[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat Apr 25 00:10:17 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d92aa138 by Moritz Muehlenhoff at 2026-04-25T01:09:15+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -136,7 +136,7 @@ CVE-2026-41066 (lxml is a library for processing XML and HTML in the Python lang
NOTE: https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
NOTE: https://bugs.launchpad.net/lxml/+bug/2146291
CVE-2026-40897 (Math.js is an extensive math library for JavaScript and Node.js. From ...)
- TODO: check
+ NOT-FOR-US: Math.js
CVE-2026-40690 (The asset dependency graph did not restrict nodes by the viewer's DAG ...)
- airflow <itp> (bug #819700)
CVE-2026-40609
@@ -146,9 +146,9 @@ CVE-2026-3569 (The Liaison Site Prober plugin for WordPress is vulnerable to Inf
CVE-2026-3565 (The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Fo ...)
NOT-FOR-US: WordPress plugin
CVE-2026-39920 (BridgeHead FileStore versions prior to 24A (released in early 2024) ex ...)
- TODO: check
+ NOT-FOR-US: BridgeHead FileStore
CVE-2026-38743 (The authenticated /ui/dagsendpoint did not enforce per-DAG access cont ...)
- TODO: check
+ - airflow <itp> (bug #819700)
CVE-2026-33666 (Zserio is a framework for serializing structured data with a compact a ...)
NOT-FOR-US: Zserio
CVE-2026-33662 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion ...)
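Review bot: The CVE-2026-38743 change in this hunk replaces `TODO: check` with `- airflow <itp> (bug #819700)`, which is an ITP reference rather than a NOT-FOR-US marking, so the commit subject "NFUs" does not describe it. Consider mentioning the airflow entry in the commit message or committing it separately, so the triage history for that CVE is easy to find. The entry itself matches the form already used for CVE-2026-40690.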
@@ -631,37 +631,37 @@ CVE-2026-40623 (A vulnerability inSenseLiveX3050's web management interface allo
CVE-2026-40620 (A vulnerability inSenseLiveX3050\u2019s embedded management service al ...)
NOT-FOR-US: SenseLive
CVE-2026-40431 (A vulnerability exists inSenseLiveX3050\u2019s web management interfac ...)
- TODO: check
+ NOT-FOR-US: SenseLive
CVE-2026-40254 (FreeRDP is a free implementation of the Remote Desktop Protocol. Versi ...)
TODO: check
CVE-2026-40099 (Kirby is an open-source content management system. Kirby's user permis ...)
NOT-FOR-US: Kirby CMS
CVE-2026-39462 (A vulnerability exists inSenseLive X3050\u2019s web management interfa ...)
- TODO: check
+ NOT-FOR-US: SenseLive
CVE-2026-35503 (A vulnerability inSenseLive X3050\u2019s web management interface allo ...)
- TODO: check
+ NOT-FOR-US: SenseLive
CVE-2026-35431 (Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement M ...)
NOT-FOR-US: Microsoft
CVE-2026-35064 (A vulnerability inSenseLiveX3050\u2019s management ecosystem allows un ...)
- TODO: check
+ NOT-FOR-US: SenseLive
CVE-2026-34587 (Kirby is an open-source content management system. Prior to versions 4 ...)
NOT-FOR-US: Kirby CMS
CVE-2026-33819 (Deserialization of untrusted data in Microsoft Bing allows an unauthor ...)
NOT-FOR-US: Microsoft
CVE-2026-33318 (Actual is a local-first personal finance tool. Prior to version 26.4.0 ...)
- TODO: check
+ NOT-FOR-US: Actual
CVE-2026-33317 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion ...)
TODO: check
CVE-2026-33208 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
- TODO: check
+ NOT-FOR-US: Roxy-WI
CVE-2026-33102 (Url redirection to untrusted site ('open redirect') in M365 Copilot al ...)
NOT-FOR-US: Microsoft
CVE-2026-33078 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
- TODO: check
+ NOT-FOR-US: Roxy-WI
CVE-2026-33077 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
- TODO: check
+ NOT-FOR-US: Roxy-WI
CVE-2026-33076 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
- TODO: check
+ NOT-FOR-US: Roxy-WI
CVE-2026-32952 (go-ntlmssp is a Go package that provides NTLM/Negotiate authentication ...)
TODO: check
CVE-2026-32870 (Kirby is an open-source content management system. Kirby's `Xml::value ...)
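Review bot: The label `NOT-FOR-US: Actual` on CVE-2026-33318 is a common English word, unlike the other product labels in this hunk (`SenseLive`, `Roxy-WI`), so it is hard to search for and easy to misread. A more specific label that says what the product is, drawing on the description's "local-first personal finance tool", would be clearer.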
@@ -683,21 +683,21 @@ CVE-2026-2028 (The MaxiBlocks Builder plugin for WordPress is vulnerable to arbi
CVE-2026-29197 (In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, ...)
TODO: check
CVE-2026-29051 (melange allows users to build apk packages using declarative pipelines ...)
- TODO: check
+ NOT-FOR-US: melange
CVE-2026-29050 (melange allows users to build apk packages using declarative pipelines ...)
- TODO: check
+ NOT-FOR-US: melange
CVE-2026-28525 (SWUpdate contains an integer underflow vulnerability in the multipart ...)
TODO: check
CVE-2026-27843 (A vulnerability exists inSenseLive X3050's web management interface th ...)
- TODO: check
+ NOT-FOR-US: SenseLive
CVE-2026-27841 (A vulnerability inSenseLiveX3050's web management interface allows sta ...)
- TODO: check
+ NOT-FOR-US: SenseLive
CVE-2026-26210 (KTransformers through 0.5.3 contains an unsafe deserialization vulnera ...)
TODO: check
CVE-2026-26150 (Server-side request forgery (ssrf) in Microsoft Purview allows an unau ...)
NOT-FOR-US: Microsoft
CVE-2026-25874 (LeRobot through 0.5.1 contains an unsafe deserialization vulnerability ...)
- TODO: check
+ NOT-FOR-US: LeRobot
CVE-2026-25775 (A vulnerability inSenseLiveX3050\u2019s remote management service allo ...)
NOT-FOR-US: SenseLive
CVE-2026-25720 (A vulnerability exists inSenseLive X3050\u2019s web management interf ...)
@@ -777,25 +777,25 @@ CVE-2026-40891 (OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.
CVE-2026-40886 (Argo Workflows is an open source container-native workflow engine for ...)
NOT-FOR-US: Argo
CVE-2026-40472 (In hackage-server, user-controlled metadata from .cabal files are rend ...)
- TODO: check
+ NOT-FOR-US: hackage-server
CVE-2026-40471 (hackage-server lacked Cross-Site Request Forgery (CSRF) protection acr ...)
- TODO: check
+ NOT-FOR-US: hackage-server
CVE-2026-40470 (A critical XSS vulnerability affected hackage-server and hackage.haske ...)
- TODO: check
+ NOT-FOR-US: hackage-server
CVE-2026-40182 (OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to b ...)
NOT-FOR-US: OpenTelemetry dotnet
CVE-2026-3960 (A critical remote code execution vulnerability exists in the unauthent ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3er
CVE-2026-3259 (A Generation of Error Message Containing Sensitive Information vulnera ...)
- TODO: check
+ NOT-FOR-US: BigQuery
CVE-2026-39440 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-39087 (An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to exe ...)
- TODO: check
+ NOT-FOR-US: ntfy.sh
CVE-2026-35225 (An unauthenticated remote attacker is able to exhaust all available TC ...)
NOT-FOR-US: CODESYS
CVE-2026-33694 (This vulnerability allows an attacker to create a junction, enabling t ...)
- TODO: check
+ NOT-FOR-US: Nessus
CVE-2026-31533 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux 6.19.13-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
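Review bot: The label on CVE-2026-3960, `NOT-FOR-US: h2oai/h2o-3er`, looks like it carries a stray `er` suffix; if the product is h2oai/h2o-3, the label should be corrected. The truncated description in this hunk does not show the product name, so it is worth checking against the full CVE record before changing it.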
@@ -849,9 +849,9 @@ CVE-2026-31159 (An issue was discovered in ToToLink A3300R firmware v17.0.0cu.55
CVE-2026-28040 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-23751 (Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (o ...)
- TODO: check
+ NOT-FOR-US: Kofax Capture
CVE-2025-70994 (Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a ...)
- TODO: check
+ NOT-FOR-US: Yadea T5 Electric Bicycles
CVE-2025-66286 (An API design flaw in WebKitGTK and WPE WebKit allows untrusted web co ...)
TODO: check
CVE-2025-62373 (Pipecat is an open-source Python framework for building real-time voic ...)
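Review bot: CVE-2026-23751 is labelled `NOT-FOR-US: Kofax Capture`, while the description says the product is now referred to as Tungsten Capture. Including the current name in the label, for example `Kofax Capture (Tungsten Capture)`, would keep it consistent with later entries filed under the new name.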
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d92aa13818dadb96673884057eea9ec792b2f50e