible without proper authen ...)
+ TODO: check
+CVE-2026-2949 (The Xpro Addons \u2014 140+ Widgets for Elementor plugin for WordPress ...)
+ TODO: check
+CVE-2026-2924 (The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem ...)
+ TODO: check
+CVE-2026-28798 (ZimaOS is a fork of CasaOS, an operating system for Zima devices and x ...)
+ TODO: check
+CVE-2026-28797 (RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. ...)
+ TODO: check
+CVE-2026-28767 (A specific administrative endpoint notifications is accessible without ...)
+ TODO: check
+CVE-2026-28766 (A specific endpoint exposes all user account information for registere ...)
+ TODO: check
+CVE-2026-27885 (Piwigo is an open source photo gallery application for the web. Prior ...)
+ TODO: check
+CVE-2026-27834 (Piwigo is an open source photo gallery application for the web. Prior ...)
+ TODO: check
+CVE-2026-27833 (Piwigo is an open source photo gallery application for the web. Prior ...)
+ TODO: check
+CVE-2026-27634 (Piwigo is an open source photo gallery application for the web. Prior ...)
+ TODO: check
+CVE-2026-27481 (Discourse is an open-source discussion platform. From versions 2026.1. ...)
+ TODO: check
+CVE-2026-27447 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
+ TODO: check
+CVE-2026-26058 (Zulip is an open-source team collaboration tool. From version 1.4.0 to ...)
+ TODO: check
+CVE-2026-25742 (Zulip is an open-source team collaboration tool. Prior to version 11.6 ...)
+ TODO: check
+CVE-2026-25726 (Cloudreve is a self-hosted file management and sharing system. Prior t ...)
+ TODO: check
+CVE-2026-25197 (A specific endpoint allows authenticated users to pivot to other user ...)
+ TODO: check
+CVE-2026-22665 (prompts.chat prior to commit 1464475 contains an identity confusion vu ...)
+ TODO: check
+CVE-2026-22664 (prompts.chat prior to commit 30a8f04 contains a server-side request fo ...)
+ TODO: check
+CVE-2026-22663 (prompts.chat prior to commit 7b81836 contains multiple authorization b ...)
+ TODO: check
+CVE-2026-22662 (prompts.chat prior to commit 1464475 contains a blind server-side requ ...)
+ TODO: check
+CVE-2026-22661 (prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnera ...)
+ TODO: check
+CVE-2025-10681 (Storage credentials are hardcoded in the mobile app and device firmwar ...)
+ TODO: check
+CVE-2022-4987 (Hirschmann Industrial HiVision version 08.1.03 prior to 08.1.04 and 08 ...)
+ TODO: check
+CVE-2021-4477 (Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypas ...)
+ TODO: check
+CVE-2020-37216 (Hirschmann HiOS devices versions prior to 08.1.00 and 07.1.01 contain ...)
+ TODO: check
+CVE-2018-25237 (Hirschmann HiSecOS devices versions prior to 05.3.03 contain a buffer ...)
+ TODO: check
+CVE-2018-25236 (Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, ...)
+ TODO: check
+CVE-2017-20238 (Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 0 ...)
+ TODO: check
+CVE-2017-20237 (Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 c ...)
+ TODO: check
+CVE-2017-20236 (ProSoft Technology ICX35-HWC versions 1.3 and prior cellular gateways ...)
+ TODO: check
+CVE-2017-20235 (ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways c ...)
+ TODO: check
+CVE-2017-20234 (GarrettCom Magnum 6K and 10K managed switches contain an authenticatio ...)
+ TODO: check
+CVE-2017-20233 (Hirschmann HiLCOS products OpenBAT, BAT450, WLC, BAT867 contains a fir ...)
+ TODO: check
+CVE-2016-15058 (Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P ...)
+ TODO: check
+CVE-2015-10148 (Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 an ...)
+ TODO: check
CVE-2026-5476 (A vulnerability was identified in NASA cFS up to 7.0.0 on 32-bit. Affe ...)
