[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 23 08:26:33 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
01a4292e by security tracker role at 2026-04-23T07:26:27+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,157 @@
+CVE-2026-6878 (A vulnerability was identified in ByteDance verl up to 0.7.0. Affected ...)
+ TODO: check
+CVE-2026-6874 (A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. Th ...)
+ TODO: check
+CVE-2026-6019 (http.cookies.Morsel.js_output() returns an inline <script> snippet and ...)
+ TODO: check
+CVE-2026-5935 (IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9 ...)
+ TODO: check
+CVE-2026-5926 (IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Secur ...)
+ TODO: check
+CVE-2026-4919 (IBM Guardium Data Protection 12.1 is vulnerable to cross-site scriptin ...)
+ TODO: check
+CVE-2026-4918 (IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site s ...)
+ TODO: check
+CVE-2026-4917 (IBM Guardium Data Protection 12.1 could allow an administrative user t ...)
+ TODO: check
+CVE-2026-4512 (The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sani ...)
+ TODO: check
+CVE-2026-4106 (The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contai ...)
+ TODO: check
+CVE-2026-4049
+ REJECTED
+CVE-2026-41988 (uuid before 14.0.0 can make unexpected writes when external output buf ...)
+ TODO: check
+CVE-2026-41679 (Paperclip is a Node.js server and React UI that orchestrates a team of ...)
+ TODO: check
+CVE-2026-41455 (WeKan before8.35 contains a server-side request forgery vulnerability ...)
+ TODO: check
+CVE-2026-41454 (WeKan before8.35 contains a missing authorization vulnerability in the ...)
+ TODO: check
+CVE-2026-41314 (pypdf is a free and open-source pure-python PDF library. An attacker w ...)
+ TODO: check
+CVE-2026-41313 (pypdf is a free and open-source pure-python PDF library. An attacker w ...)
+ TODO: check
+CVE-2026-41312 (pypdf is a free and open-source pure-python PDF library. An attacker w ...)
+ TODO: check
+CVE-2026-41243 (OpenLearn is open-source educational forum software. Prior to commit 8 ...)
+ TODO: check
+CVE-2026-41233 (Froxlor is open source server administration software. Prior to versio ...)
+ TODO: check
+CVE-2026-41232 (Froxlor is open source server administration software. Prior to versio ...)
+ TODO: check
+CVE-2026-41231 (Froxlor is open source server administration software. Prior to versio ...)
+ TODO: check
+CVE-2026-41230 (Froxlor is open source server administration software. Prior to versio ...)
+ TODO: check
+CVE-2026-41229 (Froxlor is open source server administration software. Prior to versio ...)
+ TODO: check
+CVE-2026-41228 (Froxlor is open source server administration software. Prior to versio ...)
+ TODO: check
+CVE-2026-41211 (Vite+ is a unified toolchain and entry point for web development. Prio ...)
+ TODO: check
+CVE-2026-41208 (Paperclip is a Node.js server and React UI that orchestrates a team of ...)
+ TODO: check
+CVE-2026-41206 (PySpector is a static analysis security testing (SAST) Framework engin ...)
+ TODO: check
+CVE-2026-41200 (STIG Manager is an API and web client for managing Security Technical ...)
+ TODO: check
+CVE-2026-41197 (Noir is a Domain Specific Language for SNARK proving systems that is d ...)
+ TODO: check
+CVE-2026-41196 (Luanti (formerly Minetest) is an open source voxel game-creation platf ...)
+ TODO: check
+CVE-2026-41182 (LangSmith Client SDKs provide SDK's for interacting with the LangSmith ...)
+ TODO: check
+CVE-2026-41180 (PsiTransfer is an open source, self-hosted file sharing solution. Prio ...)
+ TODO: check
+CVE-2026-41179 (Rclone is a command-line program to sync files and directories to and ...)
+ TODO: check
+CVE-2026-41177 (Squidex is an open source headless content management system and conte ...)
+ TODO: check
+CVE-2026-41176 (Rclone is a command-line program to sync files and directories to and ...)
+ TODO: check
+CVE-2026-41175 (Statamic is a Laravel and Git powered content management system (CMS). ...)
+ TODO: check
+CVE-2026-41172 (Squidex is an open source headless content management system and conte ...)
+ TODO: check
+CVE-2026-41171 (Squidex is an open source headless content management system and conte ...)
+ TODO: check
+CVE-2026-41170 (Squidex is an open source headless content management system and conte ...)
+ TODO: check
+CVE-2026-41168 (pypdf is a free and open-source pure-python PDF library. An attacker w ...)
+ TODO: check
+CVE-2026-41167 (Jellystat is a free and open source Statistics App for Jellyfin. Prior ...)
+ TODO: check
+CVE-2026-41166 (OpenRemote is an open-source internet-of-things platform. Prior to ver ...)
+ TODO: check
+CVE-2026-41134 (Kiota is an OpenAPI based HTTP Client code generator. Versions prior t ...)
+ TODO: check
+CVE-2026-41040 (GROWI provided by GROWI, Inc. is vulnerable to a regular expression de ...)
+ TODO: check
+CVE-2026-40937 (RustFS is a distributed object storage system built in Rust. Prior to ...)
+ TODO: check
+CVE-2026-40882 (OpenRemote is an open-source internet-of-things platform. Prior to ver ...)
+ TODO: check
+CVE-2026-40529 (CMS ALAYA provided by KANATA Limited contains an SQL injection vulnera ...)
+ TODO: check
+CVE-2026-40517 (radare2 prior to 6.1.4 contains a command injection vulnerability in t ...)
+ TODO: check
+CVE-2026-40062 (A path Traversal vulnerability exists in Ziostation2 v2.9.8.7 and earl ...)
+ TODO: check
+CVE-2026-3844 (The Breeze Cache plugin for WordPress is vulnerable to arbitrary file ...)
+ TODO: check
+CVE-2026-3837 (An authenticated attacker can persist crafted values in multiple field ...)
+ TODO: check
+CVE-2026-3673 (An authenticated attacker can store a crafted tag value in _user_tags ...)
+ TODO: check
+CVE-2026-3621 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 I ...)
+ TODO: check
+CVE-2026-3361 (The WP Store Locator plugin for WordPress is vulnerable to Stored Cros ...)
+ TODO: check
+CVE-2026-3007 (Successful exploitation of the stored cross-site scripting (XSS) vulne ...)
+ TODO: check
+CVE-2026-34488 (IP Setting Software contains an issue with the DLL search path, which ...)
+ TODO: check
+CVE-2026-34068 (nimiq-transaction provides the transaction primitive to be used in Nim ...)
+ TODO: check
+CVE-2026-34067 (nimiq-transaction provides the transaction primitive to be used in Nim ...)
+ TODO: check
+CVE-2026-34066 (nimiq-blockchain provides persistent block storage for Nimiq's Rust im ...)
+ TODO: check
+CVE-2026-34065 (nimiq-primitives contains primitives (e.g., block, account, transactio ...)
+ TODO: check
+CVE-2026-34064 (nimiq-account contains account primitives to be used in Nimiq's Rust i ...)
+ TODO: check
+CVE-2026-34063 (Nimiq's network-libp2p is a Nimiq network implementation based on libp ...)
+ TODO: check
+CVE-2026-34062 (nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior ...)
+ TODO: check
+CVE-2026-33733 (EspoCRM is an open source customer relationship management application ...)
+ TODO: check
+CVE-2026-33656 (EspoCRM is an open source customer relationship management application ...)
+ TODO: check
+CVE-2026-33471 (nimiq-block contains block primitives to be used in Nimiq's Rust imple ...)
+ TODO: check
+CVE-2026-32679 (The installers of LiveOn Meet Client for Windows (Downloader5Installer ...)
+ TODO: check
+CVE-2026-2951 (The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg ...)
+ TODO: check
+CVE-2026-29198 (In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11 ...)
+ TODO: check
+CVE-2026-1923 (The Social Rocket \u2013 Social Sharing Plugin plugin for WordPress is ...)
+ TODO: check
+CVE-2026-1726 (IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5. ...)
+ TODO: check
+CVE-2026-1352 (IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UN ...)
+ TODO: check
+CVE-2026-1274 (IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to a B ...)
+ TODO: check
+CVE-2026-1272 (IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Sec ...)
+ TODO: check
+CVE-2025-36074 (IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM ...)
+ TODO: check
+CVE-2025-10549 (EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnera ...)
+ TODO: check
CVE-2026-40215
- openvpn 2.7.2-1
NOTE: https://community.openvpn.net/Security%20Announcements/CVE-2026-40215
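Review bot: the descriptions imported for CVE-2026-2951 and CVE-2026-1923 still carry literal `\u2013` escape sequences ("Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder", "Social Rocket \u2013 Social Sharing Plugin"), i.e. the JSON escape was not decoded; they should be stored as the en-dash (or the dash dropped) so the text matches the upstream plugin titles. Among the new `TODO: check` placeholders, CVE-2026-6019 describes `http.cookies.Morsel.js_output()`, which is Python's standard library, so it needs triage against the src:python3.x packages rather than a NOT-FOR-US mark.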
@@ -1001,7 +1155,7 @@ CVE-2026-35334 [strongswan: gmp plugin crash]
NOTE: https://github.com/strongswan/strongswan/releases/tag/6.0.6
NOTE: https://www.strongswan.org/blog/2026/04/22/strongswan-vulnerability-(cve-2026-35334).html
CVE-2026-41651 (PackageKit is a a D-Bus abstraction layer that allows the user to mana ...)
- {DSA-6226-1}
+ {DSA-6226-1 DLA-4545-1}
- packagekit 1.3.5-1
NOTE: https://lists.freedesktop.org/archives/packagekit/2026-April/026513.html
NOTE: https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
@@ -1013,12 +1167,12 @@ CVE-2026-4367
NOTE: https://www.openwall.com/lists/oss-security/2026/04/21/3
NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/5448e1bd
NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/31
-CVE-2026-41989 [libgcrypt ECDH buffer overwrite with zeroes]
+CVE-2026-41989 (Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow ...)
- libgcrypt20 1.12.2-1
NOTE: https://www.openwall.com/lists/oss-security/2026/04/21/1
NOTE: https://dev.gnupg.org/T8211
NOTE: Fixed by: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2d3d732c9bf87cc10729f69678dd9e6862f99fa3 (libgcrypt-1.12.2)
-CVE-2026-41990 [libgcrypt missing bounds check to the Dilithium context handling]
+CVE-2026-41990 (Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a stat ...)
- libgcrypt20 1.12.2-1
[trixie] - libgcrypt20 <not-affected> (Vulnerable code not present)
[bookworm] - libgcrypt20 <not-affected> (Vulnerable code not present)
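Review bot: CVE-2026-41989 has no per-release annotation, while CVE-2026-41990 directly below carries `[trixie] - libgcrypt20 <not-affected> (Vulnerable code not present)` and `[bookworm] - libgcrypt20 <not-affected> (Vulnerable code not present)`. The new description reads "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow", and the only fix recorded is `libgcrypt20 1.12.2-1` in unstable, so the trixie and bookworm status for CVE-2026-41989 should be determined and annotated (or a DSA/DLA reference added) alongside this description update.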
@@ -37635,7 +37789,7 @@ CVE-2025-47911 (The html.Parse function in golang.org/x/net/html has quadratic p
NOTE: Fixed by: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d (v0.45.0)
CVE-2025-15557 (An Improper Certificate Validation vulnerability in TP-Link Tapo H100 ...)
NOT-FOR-US: TP-Link
-CVE-2025-15551 (The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N ...)
+CVE-2025-15551 (The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL- ...)
NOT-FOR-US: TP-Link
CVE-2025-15343 (Tanium addressed an incorrect default permissions vulnerability in Enf ...)
NOT-FOR-US: Tanium
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01a4292e54756d99eb3e926e35d0a3c0e279243f