[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 23 12:46:34 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5fb03265 by Salvatore Bonaccorso at 2026-04-23T13:45:37+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -119,11 +119,11 @@ CVE-2026-41168 (pypdf is a free and open-source pure-python PDF library. An atta
NOTE: https://github.com/py-pdf/pypdf/pull/3733
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/62338e9d36419cf193ccec7331784f45df1d70b3 (6.10.1)
CVE-2026-41167 (Jellystat is a free and open source Statistics App for Jellyfin. Prior ...)
- TODO: check
+ NOT-FOR-US: Jellystat
CVE-2026-41166 (OpenRemote is an open-source internet-of-things platform. Prior to ver ...)
NOT-FOR-US: OpenRemote
CVE-2026-41134 (Kiota is an OpenAPI based HTTP Client code generator. Versions prior t ...)
- TODO: check
+ NOT-FOR-US: Kiota
CVE-2026-41040 (GROWI provided by GROWI, Inc. is vulnerable to a regular expression de ...)
NOT-FOR-US: GROWI
CVE-2026-40937 (RustFS is a distributed object storage system built in Rust. Prior to ...)
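Review bot: The `NOT-FOR-US: Kiota` tag on CVE-2026-41134 covers the generator only, while the description calls Kiota an "HTTP Client code generator", so the exposure may sit in generated code rather than in a Kiota package. If packaged software embedding Kiota-generated clients was ruled out, a short NOTE line recording that would save the next triager from repeating the check. The Jellystat entry follows the same form as the neighbouring `NOT-FOR-US: OpenRemote` and needs no change.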
@@ -139,9 +139,9 @@ CVE-2026-40062 (A path Traversal vulnerability exists in Ziostation2 v2.9.8.7 an
CVE-2026-3844 (The Breeze Cache plugin for WordPress is vulnerable to arbitrary file ...)
NOT-FOR-US: WordPress plugin
CVE-2026-3837 (An authenticated attacker can persist crafted values in multiple field ...)
- TODO: check
+ NOT-FOR-US: Frappe
CVE-2026-3673 (An authenticated attacker can store a crafted tag value in _user_tags ...)
- TODO: check
+ NOT-FOR-US: Frappe
CVE-2026-3621 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 I ...)
NOT-FOR-US: IBM
CVE-2026-3361 (The WP Store Locator plugin for WordPress is vulnerable to Stored Cros ...)
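Review bot: Neither CVE-2026-3837 nor CVE-2026-3673 names a product in the truncated description shown here ("An authenticated attacker can ..."), so the `NOT-FOR-US: Frappe` attribution cannot be verified from the list entry alone. Consider adding a NOTE with the advisory or CNA reference that ties both IDs to Frappe, so the tag is traceable without opening the full CVE record.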
@@ -149,7 +149,7 @@ CVE-2026-3361 (The WP Store Locator plugin for WordPress is vulnerable to Stored
CVE-2026-3007 (Successful exploitation of the stored cross-site scripting (XSS) vulne ...)
TODO: check
CVE-2026-34488 (IP Setting Software contains an issue with the DLL search path, which ...)
- TODO: check
+ NOT-FOR-US: IP Setting Software
CVE-2026-34068 (nimiq-transaction provides the transaction primitive to be used in Nim ...)
TODO: check
CVE-2026-34067 (nimiq-transaction provides the transaction primitive to be used in Nim ...)
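Review bot: The tag `NOT-FOR-US: IP Setting Software` on CVE-2026-34488 is a generic product name with no vendor, which makes it hard to search for and easy to confuse with similarly named tools. If the CVE record names a vendor, include it in the tag, as the nearby `NOT-FOR-US: IBM` entry does.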
@@ -165,13 +165,13 @@ CVE-2026-34063 (Nimiq's network-libp2p is a Nimiq network implementation based o
CVE-2026-34062 (nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior ...)
TODO: check
CVE-2026-33733 (EspoCRM is an open source customer relationship management application ...)
- TODO: check
+ NOT-FOR-US: EspoCRM
CVE-2026-33656 (EspoCRM is an open source customer relationship management application ...)
- TODO: check
+ NOT-FOR-US: EspoCRM
CVE-2026-33471 (nimiq-block contains block primitives to be used in Nimiq's Rust imple ...)
TODO: check
CVE-2026-32679 (The installers of LiveOn Meet Client for Windows (Downloader5Installer ...)
- TODO: check
+ NOT-FOR-US: LiveOn Meet Client for Windows
CVE-2026-2951 (The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg ...)
NOT-FOR-US: WordPress plugin
CVE-2026-29198 (In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11 ...)
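Review bot: On CVE-2026-32679 the tag `NOT-FOR-US: LiveOn Meet Client for Windows` carries the platform suffix from the description, whereas the other tags in this hunk use the bare product name (`EspoCRM`). Shortening it to the product name would keep NFU tags consistent for later automatic matching of the same product. The two EspoCRM entries are consistent with each other and look fine.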
@@ -576,7 +576,7 @@ CVE-2026-33256 (An attacker can send a web request that causes unlimited memory
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33256-unbounded-memory-allocation-by-internal-web-server
CVE-2026-32885 (DDEV is an open-source tool for running local web development environm ...)
- TODO: check
+ NOT-FOR-US: DDEV
CVE-2026-31530 (In the Linux kernel, the following vulnerability has been resolved: c ...)
- linux 6.19.11-1
[bookworm] - linux <not-affected> (Vulnerable code not present)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fb03265124c8fc8e0ff58be2434a4021454c033