[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 30 20:13:47 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d1999ad5 by security tracker role at 2026-04-30T19:13:40+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,10 +1,150 @@
+CVE-2026-7500 (When Keycloak is started with `--features-disabled=account,account-api ...)
+ TODO: check
+CVE-2026-7461 (Improper neutralization of inputs used in an OS command in the FSx Win ...)
+ TODO: check
+CVE-2026-7402 (Improper Control of Interaction Frequency vulnerability in MeWare Soft ...)
+ TODO: check
+CVE-2026-7399 (Authorization bypass through User-Controlled key vulnerability in MeWa ...)
+ TODO: check
+CVE-2026-7382 (Exposure of Sensitive Information to an Unauthorized Actor, Exposure o ...)
+ TODO: check
+CVE-2026-7270 (An operator precedence bug in the kernel results in a scenario where a ...)
+ TODO: check
+CVE-2026-7246 (Pallets Click, versions 8.3.2 and below, contain a command injection v ...)
+ TODO: check
+CVE-2026-7164 (Incorrect packet validation allowed unbounded recursion parsing SCTP c ...)
+ TODO: check
+CVE-2026-7163 (A vulnerability in the assisted-service REST API, an optional Assisted ...)
+ TODO: check
+CVE-2026-6498 (The Five Star Restaurant Reservations plugin for WordPress is vulnerab ...)
+ TODO: check
+CVE-2026-5174 (Improper input validation vulnerability in Progress Software MOVEit Au ...)
+ TODO: check
+CVE-2026-5080 (Dancer::Session::Abstract versions through 1.3522 for Perl generates s ...)
+ TODO: check
+CVE-2026-4670 (Authentication bypass by primary weakness vulnerability in Progress So ...)
+ TODO: check
+CVE-2026-42800 (NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux ...)
+ TODO: check
+CVE-2026-42799 (Out-of-bounds read vulnerability in ASR Kestrel (nr_fw modules) allows ...)
+ TODO: check
+CVE-2026-42798 (Little CMS (lcms2) 2.16 through 2.18 before 2.19 has an integer overfl ...)
+ TODO: check
+CVE-2026-42512 (As dhclient is building an environment to pass to dhclient-script, it ...)
+ TODO: check
+CVE-2026-42511 (The BOOTP file field is written to the lease file without escaping emb ...)
+ TODO: check
+CVE-2026-41882 (In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, ...)
+ TODO: check
+CVE-2026-41016 (Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMT ...)
+ TODO: check
+CVE-2026-40904 (Chartbrew is an open-source web application that can connect directly ...)
+ TODO: check
+CVE-2026-40603 (Chartbrew is an open-source web application that can connect directly ...)
+ TODO: check
+CVE-2026-40601 (Chartbrew is an open-source web application that can connect directly ...)
+ TODO: check
+CVE-2026-40600 (Chartbrew is an open-source web application that can connect directly ...)
+ TODO: check
+CVE-2026-40595 (Chartbrew is an open-source web application that can connect directly ...)
+ TODO: check
+CVE-2026-39457 (When exchanging data over a socket, libnv uses select(2) to wait for d ...)
+ TODO: check
+CVE-2026-38940 (Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 a ...)
+ TODO: check
+CVE-2026-38939 (Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 ...)
+ TODO: check
+CVE-2026-36960 (A Cross-Site Request Forgery (CSRF) vulnerability exists in the web ma ...)
+ TODO: check
+CVE-2026-36959 (U-SPEED N300 router V1.0.0 does not implement rate limiting or account ...)
+ TODO: check
+CVE-2026-36958 (A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wi ...)
+ TODO: check
+CVE-2026-36957 (Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable ...)
+ TODO: check
+CVE-2026-36956 (A Cross-Site Request Forgery (CSRF) vulnerability exists in the web ma ...)
+ TODO: check
+CVE-2026-36767 (A path traversal vulnerability in the /content/images/add endpoint of ...)
+ TODO: check
+CVE-2026-36766 (Multiple authenticated cross-site scripting (XSS) vulnerabilities in t ...)
+ TODO: check
+CVE-2026-36765 (An XML external entity (XXE) vulnerability in the /designer/loadReport ...)
+ TODO: check
+CVE-2026-36764 (A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testCo ...)
+ TODO: check
+CVE-2026-36763 (A stored cross-site scripting (XSS) vulnerability in the /api/blade-de ...)
+ TODO: check
+CVE-2026-36762 (An issue in the fileEntityId parameter in the /a/file/upload endpoint ...)
+ TODO: check
+CVE-2026-36761 (A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner ...)
+ TODO: check
+CVE-2026-36760 (An issue in the fileMd5 parameter in the /a/file/upload endpoint of Je ...)
+ TODO: check
+CVE-2026-36759 (A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-fro ...)
+ TODO: check
+CVE-2026-36758 (A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri ...)
+ TODO: check
+CVE-2026-36757 (A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-fr ...)
+ TODO: check
+CVE-2026-36756 (A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-ur ...)
+ TODO: check
+CVE-2026-36340 (An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote at ...)
+ TODO: check
+CVE-2026-35547 (When processing the header of an incoming message, libnv failed to pro ...)
+ TODO: check
+CVE-2026-35514 (Chartbrew is an open-source web application that can connect directly ...)
+ TODO: check
+CVE-2026-34998
+ REJECTED
+CVE-2026-34997
+ REJECTED
+CVE-2026-34996
+ REJECTED
+CVE-2026-34995
+ REJECTED
+CVE-2026-34994
+ REJECTED
+CVE-2026-32148 (Insufficient Verification of Data Authenticity vulnerability in hexpm ...)
+ TODO: check
+CVE-2026-31693 (In the Linux kernel, the following vulnerability has been resolved: c ...)
+ TODO: check
+CVE-2026-2892 (The Otter Blocks plugin for WordPress is vulnerable to Purchase Verifi ...)
+ TODO: check
+CVE-2026-22070 (ColorOS Assistant has an unauthenticated start-download channel, leadi ...)
+ TODO: check
+CVE-2026-1493 (LEX Baza Dokument\xf3w is vulnerable to DOM-based XSS in "em"cookie pa ...)
+ TODO: check
+CVE-2025-71284 (Synway SMG Gateway Management Software contains an OS command injectio ...)
+ TODO: check
+CVE-2025-51850
+ REJECTED
+CVE-2025-51849
+ REJECTED
+CVE-2025-51847
+ REJECTED
+CVE-2025-51846 (CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, un ...)
+ TODO: check
+CVE-2025-14576 (Insufficient validation of node IDs in Qt SVG module allows arbitrary ...)
+ TODO: check
+CVE-2025-14543 (Improper Restriction of XML External Entity Reference vulnerability in ...)
+ TODO: check
+CVE-2025-13890
+ REJECTED
+CVE-2024-39847 (Unauthenticated attackers can exploit a weakness in the XML parser fun ...)
+ TODO: check
+CVE-2024-13971 (Unauthenticated attackers can exploit a weakness in the XML parser fun ...)
+ TODO: check
+CVE-2022-50993 (Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an un ...)
+ TODO: check
+CVE-2022-50992 (Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitr ...)
+ TODO: check
CVE-2026-39402
- lxc <removed>
[trixie] - lxc <no-dsa> (Minor issue)
[bookworm] - lxc <no-dsa> (Minor issue)
NOTE: https://github.com/lxc/lxc/security/advisories/GHSA-3m9j-g9gc-vcvq
NOTE: https://github.com/lxc/lxc/pull/4678
-CVE-2026-31692 [rtnetlink: add missing netlink_ns_capable() check for peer netns]
+CVE-2026-31692 (In the Linux kernel, the following vulnerability has been resolved: r ...)
- linux 6.19.14-1
NOTE: https://git.kernel.org/linus/7b735ef81286007794a227ce2539419479c02a5f (7.0)
CVE-2026-42208
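Review bot: CVE-2026-31693 is left at `TODO: check` although its description carries the same "In the Linux kernel, the following vulnerability has been resolved" prefix as CVE-2026-31692 further down in this hunk, which this very update already triages to `- linux 6.19.14-1` with a git.kernel.org NOTE; triage the new kernel entry the same way (source package `linux`, fixed version, upstream commit) instead of leaving it in the TODO queue. Related: replacing the hand-written placeholder `[rtnetlink: add missing netlink_ns_capable() check for peer netns]` with the truncated CVE text drops the only mention of the affected subsystem from the entry, so consider keeping that subject line in a NOTE next to the kernel commit link. Also, CVE-2026-42512 and CVE-2026-42511 both describe dhclient lease-file / environment handling and should be checked together so they end up on the same source package with consistent annotations.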
@@ -333,7 +473,7 @@ CVE-2018-25298 (Merge PACS 7.0 contains a cross-site request forgery vulnerabili
CVE-2026-5419
- gnutls28 <unfixed>
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-13
-CVE-2026-3832
+CVE-2026-3832 (A flaw was found in gnutls. A remote attacker could exploit this vulne ...)
- gnutls28 <unfixed>
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-12
CVE-2026-42015
@@ -354,13 +494,13 @@ CVE-2026-42012
CVE-2026-42011
- gnutls28 <unfixed>
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-6
-CVE-2026-3833
+CVE-2026-3833 (A flaw was found in gnutls. This vulnerability occurs because gnutls p ...)
- gnutls28 <unfixed>
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-5
CVE-2026-42010
- gnutls28 <unfixed>
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-4
-CVE-2026-33845
+CVE-2026-33845 (A flaw in GnuTLS DTLS handshake parsing allows malformed fragments wit ...)
- gnutls28 <unfixed>
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-3
CVE-2026-42009
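Review bot: every gnutls28 entry in this hunk (CVE-2026-42011, CVE-2026-3833, CVE-2026-42010, CVE-2026-33845) stays at `<unfixed>` with only the GNUTLS-SA anchor as reference and no [trixie]/[bookworm] lines, and the new description for CVE-2026-33845 ("GnuTLS DTLS handshake parsing allows malformed fragments ...") describes a bug reachable from the network before authentication; once the upstream fix commit or fixed gnutls version is known, add it as a NOTE and annotate the stable suites (no-dsa / DSA pending), as the lxc entry CVE-2026-39402 in the first hunk already does.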
@@ -911,27 +1051,27 @@ CVE-2026-23560
CVE-2026-23559
- xen-api <removed>
NOTE: https://xenbits.xen.org/xsa/advisory-489.html
-CVE-2026-7324 (Memory safety bugs present in Firefox 150.0.0. Some of these bugs show ...)
+CVE-2026-7324 (Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs ...)
- firefox 150.0.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-35/#CVE-2026-7324
-CVE-2026-7323 (Memory safety bugs present in Firefox ESR 140.10.0 and Firefox 150.0.0 ...)
- {DSA-6236-1}
+CVE-2026-7323 (Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird ...)
+ {DSA-6236-1 DLA-4555-1}
- firefox 150.0.1-1
- firefox-esr 140.10.1esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-35/#CVE-2026-7323
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-36/#CVE-2026-7323
-CVE-2026-7322 (Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10 ...)
- {DSA-6236-1}
+CVE-2026-7322 (Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird ...)
+ {DSA-6236-1 DLA-4555-1}
- firefox 150.0.1-1
- firefox-esr 140.10.1esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-35/#CVE-2026-7322
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-36/#CVE-2026-7322
CVE-2026-7321 (Sandbox escape due to incorrect boundary conditions in the WebRTC: Net ...)
- {DSA-6236-1}
+ {DSA-6236-1 DLA-4555-1}
- firefox-esr 140.10.1esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-36/#CVE-2026-7321
CVE-2026-7320 (Information disclosure due to incorrect boundary conditions in the Aud ...)
- {DSA-6236-1}
+ {DSA-6236-1 DLA-4555-1}
- firefox 150.0.1-1
- firefox-esr 140.10.1esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-35/#CVE-2026-7320
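Review bot: the re-pulled descriptions for CVE-2026-7324, CVE-2026-7323 and CVE-2026-7322 now read "Thunderbird" instead of "Firefox" (and 7322 no longer mentions Firefox ESR 115.35.0), yet the package lines stay `firefox` / `firefox-esr` and the NOTEs only point at mfsa2026-35 and mfsa2026-36; since Mozilla reuses these memory-safety CVEs across the Firefox and Thunderbird advisories, check whether a `thunderbird` source-package line and the matching MFSA NOTE belong on these entries. The DLA-4555-1 reference added next to DSA-6236-1 is present on 7323, 7322, 7321 and 7320 but not on 7324, which is consistent with 7324 carrying no firefox-esr line; worth a quick confirmation that this is intended.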
@@ -1104,7 +1244,7 @@ CVE-2026-23557
- xen <unfixed> (unimportant)
NOTE: https://xenbits.xen.org/xsa/advisory-484.html
NOTE: Debian uses the ocaml-based xenstored
-CVE-2026-31786
+CVE-2026-31786 (In the Linux kernel, the following vulnerability has been resolved: B ...)
- linux <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-485.html
CVE-2026-23558
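Review bot: CVE-2026-31786 is a Linux kernel CVE (same "In the Linux kernel, the following vulnerability has been resolved" prefix) marked `linux <unfixed>`, but its only NOTE is the Xen advisory XSA-485; add the git.kernel.org fix commit and the kernel version it landed in, as done for CVE-2026-31692 earlier in this diff, so the `<unfixed>` state can be resolved once the Debian kernel picks it up. The same applies to CVE-2026-31787 (XSA-487) in the following hunk.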
@@ -1113,7 +1253,7 @@ CVE-2026-23558
[bookworm] - xen <no-dsa> (Minor issue)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
NOTE: https://xenbits.xen.org/xsa/advisory-486.html
-CVE-2026-31787
+CVE-2026-31787 (In the Linux kernel, the following vulnerability has been resolved: x ...)
- linux <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-487.html
CVE-2026-41636 (Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings ...)
@@ -30336,7 +30476,7 @@ CVE-2026-21424 (Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9
NOT-FOR-US: Dell / EMC
CVE-2026-21423 (Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0. ...)
NOT-FOR-US: Dell / EMC
-CVE-2026-21422 (Dell PowerScale OneFS, versions 9.10.0.0 through 9.10.1.5 and versions ...)
+CVE-2026-21422 (Dell PowerScale OneFS, versions 9.10.0.0 through 9.13.1.0, contains an ...)
NOT-FOR-US: Dell / EMC
CVE-2026-21421 (Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0. ...)
NOT-FOR-US: Dell / EMC
@@ -840357,7 +840497,7 @@ CVE-2013-1817 (MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an erro
CVE-2013-1816 (MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attacke ...)
- mediawiki 1:1.19.4-1
[squeeze] - mediawiki <end-of-life>
-CVE-2013-1815 (PackStack 2012.2.3 in Red Hat OpenStack Essex and Folsom can create th ...)
+CVE-2013-1815 (A flaw was found in PackStack. This vulnerability allows a local user ...)
NOT-FOR-US: OpenStack PackStack
CVE-2013-1814 (The users/get program in the User RPC API in Apache Rave 0.11 through ...)
NOT-FOR-US: Apache Rave
@@ -845186,7 +845326,7 @@ CVE-2013-0268 (The msr_open function in arch/x86/kernel/msr.c in the Linux kerne
- linux-2.6 2.6.32-48squeeze1
CVE-2013-0267 (The Privileges portion of the web GUI and the XMLRPC API in Apache VCL ...)
NOT-FOR-US: Apache VCL
-CVE-2013-0266 (manifests/base.pp in the puppetlabs-cinder module, as used in PackStac ...)
+CVE-2013-0266 (A flaw was found in the `puppetlabs-cinder` module, as used in PackSta ...)
NOT-FOR-US: Openstack Packstack
CVE-2013-0265 (The redirect_stderr function in xnbd_common.c in xnbd-server and xndb- ...)
- xnbd 0.1.0-pre-hg20-e75b93a47722-3 (low)
@@ -845203,7 +845343,7 @@ CVE-2013-0262 (rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x be
- ruby-rack 1.4.1-2.1 (bug #700173)
- librack-ruby <not-affected> (Introduced in 1.4.0, see #700226)
NOTE: Patches in git, commit 6f237e4c9fab649d3750482514f0fde76c56ab30
-CVE-2013-0261 ((1) installer/basedefs.py and (2) modules/ospluginutils.py in PackStac ...)
+CVE-2013-0261 (A flaw was found in PackStack. A local user could exploit a symlink at ...)
NOT-FOR-US: Openstack Packstack
CVE-2013-0260 (Unspecified vulnerability in the Drush Debian Packaging module for Dru ...)
NOT-FOR-US: Drupal module debuild
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1999ad55a6997bce45ed63e7ad135579e782788