[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Apr 24 23:31:41 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4c1692df by Moritz Muehlenhoff at 2026-04-25T00:31:23+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7,7 +7,7 @@ CVE-2026-6272 (A client holding only a read JWT scope can still register itself
CVE-2026-6043 (P4 Server versions prior to 2026.1 are configured with insecure defaul ...)
TODO: check
CVE-2026-4313 (AdaptiveGRC is vulnerable to Stored XSS via text type fields across th ...)
- TODO: check
+ NOT-FOR-US: AdaptiveGRC
CVE-2026-4078 (The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scr ...)
NOT-FOR-US: WordPress plugin
CVE-2026-42095 (bookserver in KDE Arianna before 26.04.1 allows attackers to read file ...)
@@ -77,7 +77,7 @@ CVE-2026-41676 (rust-openssl provides OpenSSL bindings for the Rust programming
- rust-openssl <unfixed>
NOTE: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5
CVE-2026-41492 (Dgraph is an open source distributed GraphQL database. Prior to 25.3.3 ...)
- TODO: check
+ NOT-FOR-US: Dgraph
CVE-2026-41416 (PJSIP is a free and open source multimedia communication library writt ...)
TODO: check
CVE-2026-41415 (PJSIP is a free and open source multimedia communication library writt ...)
@@ -89,13 +89,13 @@ CVE-2026-41411 (Vim is an open source, command line text editor. Prior to 9.2.03
NOTE: https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8
NOTE: https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb (v9.2.0357)
CVE-2026-41328 (Dgraph is an open source distributed GraphQL database. Prior to 25.3.3 ...)
- TODO: check
+ NOT-FOR-US: Dgraph
CVE-2026-41327 (Dgraph is an open source distributed GraphQL database. Prior to 25.3.3 ...)
- TODO: check
+ NOT-FOR-US: Dgraph
CVE-2026-41322 (@astrojs/node allows Astro to deploy your SSR site to Node targets. Pr ...)
- TODO: check
+ NOT-FOR-US: @astrojs/node
CVE-2026-41321 (@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers ...)
- TODO: check
+ NOT-FOR-US: @astrojs/cloudflare
CVE-2026-41140 (Poetry is a dependency manager for Python. Prior to 2.3.4, the extract ...)
TODO: check
CVE-2026-41079 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
@@ -103,13 +103,13 @@ CVE-2026-41079 (OpenPrinting CUPS is an open source printing system for Linux an
NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-6wpw-g8g6-wvrv
NOTE: https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080 (v2.4.17)
CVE-2026-41067 (Astro is a web framework. Prior to 6.1.6, the defineScriptVars functio ...)
- TODO: check
+ NOT-FOR-US: Astro web framework
CVE-2026-41066 (lxml is a library for processing XML and HTML in the Python language. ...)
TODO: check
CVE-2026-40897 (Math.js is an extensive math library for JavaScript and Node.js. From ...)
TODO: check
CVE-2026-40690 (The asset dependency graph did not restrict nodes by the viewer's DAG ...)
- TODO: check
+ - airflow <itp> (bug #819700)
CVE-2026-40609
REJECTED
CVE-2026-3569 (The Liaison Site Prober plugin for WordPress is vulnerable to Informat ...)
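Review bot: the `- airflow <itp> (bug #819700)` line for CVE-2026-40690 carries no NOTE: with the upstream advisory or fixing commit, unlike the CUPS entry a few lines up in the same hunk (`NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-6wpw-g8g6-wvrv`). An <itp> entry gets revisited once the package reaches the archive, so recording the upstream reference and fixed version now saves a second lookup then.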
@@ -121,11 +121,11 @@ CVE-2026-39920 (BridgeHead FileStore versions prior to 24A (released in early 20
CVE-2026-38743 (The authenticated /ui/dagsendpoint did not enforce per-DAG access cont ...)
TODO: check
CVE-2026-33666 (Zserio is a framework for serializing structured data with a compact a ...)
- TODO: check
+ NOT-FOR-US: Zserio
CVE-2026-33662 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion ...)
TODO: check
CVE-2026-33524 (Zserio is a framework for serializing structured data with a compact a ...)
- TODO: check
+ NOT-FOR-US: Zserio
CVE-2026-31672 (In the Linux kernel, the following vulnerability has been resolved: w ...)
TODO: check
CVE-2026-31671 (In the Linux kernel, the following vulnerability has been resolved: x ...)
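Review bot: CVE-2026-38743 at the top of this hunk is left at TODO: check, yet its description (the authenticated /ui/dags endpoint not enforcing per-DAG access control) reads like the same Airflow access-control class as CVE-2026-40690, which the previous hunk resolves to `- airflow <itp> (bug #819700)`. If it is Airflow it should get the same itp line here; if it is a different product, a NOT-FOR-US naming that product would make the distinction explicit instead of leaving a near-duplicate TODO.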
@@ -405,29 +405,29 @@ CVE-2026-31535 (In the Linux kernel, the following vulnerability has been resolv
CVE-2026-31534 (In the Linux kernel, the following vulnerability has been resolved: s ...)
TODO: check
CVE-2026-31052 (An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attac ...)
- TODO: check
+ NOT-FOR-US: Hostbill
CVE-2026-31051 (An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attac ...)
- TODO: check
+ NOT-FOR-US: Hostbill
CVE-2026-31050 (Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-1 ...)
- TODO: check
+ NOT-FOR-US: Hostbill
CVE-2026-30368 (A client-side authorization flaw in Lightspeed Classroom v5.1.2.176377 ...)
- TODO: check
+ NOT-FOR-US: Lightspeed Classroom
CVE-2026-25660 (CodeChecker is an analyzer tooling, defect database and viewer extensi ...)
NOT-FOR-US: Ericsson
CVE-2026-23902 (Incorrect Authorization vulnerability in Apache DolphinScheduler allow ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-21728 (Tempo queries with large limits can cause large memory allocations whi ...)
- TODO: check
+ NOT-FOR-US: Grafana Tempo
CVE-2026-21515 (Exposure of sensitive information to an unauthorized actor in Azure IO ...)
NOT-FOR-US: Microsoft
CVE-2025-67259 (A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 wh ...)
- TODO: check
+ NOT-FOR-US: ClassroomIO
CVE-2025-62233 (Deserialization of Untrusted Data vulnerability in Apache DolphinSched ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2025-61872 (Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying result ...)
- TODO: check
+ - mahara <removed>
CVE-2025-59308 (In Mahara before 24.04.10 and 25 before 25.04.1, an institution admini ...)
- TODO: check
+ - mahara <removed>
CVE-2025-11762 (The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for ...)
NOT-FOR-US: WordPress plugin
CVE-2026-40466 (Improper Input Validation, Improper Control of Generation of Code ('Co ...)
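Review bot: the two `- mahara <removed>` lines (CVE-2025-61872, CVE-2025-59308) drop the TODO without a NOTE: line, although the descriptions already name the upstream fixed versions (25.04.2 / 24.04.11 and 24.04.10 / 25.04.1 respectively); recording them in a NOTE keeps that information with the entry should mahara be re-introduced. The NOT-FOR-US lines in the rest of the hunk (Hostbill, Lightspeed Classroom, Grafana Tempo, ClassroomIO) follow the form used elsewhere in the file.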
@@ -462,9 +462,9 @@ CVE-2026-6732 (A flaw was found in libxml2. This vulnerability occurs when the l
CVE-2026-6393 (The BetterDocs plugin for WordPress is vulnerable to Missing Authoriza ...)
NOT-FOR-US: WordPress plugin
CVE-2026-6376 (A weakness in SpiceJet\u2019s public booking retrieval page permits fu ...)
- TODO: check
+ NOT-FOR-US: SpiceJet
CVE-2026-6375 (A vulnerability in SpiceJet\u2019s booking API allows unauthenticated ...)
- TODO: check
+ NOT-FOR-US: SpiceJet
CVE-2026-5488 (The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugi ...)
NOT-FOR-US: WordPress plugin
CVE-2026-5428 (The Royal Elementor Addons plugin for WordPress is vulnerable to Store ...)
@@ -474,9 +474,9 @@ CVE-2026-5364 (The Drag and Drop File Upload for Contact Form 7 plugin for WordP
CVE-2026-5347 (The HM Books Gallery plugin for WordPress is vulnerable to Missing Aut ...)
NOT-FOR-US: WordPress plugin
CVE-2026-41485 (Kyverno is a policy engine designed for cloud native platform engineer ...)
- TODO: check
+ NOT-FOR-US: Kyverno
CVE-2026-41430 (Press, a Frappe custom app that runs Frappe Cloud, manages infrastruct ...)
- TODO: check
+ NOT-FOR-US: Press (Frapp app)
CVE-2026-41361 (OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability ...)
NOT-FOR-US: OpenClaw
CVE-2026-41360 (OpenClaw before 2026.4.2 contains an approval integrity vulnerability ...)
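Review bot: `NOT-FOR-US: Press (Frapp app)` for CVE-2026-41430 misspells the vendor; the description on the line above says "Press, a Frappe custom app", so the annotation should read `NOT-FOR-US: Press (Frappe app)` to keep the name greppable. CVE-2026-41317 later in this diff refers to the same app and should use the same spelling.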
@@ -490,7 +490,7 @@ CVE-2026-41357 (OpenClaw before 2026.3.31 contains an environment variable leaka
CVE-2026-41356 (OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions ...)
NOT-FOR-US: OpenClaw
CVE-2026-41355 (OpenShell before 2026.3.28 contains an arbitrary code execution vulner ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-41354 (OpenClaw before 2026.4.2 contains an insufficient scope vulnerability ...)
NOT-FOR-US: OpenClaw
CVE-2026-41353 (OpenClaw before 2026.3.22 contains an access control bypass vulnerabil ...)
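Review bot: the description of CVE-2026-41355 names the product "OpenShell", while the new annotation says `NOT-FOR-US: OpenClaw`, matching the surrounding OpenClaw entries rather than the CVE text. If OpenShell is a component of the same project the reason should say so (for example `NOT-FOR-US: OpenShell (OpenClaw)`); if it is a separate product, the annotation should name OpenShell so the NOT-FOR-US reason can be checked against the CVE.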
@@ -542,9 +542,9 @@ CVE-2026-41325 (Kirby is an open-source content management system. Kirby's user
CVE-2026-41324 (basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vu ...)
TODO: check
CVE-2026-41323 (Kyverno is a policy engine designed for cloud native platform engineer ...)
- TODO: check
+ NOT-FOR-US: Kyverno
CVE-2026-41319 (MailKit is a cross-platform mail client library built on top of MimeKi ...)
- TODO: check
+ NOT-FOR-US: MailKit
CVE-2026-41318 (AnythingLLM is an application that turns pieces of content into contex ...)
NOT-FOR-US: AnythingLLM
CVE-2026-41317 (Press, a Frappe custom app that runs Frappe Cloud, manages infrastruct ...)
@@ -552,7 +552,7 @@ CVE-2026-41317 (Press, a Frappe custom app that runs Frappe Cloud, manages infra
CVE-2026-41316 (ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was ...)
TODO: check
CVE-2026-41309 (Open Source Social Network (OSSN) is open-source social networking sof ...)
- TODO: check
+ NOT-FOR-US: Open Source Social Network (OSSN)
CVE-2026-41305 (PostCSS takes a CSS file and provides an API to analyze and modify its ...)
TODO: check
CVE-2026-41279 (Flowise is a drag & drop user interface to build a customized large la ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c1692df60d012401b656170156dea6972972f09