[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Feb 17 20:16:46 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0ab99d26 by security tracker role at 2026-02-17T20:16:35+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,120 @@
-CVE-2026-25087 [Potential use-after-free when reading IPC file with pre-buffering]
+CVE-2026-2630 (A Command Injection vulnerability exists where an authenticated, remot ...)
+ TODO: check
+CVE-2026-2620 (A weakness has been identified in Huace Monitoring and Early Warning S ...)
+ TODO: check
+CVE-2026-2618 (A vulnerability was determined in Beetel 777VR1 up to 01.00.09. This i ...)
+ TODO: check
+CVE-2026-2617 (A vulnerability was found in Beetel 777VR1 up to 01.00.09. This affect ...)
+ TODO: check
+CVE-2026-2616 (A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The im ...)
+ TODO: check
+CVE-2026-2615 (A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affect ...)
+ TODO: check
+CVE-2026-2608 (The Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor pl ...)
+ TODO: check
+CVE-2026-2247 (SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in t ...)
+ TODO: check
+CVE-2026-26736 (TOTOLINK A3002RU_V3 V3.0.0-B20220304.1804 was discovered to contain a ...)
+ TODO: check
+CVE-2026-26732 (TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a sta ...)
+ TODO: check
+CVE-2026-26731 (TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a sta ...)
+ TODO: check
+CVE-2026-25903 (Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updatin ...)
+ TODO: check
+CVE-2026-24734 (Improper Input Validation vulnerability in Apache Tomcat Native, Apach ...)
+ TODO: check
+CVE-2026-24733 (Improper Input Validation vulnerability in Apache Tomcat. Tomcat did ...)
+ TODO: check
+CVE-2026-23861 (Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Im ...)
+ TODO: check
+CVE-2026-23648 (Glory RBG-100 recycler systems using the ISPK-08 software component co ...)
+ TODO: check
+CVE-2026-23647 (Glory RBG-100 recycler systems using the ISPK-08 software component co ...)
+ TODO: check
+CVE-2026-22769 (Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, ...)
+ TODO: check
+CVE-2026-22208 (OpenS100 (the reference implementation S-100 viewer) prior to commit 7 ...)
+ TODO: check
+CVE-2026-1452
+ REJECTED
+CVE-2026-1216 (The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cro ...)
+ TODO: check
+CVE-2026-0102 (Under specific conditions, a malicious webpage may trigger autofill po ...)
+ TODO: check
+CVE-2025-8303 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-7706 (Missing Authentication for Critical Function vulnerability in TUBITAK ...)
+ TODO: check
+CVE-2025-7631 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-70846 (lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on th ...)
+ TODO: check
+CVE-2025-70830 (A Server-Side Template Injection (SSTI) vulnerability in the Freemarke ...)
+ TODO: check
+CVE-2025-70829 (An information exposure vulnerability in Datart v1.0.0-rc.3 allows aut ...)
+ TODO: check
+CVE-2025-70828 (An issue in Datart v1.0.0-rc.3 allows attackers to execute arbitrary c ...)
+ TODO: check
+CVE-2025-70397 (jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and ...)
+ TODO: check
+CVE-2025-67905 (Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and perfo ...)
+ TODO: check
+CVE-2025-66614 (Improper Input Validation vulnerability. This issue affects Apache To ...)
+ TODO: check
+CVE-2025-65753 (An issue in the TLS certification mechanism of Guardian Gryphon v01.06 ...)
+ TODO: check
+CVE-2025-59793 (Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /ax ...)
+ TODO: check
+CVE-2025-36598 (Dell Avamar, versions prior to 19.12 with patch 338905, contains an Im ...)
+ TODO: check
+CVE-2025-36597 (Dell Avamar, versions prior to 19.12 with patch 338905, contains an Im ...)
+ TODO: check
+CVE-2025-36425 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 ...)
+ TODO: check
+CVE-2025-36247 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 ...)
+ TODO: check
+CVE-2025-36243 (IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request f ...)
+ TODO: check
+CVE-2025-36019 (IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to c ...)
+ TODO: check
+CVE-2025-36018 (IBM Concert 1.0.0 through 2.1.0 for Z hub componentis vulnerable to cr ...)
+ TODO: check
+CVE-2025-33130 (IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow ...)
+ TODO: check
+CVE-2025-33124 (IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow ...)
+ TODO: check
+CVE-2025-33101 (IBM Concert 1.0.0 through 2.1.0 could allow an attacker to obtain sens ...)
+ TODO: check
+CVE-2025-33089 (IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtai ...)
+ TODO: check
+CVE-2025-32355 (Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to h ...)
+ TODO: check
+CVE-2025-27904 (IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery E ...)
+ TODO: check
+CVE-2025-27903 (IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery E ...)
+ TODO: check
+CVE-2025-27901 (IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery E ...)
+ TODO: check
+CVE-2025-14689 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1 ...)
+ TODO: check
+CVE-2025-13867 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 ...)
+ TODO: check
+CVE-2025-13108 (IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow ...)
+ TODO: check
+CVE-2025-12755 (IBM MQ Operator (SC2 v3.2.0\u20133.8.1, LTS v2.0.0\u20132.0.29) and IB ...)
+ TODO: check
+CVE-2024-55271 (A Cross-Site Request Forgery (CSRF) vulnerability has been identified ...)
+ TODO: check
+CVE-2024-55270 (phpgurukul Student Management System 1.0 is vulnerable to SQL Injectio ...)
+ TODO: check
+CVE-2024-43178 (IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographi ...)
+ TODO: check
+CVE-2024-31118 (Missing Authorization vulnerability in Smartypants SP Project & Docume ...)
+ TODO: check
+CVE-2023-38265 (IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 c ...)
+ TODO: check
+CVE-2026-25087 (Use After Free vulnerability in Apache Arrow C++. This issue affects ...)
- apache-arrow 23.0.1-1
NOTE: https://github.com/apache/arrow/pull/48925
NOTE: https://www.openwall.com/lists/oss-security/2026/02/17/4
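Review bot: the literal escape sequences `\u2014` in the new CVE-2026-2608 and CVE-2025-12755 descriptions show the importer writing JSON-escaped text into data/CVE/list rather than the decoded character; decoding escapes before writing (and before the fixed-width truncation) would keep the descriptions readable and avoid a truncated half-escape. The rest of the hunk is routine: CVE-2026-25087 moves from the bracketed placeholder title to the upstream description with `- apache-arrow 23.0.1-1` and its two NOTE references, CVE-2026-1452 is recorded as REJECTED, and every other new entry carries `TODO: check` and still needs triage.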
@@ -3111,6 +3227,7 @@ CVE-2026-1609
CVE-2025-11537 (A flaw was found in Keycloak. When the logging format is configured to ...)
- keycloak <itp> (bug #1088287)
CVE-2026-25646 (LIBPNG is a reference library for use in applications that read, creat ...)
+ {DLA-4481-1}
- libpng1.6 1.6.55-1 (bug #1127566)
NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3
NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88 (v1.6.55)
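Review bot: CVE-2026-25646 gains `{DLA-4481-1}` but, unlike the two other libpng1.6 entries that receive the same DLA reference in this commit (CVE-2026-22801 and CVE-2026-22695, which carry `[trixie] - libpng1.6 <no-dsa> (Minor issue)` and `[bookworm] - libpng1.6 <no-dsa> (Minor issue)`), it has no per-suite status lines, so the trixie and bookworm state for this CVE is left undetermined and should be annotated.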
@@ -3262,11 +3379,13 @@ CVE-2026-23901 (Observable Timing Discrepancy vulnerability in Apache Shiro. Th
[bullseye] - shiro <postponed> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/02/08/2
CVE-2026-25916 (Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block rem ...)
+ {DSA-6137-1 DLA-4480-1}
- roundcube 1.6.13+dfsg-1 (bug #1127447)
NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8 (1.6.13)
NOTE: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13
NOTE: https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/
CVE-2026-26079 (Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading ...)
+ {DSA-6137-1 DLA-4480-1}
- roundcube 1.6.13+dfsg-1 (bug #1127447)
NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816 (1.6.13)
NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447 (1.6.13)
@@ -3368,7 +3487,7 @@ CVE-2026-22613 (The server identity check mechanism for firmware upgrade perform
NOT-FOR-US: Eaton
CVE-2026-1868 (GitLab has remediated a vulnerability in the Duo Workflow Service comp ...)
NOT-FOR-US: GitLab AI Gateway
-CVE-2026-1615 (All versions of the package jsonpath are vulnerable to Arbitrary Code ...)
+CVE-2026-1615 (Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitr ...)
NOT-FOR-US: Node jsonpath
CVE-2026-0870 (MacroHub developed by GIGABYTE has a Local Privilege Escalation vulner ...)
NOT-FOR-US: MacroHub
@@ -8790,7 +8909,7 @@ CVE-2026-24535 (Missing Authorization vulnerability in webdevstudios Automatic F
NOT-FOR-US: WordPress plugin or theme
CVE-2026-24534 (Missing Authorization vulnerability in uPress Booter booter-bots-crawl ...)
NOT-FOR-US: WordPress plugin or theme
-CVE-2026-24532 (Missing Authorization vulnerability in SiteLock SiteLock Security site ...)
+CVE-2026-24532 (Missing Authorization vulnerability in SiteLock SiteLock Security \u20 ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-24531 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
NOT-FOR-US: WordPress plugin or theme
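Review bot: the refreshed CVE-2026-24532 description ends in `\u20 ...`, a Unicode escape cut in half by the fixed-width truncation; this is the same undecoded-escape problem visible in the new CVE-2026-2608 and CVE-2025-12755 entries, and decoding escapes before truncating would keep the tail of the description readable. No status change here; the entry remains `NOT-FOR-US: WordPress plugin or theme`.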
@@ -14430,12 +14549,14 @@ CVE-2024-58339 (LlamaIndex (run-llama/llama_index) versions up to and including
CVE-2024-14021 (LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 ...)
NOT-FOR-US: LlamaIndex (run-llama/llama_index)
CVE-2026-22801 (LIBPNG is a reference library for use in applications that read, creat ...)
+ {DLA-4481-1}
- libpng1.6 1.6.54-1 (bug #1125444)
[trixie] - libpng1.6 <no-dsa> (Minor issue)
[bookworm] - libpng1.6 <no-dsa> (Minor issue)
NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
CVE-2026-22695 (LIBPNG is a reference library for use in applications that read, creat ...)
+ {DLA-4481-1}
- libpng1.6 1.6.54-1 (bug #1125443)
[trixie] - libpng1.6 <no-dsa> (Minor issue)
[bookworm] - libpng1.6 <no-dsa> (Minor issue)
@@ -73555,7 +73676,7 @@ CVE-2025-26476 (Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0,
NOT-FOR-US: Dell / EMC
CVE-2025-26065 (A cross-site scripting (XSS) vulnerability in Intelbras RX1500 v2.2.9 ...)
NOT-FOR-US: Intelbras
-CVE-2025-21120 (Dell Avamar, versions prior to 19.12 with patch 338905, excluding vers ...)
+CVE-2025-21120 (Dell Avamar, versions prior to 19.10 SP1 with patch 338904, contains a ...)
NOT-FOR-US: Dell / EMC
CVE-2025-0932 (Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, ...)
NOT-FOR-US: ARM
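Review bot: the CVE-2025-21120 description changes the affected Dell Avamar range from `prior to 19.12 with patch 338905` to `prior to 19.10 SP1 with patch 338904`, which narrows what the entry says is affected; since the new CVE-2025-36598 and CVE-2025-36597 entries in this same commit use the `19.12 with patch 338905` wording, this looks like an upstream correction of the CVE text rather than a tracker edit, and the entry correctly stays `NOT-FOR-US: Dell / EMC`.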
@@ -331912,8 +332033,8 @@ CVE-2022-41656
RESERVED
CVE-2022-41655 (Auth. (subscriber+) Sensitive Data Exposure vulnerability in Phone Ord ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-41650
- RESERVED
+CVE-2022-41650 (Missing Authorization vulnerability in Paul Custom Content by Country ...)
+ TODO: check
CVE-2022-41647
RESERVED
CVE-2022-41643 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Acce ...)
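Review bot: CVE-2022-41650 moves from `RESERVED` to a description with `TODO: check`; the neighbouring CVE-2022-41655 and CVE-2022-41643 entries are WordPress plugin issues and the title `Custom Content by Country` reads like one, so the triage will probably end as `NOT-FOR-US: WordPress plugin`, but that should be confirmed against the full description before the TODO is replaced.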
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ab99d267aa1bab65deb41bbe89b306b77746a1c