[Git][security-tracker-team/security-tracker][master] mongoose is in the archive now
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Apr 27 13:56:21 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dae97778 by Moritz Muehlenhoff at 2026-04-27T14:55:21+02:00
mongoose is in the archive now
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -259,9 +259,9 @@ CVE-2026-6988 (A flaw has been found in Tenda HG10 HG7_HG9_HG10re_300001138_en_x
CVE-2026-6987 (A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an u ...)
NOT-FOR-US: PicoClaw
CVE-2026-6986 (A security vulnerability has been detected in Cesanta Mongoose up to 7 ...)
- NOT-FOR-US: Cesenta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
CVE-2026-6985 (A weakness has been identified in Cesanta Mongoose up to 7.20. This vu ...)
- NOT-FOR-US: Cesenta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
CVE-2026-6984 (A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22. ...)
NOT-FOR-US: AstrBotDevs AstrBot
CVE-2026-6983 (A vulnerability was identified in pagekit up to 1.0.18. Affected by th ...)
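Review bot: the two `- mongoose <not-affected> (Fixed before or with initial upload)` lines for CVE-2026-6986 and CVE-2026-6985 carry no reference that lets the claim be checked; both descriptions say Mongoose up to 7.20 is affected, so a NOTE with the upstream issue or fixing commit and the release it landed in, as this same commit does for CVE-2025-65502 (`NOTE: https://github.com/cesanta/mongoose/commit/... (7.20)`), would record why the uploaded version is clear. The removed lines also spelled the vendor `Cesenta`; dropping the vendor name from the replacement is fine, but wherever it is kept the spelling is `Cesanta`, as in the CVE descriptions.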
@@ -12697,11 +12697,11 @@ CVE-2026-5327 (A security flaw has been discovered in efforthye fast-filesystem-
CVE-2026-5326 (A vulnerability was identified in SourceCodester Leave Application Sys ...)
NOT-FOR-US: SourceCodester
CVE-2026-5246 (A vulnerability was determined in Cesanta Mongoose up to 7.20. Affecte ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
CVE-2026-5245 (A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
CVE-2026-5244 (A vulnerability has been found in Cesanta Mongoose up to 7.20. This af ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
CVE-2026-5032 (The W3 Total Cache plugin for WordPress is vulnerable to information e ...)
NOT-FOR-US: WordPress plugin
CVE-2026-4636 (A flaw was found in Keycloak. An authenticated user with the uma_prote ...)
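Review bot: same gap for CVE-2026-5246, CVE-2026-5245 and CVE-2026-5244: each becomes `<not-affected> (Fixed before or with initial upload)` without a NOTE pointing at the upstream fix, while the descriptions again say up to 7.20 is affected. A fix reference per CVE, or one NOTE explaining how the uploaded version relates to 7.20, makes the disposition auditable later.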
@@ -27019,7 +27019,7 @@ CVE-2018-25196 (ServerZilla 1.0 contains an SQL injection vulnerability that all
CVE-2018-25194 (Nominas 0.27 contains an SQL injection vulnerability that allows unaut ...)
NOT-FOR-US: Nominas
CVE-2018-25193 (Mongoose Web Server 6.9 contains a denial of service vulnerability tha ...)
- NOT-FOR-US: Mongoose
+ NOTE: Bogus CVE for Mongoose
CVE-2018-25192 (GPS Tracking System 2.12 contains an SQL injection vulnerability that ...)
NOT-FOR-US: GPS Tracking System
CVE-2018-25191 (Facturation System 1.0 contains an SQL injection vulnerability that al ...)
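Review bot: the new `NOTE: Bogus CVE for Mongoose` line gives no reason and leaves "Mongoose" ambiguous, even though this commit separates Cesanta Mongoose from Mongoosejs elsewhere (CVE-2025-23061 gets `NOT-FOR-US: Mongoosejs`). The description names "Mongoose Web Server 6.9", so write the vendor out and say why the assignment is bogus, in the form used later in this patch: `NOTE: Bogus CVE assignment for Cesanta Mongoose, no actionable information` (or "dead reference", whichever applies).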
@@ -32308,11 +32308,11 @@ CVE-2026-2970 (A vulnerability has been found in datapizza-labs datapizza-ai 0.0
CVE-2026-2969 (A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected i ...)
NOT-FOR-US: datapizza-labs datapizza-ai
CVE-2026-2968 (A vulnerability was detected in Cesanta Mongoose up to 7.20. This impa ...)
- NOT-FOR-US: Cesenta Mongoose
+ - mongoose <unfixed>
CVE-2026-2967 (A security vulnerability has been detected in Cesanta Mongoose up to 7 ...)
- NOT-FOR-US: Cesenta Mongoose
+ - mongoose <unfixed>
CVE-2026-2966 (A weakness has been identified in Cesanta Mongoose up to 7.20. The imp ...)
- NOT-FOR-US: Cesenta Mongoose
+ - mongoose <unfixed>
CVE-2026-2965 (A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCR ...)
NOT-FOR-US: 07FLYCMS, 07FLY-CMS and 07FlyCRM
CVE-2026-2964 (A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1 ...)
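Review bot: CVE-2026-2968, CVE-2026-2967 and CVE-2026-2966 become `- mongoose <unfixed>` with neither a bug reference, a severity tag, nor a NOTE, while the other "up to 7.20" Mongoose CVEs in this commit (CVE-2026-5244 through CVE-2026-5246) are marked not-affected; nothing in the file records why these three differ. Add the upstream issue or advisory link as a NOTE and, following the conventions visible in this file (`- sngrep <unfixed> (unimportant)`, `(bug #1121415)`), either a bug number or a severity qualifier so the entries are tracked correctly now that the package is in the archive.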
@@ -70341,7 +70341,9 @@ CVE-2025-65998 (Apache Syncope can be configured to store the user password valu
CVE-2025-65503 (Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 a ...)
NOT-FOR-US: Redboltz async_mqtt
CVE-2025-65502 (Null pointer dereference in add_ca_certs() in Cesanta Mongoose before ...)
- NOT-FOR-US: Cesenta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/issues/3306
+ NOTE: https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2 (7.20)
CVE-2025-65501 (Null pointer dereference in coap_dtls_info_callback() in OISM libcoap ...)
- libcoap3 4.3.5-2 (bug #1121415)
[trixie] - libcoap3 4.3.4-1.1+deb13u2
@@ -89189,7 +89191,9 @@ CVE-2025-56233 (Openindiana, kernel SunOS 5.11 has a denial of service vulnerabi
CVE-2025-55795 (The openml/openml.org web application version v2.0.20241110 uses incre ...)
NOT-FOR-US: openml/openml.org web application
CVE-2025-51495 (An integer overflow vulnerability exists in the WebSocket component of ...)
- NOT-FOR-US: Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/pull/3131
+ NOTE: https://github.com/cesanta/mongoose/commit/cdc439bc38570048541b2ac6b9c326da87bf4a0a (7.18)
CVE-2025-43400 (An out-of-bounds write issue was addressed with improved bounds checki ...)
NOT-FOR-US: Apple
CVE-2025-41252 (Description: VMware NSX contains a username enumeration vulnerability. ...)
@@ -173870,7 +173874,7 @@ CVE-2024-11029 (A flaw was found in the FreeIPA API audit, where it sends the wh
CVE-2024-10775 (The Piotnet Addons For Elementor plugin for WordPress is vulnerable to ...)
NOT-FOR-US: WordPress plugin
CVE-2025-23061 (Mongoose before 8.9.5 can improperly use a nested $where filter with a ...)
- NOT-FOR-US: Mongoose
+ NOT-FOR-US: Mongoosejs
CVE-2025-23013 (In Yubico pam-u2f before 1.3.1, local privilege escalation can sometim ...)
{DSA-5853-1 DLA-4040-1}
- pam-u2f 1.3.1-1
@@ -186556,7 +186560,7 @@ CVE-2024-53981 (python-multipart is a streaming multipart parser for Python. Whe
NOTE: Fixed by: https://github.com/Kludex/python-multipart/commit/9205a0ec8c646b9f705430a6bfb52bd957b76c19 (0.0.18)
NOTE: Fixed by: https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177 (0.0.19)
CVE-2024-53900 (Mongoose before 8.8.3 can improperly use $where in match, leading to s ...)
- NOT-FOR-US: Mongoose
+ NOT-FOR-US: Mongoosejs
CVE-2024-53862 (Argo Workflows is an open source container-native workflow engine for ...)
NOT-FOR-US: Argo Workflows
CVE-2024-53793 (Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Eas ...)
@@ -190795,25 +190799,25 @@ CVE-2024-43416 (GLPI is a free asset and IT management software package. Startin
NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7
NOTE: https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d
CVE-2024-42392 (Improper Neutralization of Delimiters vulnerability in Cesanta Mongoos ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42391 (Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose W ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42390 (Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose W ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42389 (Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose W ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42388 (Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose W ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42387 (Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose W ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42386 (Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose W ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42385 (Improper Neutralization of Delimiters vulnerability in Cesanta Mongoos ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42384 (Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web S ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-42383 (Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose W ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, no actionable information
CVE-2024-41974 (A low privileged remote attackermay modify the BACNet service properti ...)
NOT-FOR-US: WAGO
CVE-2024-41973 (A low privileged remote attacker canspecify an arbitrary file on the f ...)
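Review bot: all ten new NOTE lines (CVE-2024-42383 through CVE-2024-42392) spell the vendor `Cesenta`; the CVE descriptions in the context lines and the github.com/cesanta URLs used elsewhere in this commit spell it `Cesanta`. The removed lines had the same typo, so the replacement keeps rather than fixes it; correct it here and in the identical NOTE for CVE-2024-35492 further down. A link to whatever established that the assignments are bogus would also help, since "no actionable information" is otherwise not verifiable from the entry.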
@@ -235902,7 +235906,7 @@ CVE-2024-36016 (In the Linux kernel, the following vulnerability has been resolv
CVE-2024-35512 (hmq v1.5.5 is vulnerable to Denial of Service (DoS) due to a Null Poin ...)
NOT-FOR-US: hmq
CVE-2024-35492 (Cesanta Mongoose commit b316989 was discovered to contain a NULL point ...)
- NOT-FOR-US: Cesenta Mongoose
+ NOTE: Bogus CVE assignment for Cesenta Mongoose, never reported upstream and dead reference
CVE-2024-35434 (Irontec Sngrep v1.8.1 was discovered to contain a heap buffer overflow ...)
- sngrep <unfixed> (unimportant)
NOTE: https://github.com/inputzero/Security-Advisories/blob/main/CVE-XXXX-XXXX.md
@@ -304301,7 +304305,7 @@ CVE-2023-33934 (Improper Input Validation vulnerability in Apache Software Found
- trafficserver 9.2.2+ds-1 (bug #1043430)
NOTE: https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc
CVE-2023-2905 (Due to a failure in validating the length of a provided MQTT_CMD_PUBLI ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
CVE-2023-3223 (A flaw was found in undertow. Servlets annotated with @MultipartConfig ...)
- undertow 2.3.18-1 (bug #1054893)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209689
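Review bot: CVE-2023-2905 is marked `<not-affected> (Fixed before or with initial upload)` without an accompanying NOTE; the entry for CVE-2023-34188 in this same patch shows the preferred shape, a NOTE with the fixing commit and the release it shipped in (`(7.10)`). Add the equivalent reference here, since the truncated description ("failure in validating the length of a provided MQTT_CMD_PUBLI...") does not itself say which version fixed it.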
@@ -307359,7 +307363,7 @@ CVE-2015-10122 (A vulnerability was found in wp-donate Plugin up to 1.4 on WordP
CVE-2023-3700 (Authorization Bypass Through User-Controlled Key in GitHub repository ...)
NOT-FOR-US: easyappointments
CVE-2023-3696 (Prototype Pollution in GitHub repository automattic/mongoose prior to ...)
- NOT-FOR-US: Mongoose
+ NOT-FOR-US: Mongoosejs
CVE-2023-3695 (A vulnerability classified as critical has been found in Campcodes Bea ...)
NOT-FOR-US: Campcodes Beauty Salon Management System
CVE-2023-3694 (A vulnerability, which was classified as critical, has been found in S ...)
@@ -310440,7 +310444,8 @@ CVE-2023-34460 (Tauri is a framework for building binaries for all major desktop
CVE-2023-34203 (In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explo ...)
NOT-FOR-US: Progress OpenEdge OEM
CVE-2023-34188 (The HTTP server in Mongoose before 7.10 accepts requests containing ne ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f (7.10)
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2023-34021 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moy ...)
NOT-FOR-US: WordPress plugin
@@ -380264,7 +380269,7 @@ CVE-2022-2566 (A heap out-of-bounds memory write exists in FFMPEG since version
CVE-2022-2565 (The Simple Payment Donations & Subscriptions WordPress plugin before 4 ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2564 (Prototype Pollution in GitHub repository automattic/mongoose prior to ...)
- NOT-FOR-US: Mongoose
+ NOT-FOR-US: Mongoosejs
CVE-2022-2563 (The Tutor LMS WordPress plugin before 2.0.10 does not escape some cour ...)
NOT-FOR-US: WordPress plugin
CVE-2022-37008 (The recovery module has a vulnerability of bypassing the verification ...)
@@ -480911,13 +480916,19 @@ CVE-2021-26532
CVE-2021-26531
RESERVED
CVE-2021-26530 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compile ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/issues/1204
+ NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2021-26529 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7- ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/issues/1203
+ NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2021-26528 (The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/issues/1203
+ NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2021-26527
RESERVED
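Review bot: CVE-2021-26528 (mg_http_serve_file) is given `NOTE: https://github.com/cesanta/mongoose/issues/1203`, the same issue number as CVE-2021-26529 (mg_tls_init), while CVE-2021-26530, also mg_tls_init, points at issues/1204. Two different functions sharing one issue while two reports on the same function get different ones looks like a copy-and-paste slip; please verify the issue number for CVE-2021-26528 before this lands. The single fix commit 8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1) cited for all three may well be right, but deserves the same check.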
@@ -514297,7 +514308,8 @@ CVE-2020-25889 (Online Bus Booking System Project Using PHP/MySQL version 1.0 ha
CVE-2020-25888
RESERVED
CVE-2020-25887 (Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when r ...)
- NOT-FOR-US: Cesenta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/issues/1140
CVE-2020-25886
RESERVED
CVE-2020-25885
@@ -514631,7 +514643,8 @@ CVE-2020-25758 (An issue was discovered on D-Link DSR-250 3.17 devices. Insuffic
CVE-2020-25757 (A lack of input validation and access controls in Lua CGIs on D-Link D ...)
NOT-FOR-US: D-Link
CVE-2020-25756 (A buffer overflow vulnerability exists in the mg_get_http_header funct ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/issues/1135
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2020-25755 (An issue was discovered on Enphase Envoy R3.x and D4.x (and other curr ...)
NOT-FOR-US: Enphase Envoy
@@ -576902,7 +576915,8 @@ CVE-2019-19308 (In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.
NOTE: https://gitlab.gnome.org/GNOME/sushi/-/commit/74e95963bd088b62f4f1de381c1e3ce45bbd5615
NOTE: Crash in GUI tool, no security impact
CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6. ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/issues/1055
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2019-19306 (The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via m ...)
NOT-FOR-US: Zoho CRM Lead Magnet plugin for WordPress
@@ -598596,7 +598610,8 @@ CVE-2019-13504 (There is an out-of-bounds read in Exiv2::MrwImage::readMetadata
NOTE: https://github.com/Exiv2/exiv2/pull/946 (complementary fix)
NOTE: https://github.com/Exiv2/exiv2/commit/54f0bebca032d0286a0e48f47e67dfc6141fedff
CVE-2019-13503 (mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer o ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/pull/1035
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2019-13502
RESERVED
@@ -600200,7 +600215,8 @@ CVE-2019-12953 (Dropbear 2011.54 through 2018.76 has an inconsistent failure del
CVE-2019-12952
RESERVED
CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...)
- NOT-FOR-US: Cesanta Mongoose
+ - mongoose <not-affected> (Fixed before or with initial upload)
+ NOTE: https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb (6.15)
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the sources/items. ...)
- teampass <itp> (bug #730180)
@@ -627323,19 +627339,19 @@ CVE-2018-20357 (A NULL pointer dereference was discovered in sbr_process_channel
NOTE: https://github.com/knik0/faad2/issues/28
NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c
CVE-2018-20356 (An invalid read of 8 bytes due to a use-after-free vulnerability in th ...)
- NOT-FOR-US: Cesanta Mongoose
+ NOTE: Historic bug report against Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2018-20355 (An invalid write of 8 bytes due to a use-after-free vulnerability in t ...)
- NOT-FOR-US: Cesanta Mongoose
+ NOTE: Historic bug report against Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2018-20354 (An invalid read of 8 bytes due to a use-after-free vulnerability durin ...)
- NOT-FOR-US: Cesanta Mongoose
+ NOTE: Historic bug report against Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2018-20353 (An invalid read of 8 bytes due to a use-after-free vulnerability durin ...)
- NOT-FOR-US: Cesanta Mongoose
+ NOTE: Historic bug report against Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2018-20352 (Use-after-free vulnerability in the mg_cgi_ev_handler function in mong ...)
- NOT-FOR-US: Cesanta Mongoose
+ NOTE: Historic bug report against Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2018-20351 (The Markdown component in Evernote (Chinese) before 8.3.2 on macOS all ...)
NOT-FOR-US: Evernote
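Review bot: CVE-2018-20352 through CVE-2018-20356 (and CVE-2018-19587 in the next hunk) lose their NOT-FOR-US line and gain only `NOTE: Historic bug report against Cesanta Mongoose`, so the mongoose package now has no disposition recorded for them at all. "Historic" does not say whether the affected code was fixed or removed before the version uploaded to Debian. Either mark them `- mongoose <not-affected> (...)` with a short reason, as the rest of this commit does for the older 6.x CVEs, or extend the NOTE to state explicitly that the bug is fixed or the code is gone, so a later reader does not have to re-derive it.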
@@ -635904,7 +635920,7 @@ CVE-2018-19589 (Incorrect Access Controls of Security Officer (SO) in PKCS11 R2
CVE-2018-19588 (Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control.)
NOT-FOR-US: Alarm.com ADC-V522IR 0100b9 devices
CVE-2018-19587 (In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_a ...)
- NOT-FOR-US: Cesanta Mongoose
+ NOTE: Historic bug report against Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2018-19586 (Silverpeas 5.15 through 6.0.2 is affected by an authenticated Director ...)
NOT-FOR-US: Silverpeas
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dae977786f07abe8f1ae2f6bc6da4b3b1504a519