NOT-FOR-US: NASA cFS
CVE-2026-5475 (A vulnerability was determined in NASA cFS up to 7.0.0. This impacts t ...)
@@ -1067,7 +1249,7 @@ CVE-2024-40849 (A race condition was addressed with additional validation. This
NOT-FOR-US: Apple
CVE-2023-7342 (HiSecOS web server versions 03.4.00 prior to 04.1.00 contains a privil ...)
NOT-FOR-US: HiSecOS web server
-CVE-2026-27456 [util-linux: mount(8) TOCTOU symlink attack via loop device]
+CVE-2026-27456 (util-linux is a random collection of Linux utilities. Prior to version ...)
- util-linux 2.42-1
NOTE: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g
NOTE: Fixed by: https://github.com/util-linux/util-linux/commit/0ba0f14caa812349424df0da00ac2d97fee9d972 (v2.42)
@@ -50500,17 +50682,17 @@ CVE-2025-67728 (Fireshare facilitates self-hosted media and link sharing. Versio
CVE-2025-67727 (Parse Server is an open source backend that can be deployed to any inf ...)
NOT-FOR-US: Parse Server
CVE-2025-67726 (Tornado is a Python web framework and asynchronous networking library. ...)
- {DLA-4461-1}
+ {DSA-6195-1 DLA-4461-1}
- python-tornado 6.5.4-0.1 (bug #1122663)
NOTE: https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8
NOTE: Fixed by: https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd (v6.5.3)
CVE-2025-67725 (Tornado is a Python web framework and asynchronous networking library. ...)
- {DLA-4461-1}
+ {DSA-6195-1 DLA-4461-1}
- python-tornado 6.5.4-0.1 (bug #1122661)
NOTE: https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64
NOTE: Fixed by: https://github.com/tornadoweb/tornado/commit/68e81b4a3385161877408a7a49c7ed12b45a614d (v6.5.3)
CVE-2025-67724 (Tornado is a Python web framework and asynchronous networking library. ...)
- {DLA-4461-1}
+ {DSA-6195-1 DLA-4461-1}
- python-tornado 6.5.4-0.1 (bug #1122660)
NOTE: https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f
NOTE: Fixed by: https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421 (v6.5.3)
@@ -98655,7 +98837,8 @@ CVE-2025-2329 (In high traffic environments, a Silicon Labs OpenThread RCP (see
NOT-FOR-US: Silicon Labs
CVE-2025-29631 (Gardyn Home Kit firmware before master.619, Home Kit Mobile Applicatio ...)
NOT-FOR-US: Gardyn
-CVE-2025-29630 (Gardyn Home Kit Firmware allows a remote attacker with the correspondi ...)
+CVE-2025-29630
+ REJECTED
NOT-FOR-US: Gardyn
CVE-2025-29629 (Gardyn Home Kit firmware before master.619, Home Kit Mobile Applicatio ...)
NOT-FOR-US: Gardyn
@@ -930088,7 +930271,7 @@ CVE-2006-10002 (XML::Parser versions through 2.45 for Perl could overflow the pr
NOTE: Additional improvement: https://github.com/cpan-authors/XML-Parser/commit/5361c2b7f48599718cdecbe50c5fdd88b28ffd79 (2.48)
NOTE: Issue was originally fixed in 2.34-4.2 but was lost with the 2.40-1 rebases.
CVE-2006-10003 (XML::Parser versions through 2.47 for Perl has an off-by-one heap buff ...)
- {DSA-6182-1}
+ {DSA-6182-1 DLA-4522-1}
- libxml-parser-perl 2.47-2 (bug #378412; medium)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/38106362/
NOTE: https://rt.cpan.org/Ticket/Display.html?id=19860
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a51dbd61296e1397f4b8ce14a3773db514b324d
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a51dbd61296e1397f4b8ce14a3773db514b324d
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260404/d289cb32/attachment.htm>
More information about the debian-security-tracker-commits
mailing list