[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Feb 26 21:13:20 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d1706c64 by Salvatore Bonaccorso at 2026-02-26T22:12:26+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,15 +1,15 @@
 CVE-2026-3071 (Deserialization of untrusted data in the LanguageModel class of Flair  ...)
 	NOT-FOR-US: LanguageModel class of Flair
 CVE-2026-2680 (Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in ...)
-	TODO: check
+	NOT-FOR-US: A3factura web platform
 CVE-2026-2679 (Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in ...)
-	TODO: check
+	NOT-FOR-US: A3factura web platform
 CVE-2026-2678 (Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in ...)
-	TODO: check
+	NOT-FOR-US: A3factura web platform
 CVE-2026-2677 (Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in ...)
-	TODO: check
+	NOT-FOR-US: A3factura web platform
 CVE-2026-2244 (A vulnerability in Google Cloud Vertex AI Workbench from7/21/2025 to 0 ...)
-	TODO: check
+	NOT-FOR-US: Google Cloud Vertex AI Workbench
 CVE-2026-28296 (A flaw was found in the FTP GVfs backend. A remote attacker could expl ...)
 	TODO: check
 CVE-2026-28295 (A flaw was found in the FTP GVfs backend. A malicious FTP server can e ...)
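Review bot: the two GVfs FTP backend entries at the end of this hunk (CVE-2026-28296 and CVE-2026-28295) stay at "TODO: check", which is right for a commit that only processes NFUs, but they are not NFU candidates and still need a source package mapping in a follow-up rather than being left untriaged.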
@@ -47,13 +47,13 @@ CVE-2026-26934 (Improper Validation of Specified Quantity in Input (CWE-1284) in
 CVE-2026-26932 (Improper Validation of Array Index (CWE-129) in the PostgreSQL protoco ...)
 	TODO: check
 CVE-2026-26682 (An issue in fastCMS before v.0.1.6 allows a local attacker to execute  ...)
-	TODO: check
+	NOT-FOR-US: fastCMS
 CVE-2026-26265 (Discourse is an open source discussion platform. Prior to versions 202 ...)
 	NOT-FOR-US: Discourse
 CVE-2026-26228 (VideoLAN VLC for Android prior to version 3.7.0 contains a path traver ...)
-	TODO: check
+	NOT-FOR-US: VideoLAN VLC for Android
 CVE-2026-26227 (VideoLAN VLC for Android prior to version 3.7.0 contains an authentica ...)
-	TODO: check
+	NOT-FOR-US: VideoLAN VLC for Android
 CVE-2026-26207 (Discourse is an open source discussion platform. Prior to versions 202 ...)
 	NOT-FOR-US: Discourse
 CVE-2026-26078 (Discourse is an open source discussion platform. Prior to versions 202 ...)
@@ -61,35 +61,35 @@ CVE-2026-26078 (Discourse is an open source discussion platform. Prior to versio
 CVE-2026-26077 (Discourse is an open source discussion platform. Prior to versions 202 ...)
 	NOT-FOR-US: Discourse
 CVE-2026-23939 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
-	TODO: check
+	NOT-FOR-US: hexpm
 CVE-2026-23750 (Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap ...)
-	TODO: check
+	NOT-FOR-US: Golioth Pouch
 CVE-2026-23749 (Golioth Firmware SDK version0.19.1prior to 0.22.0, fixed in commit0e78 ...)
-	TODO: check
+	NOT-FOR-US: Golioth
 CVE-2026-23748 (Golioth Firmware SDK version0.10.0 prior to 0.22.0, fixed in commitd7f ...)
-	TODO: check
+	NOT-FOR-US: Golioth
 CVE-2026-23747 (Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit48 ...)
-	TODO: check
+	NOT-FOR-US: Golioth
 CVE-2026-22722 (A malicious actor with authenticated user privileges on a Windows base ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2026-22715 (VMWare Workstation and Fusion contain a logic flaw in the management o ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2026-1565 (The User Frontend: AI Powered Frontend Posting, User Directory, Profil ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-1241 (The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to  ...)
-	TODO: check
+	NOT-FOR-US: Pelco, Inc. Sarix Professional 3 Series Cameras
 CVE-2026-1198 (SIMPLE.ERP is vulnerable to the SQL Injection in search functionality  ...)
-	TODO: check
+	NOT-FOR-US: SIMPLE.ERP
 CVE-2025-71057 (Improper session management in D-Link Wireless N 300 ADSL2+ Modem Rout ...)
 	NOT-FOR-US: D-Link
 CVE-2025-64999 (Improper neutralization of input in Checkmk versions 2.4.0 before 2.4. ...)
 	TODO: check
 CVE-2025-56605 (A reflected Cross-Site Scripting (XSS) vulnerability exists in the reg ...)
-	TODO: check
+	NOT-FOR-US: PuneethReddyHC Event Management System
 CVE-2025-50857 (ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Travers ...)
-	TODO: check
+	NOT-FOR-US: ZenTaoPMS
 CVE-2025-14343 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
-	TODO: check
+	NOT-FOR-US: okuzsoft Technology E-Commerce Product
 CVE-2025-11384
 	REJECTED
 CVE-2025-11383
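Review bot: the NOT-FOR-US labels for the Golioth entries are inconsistent: CVE-2026-23750 gets "Golioth Pouch" while CVE-2026-23749, CVE-2026-23748 and CVE-2026-23747, whose descriptions all name "Golioth Firmware SDK", get only "Golioth". Using the product name for all four (e.g. "NOT-FOR-US: Golioth Firmware SDK") keeps the file greppable by product. The same applies to CVE-2026-22722, where the visible description does not name VMware at all; the label should carry whatever product the full description identifies.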
@@ -216,7 +216,7 @@ CVE-2026-27837 (Dottie provides nested object access and manipulation in JavaScr
 	NOTE: Fixed by: https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14 (v2.0.7)
 	NOTE: CVE exists because of an incomplete fix for CVE-2023-26132.
 CVE-2026-27831 (rldns is an open source DNS server. Version 2.3 has a heap-based out-o ...)
-	TODO: check
+	NOT-FOR-US: rldns
 CVE-2026-27830 (c3p0, a JDBC Connection pooling library, is vulnerable to attack via m ...)
 	TODO: check
 CVE-2026-27829 (Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in As ...)
@@ -260,7 +260,7 @@ CVE-2026-27710 (NanaZip is an open source file archive. Starting in version 5.0.
 CVE-2026-27709 (NanaZip is an open source file archive. Starting in version 5.0.1252.0 ...)
 	NOT-FOR-US: NanaZip
 CVE-2026-27635 (Manyfold is an open source, self-hosted web application for managing a ...)
-	TODO: check
+	NOT-FOR-US: Manyfold
 CVE-2026-27633 (TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Ver ...)
 	NOT-FOR-US: TinyWeb
 CVE-2026-27630 (TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Ver ...)
@@ -292,49 +292,49 @@ CVE-2026-27148 (Storybook is a frontend workshop for building user interface com
 CVE-2026-27116 (Vikunja is an open-source self-hosted task management platform. Prior  ...)
 	NOT-FOR-US: Vikunja
 CVE-2026-26985 (LORIS (Longitudinal Online Research and Imaging System) is a self-host ...)
-	TODO: check
+	NOT-FOR-US: LORIS (Longitudinal Online Research and Imaging System)
 CVE-2026-26984 (LORIS (Longitudinal Online Research and Imaging System) is a self-host ...)
-	TODO: check
+	NOT-FOR-US: LORIS (Longitudinal Online Research and Imaging System)
 CVE-2026-26186 (Fleet is open source device management software. A SQL injection vulne ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2026-25963 (Fleet is open source device management software. In versions prior to  ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2026-25736 (Rucio is a software framework that provides functionality to organize, ...)
-	TODO: check
+	NOT-FOR-US: Rucio
 CVE-2026-25735 (Rucio is a software framework that provides functionality to organize, ...)
-	TODO: check
+	NOT-FOR-US: Rucio
 CVE-2026-25734 (Rucio is a software framework that provides functionality to organize, ...)
-	TODO: check
+	NOT-FOR-US: Rucio
 CVE-2026-25733 (Rucio is a software framework that provides functionality to organize, ...)
-	TODO: check
+	NOT-FOR-US: Rucio
 CVE-2026-25191 (The installer of FinalCode Client provided by Digital Arts Inc. contai ...)
-	TODO: check
+	NOT-FOR-US: Digital Arts
 CVE-2026-24004 (Fleet is open source device management software. In versions prior to  ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2026-23999 (Fleet is open source device management software. In versions prior to  ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2026-23703 (The installer of FinalCode Client provided by Digital Arts Inc. contai ...)
-	TODO: check
+	NOT-FOR-US: Digital Arts
 CVE-2026-22728 (Bitnami Sealed Secretsis vulnerable to a scope-widening attack during  ...)
-	TODO: check
+	NOT-FOR-US: Bitnami Sealed Secrets
 CVE-2026-22721 (VMware Aria Operations contains a privilege escalation vulnerability.  ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2026-1779 (The User Registration & Membership plugin for WordPress is vulnerable  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-1698 (A HTTP Host header attack vulnerability affects WebClient and the WebS ...)
-	TODO: check
+	NOT-FOR-US: PcVue
 CVE-2026-1697 (The Secure and SameSite attribute are missing in the GraphicalData web ...)
-	TODO: check
+	NOT-FOR-US: PcVue
 CVE-2026-1696 (Some HTTP security headers are not properly set by the web server when ...)
-	TODO: check
+	NOT-FOR-US: PcVue
 CVE-2026-1695 (An XSS vulnerability affects the OAuth web services used by the WebVue ...)
-	TODO: check
+	NOT-FOR-US: PcVue
 CVE-2026-1694 (HTTP headers are added by the default configuration of IIS and ASP.net ...)
-	TODO: check
+	NOT-FOR-US: PcVue
 CVE-2026-1693 (The OAuth grant type Resource Owner Password Credentials (ROPC) flow i ...)
-	TODO: check
+	NOT-FOR-US: PcVue
 CVE-2026-1692 (A missing origin validation in WebSockets vulnerability affects the Gr ...)
-	TODO: check
+	NOT-FOR-US: PcVue
 CVE-2026-1557 (The WP Responsive Images plugin for WordPress is vulnerable to Path Tr ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-1311 (The Worry Proof Backup plugin for WordPress is vulnerable to Path Trav ...)
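Review bot: CVE-2026-25191 and CVE-2026-23703 are labelled "NOT-FOR-US: Digital Arts" although both descriptions name the product, "FinalCode Client", and the other entries in this hunk use the product rather than the vendor (Fleet, Rucio, Bitnami Sealed Secrets); "NOT-FOR-US: Digital Arts FinalCode Client" would match that convention. For the seven PcVue entries (CVE-2026-1698 down to CVE-2026-1692) the truncated descriptions mention WebClient, GraphicalData, IIS/ASP.net and OAuth services but not PcVue itself, so it is worth double-checking that all seven really belong to the same product before they share one label.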
@@ -406,7 +406,7 @@ CVE-2026-2878 (In Progress\xae Telerik\xae UI for AJAX, versions prior to 2026.1
 CVE-2026-2636 (This vulnerability is caused by a CWE\u2011159: "Improper Handling of  ...)
 	NOT-FOR-US: Fortra
 CVE-2026-2624 (Missing Authentication for Critical Function vulnerability in ePati Cy ...)
-	TODO: check
+	NOT-FOR-US: Antikor Next Generation Firewall (NGFW)
 CVE-2026-2479 (The Responsive Lightbox & Gallery plugin for WordPress is vulnerable t ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-2416 (The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via ...)
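Review bot: the label "NOT-FOR-US: Antikor Next Generation Firewall (NGFW)" for CVE-2026-2624 drops the vendor name "ePati" that the description starts with; since later searches of this file usually go by the vendor string visible in the description, "NOT-FOR-US: ePati Antikor Next Generation Firewall (NGFW)" would be easier to find.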
@@ -468,7 +468,7 @@ CVE-2026-27699 (The `basic-ftp` FTP client library for Node.js contains a path t
 	NOTE: https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
 	NOTE: https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9 (v5.2.0)
 CVE-2026-27695 (zae-limiter is a rate limiting library using the token bucket algorith ...)
-	TODO: check
+	NOT-FOR-US: zae-limiter
 CVE-2026-27692 (iccDEV provides a set of libraries and tools for working with ICC colo ...)
 	NOT-FOR-US: iccDEV
 CVE-2026-27691 (iccDEV provides a set of libraries and tools for working with ICC colo ...)
@@ -506,9 +506,9 @@ CVE-2026-25220 (OpenEMR is a free and open source electronic health records and
 CVE-2026-25164 (OpenEMR is a free and open source electronic health records and medica ...)
 	NOT-FOR-US: OpenEMR
 CVE-2026-25138 (Rucio is a software framework that provides functionality to organize, ...)
-	TODO: check
+	NOT-FOR-US: Rucio
 CVE-2026-25136 (Rucio is a software framework that provides functionality to organize, ...)
-	TODO: check
+	NOT-FOR-US: Rucio
 CVE-2026-24908 (OpenEMR is a free and open source electronic health records and medica ...)
 	NOT-FOR-US: OpenEMR
 CVE-2026-24890 (OpenEMR is a free and open source electronic health records and medica ...)
@@ -516,15 +516,15 @@ CVE-2026-24890 (OpenEMR is a free and open source electronic health records and
 CVE-2026-24487 (OpenEMR is a free and open source electronic health records and medica ...)
 	NOT-FOR-US: OpenEMR
 CVE-2026-24005 (Kruise provides automated management of large-scale applications on Ku ...)
-	TODO: check
+	NOT-FOR-US: Kruise
 CVE-2026-23627 (OpenEMR is a free and open source electronic health records and medica ...)
 	NOT-FOR-US: OpenEMR
 CVE-2026-22866 (Ethereum Name Service (ENS) is a distributed, open, and extensible nam ...)
 	TODO: check
 CVE-2026-22720 (VMware Aria Operations contains a stored cross-site scripting vulnerab ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2026-22719 (VMware Aria Operations contains a command injection vulnerability. A m ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2026-21902 (An Incorrect Permission Assignment for Critical Resource vulnerability ...)
 	NOT-FOR-US: Juniper
 CVE-2026-21725 (A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently d ...)
@@ -542,23 +542,23 @@ CVE-2026-20126 (A vulnerability in Cisco Catalyst SD-WAN Manager could allow an
 CVE-2026-20122 (A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allo ...)
 	NOT-FOR-US: Cisco
 CVE-2026-20107 (A vulnerability in the Object Model CLI component of Cisco Application ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2026-20099 (A vulnerability in the web-based management interface of Cisco FXOS So ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2026-20091 (A vulnerability in the web-based management interface of Cisco FXOS So ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2026-20051 (A vulnerability with the Ethernet VPN (EVPN) Layer 2 ingress packet pr ...)
 	NOT-FOR-US: Cisco
 CVE-2026-20048 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2026-20037 (A vulnerability in the NX-OS CLI privilege levels of Cisco UCS Manager ...)
 	NOT-FOR-US: Cisco
 CVE-2026-20036 (A vulnerability in the CLI and web-based management interface of Cisco ...)
 	NOT-FOR-US: Cisco
 CVE-2026-20033 (A vulnerability in Cisco Nexus 9000 Series Fabric Switches in ACI mode ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2026-20010 (A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2026-1929 (The Advanced Woo Labels plugin for WordPress is vulnerable to Remote C ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-1916 (The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable  ...)
@@ -566,19 +566,19 @@ CVE-2026-1916 (The WPGSI: Spreadsheet Integration plugin for WordPress is vulner
 CVE-2026-0704 (In affected version of Octopus Deploy it was possible to remove files  ...)
 	NOT-FOR-US: Octopus Deploy
 CVE-2025-69771 (An arbitrary file upload vulnerability in the subtitle loading functio ...)
-	TODO: check
+	NOT-FOR-US: asbplayer
 CVE-2025-67860 (A vulnerability has been identified in the NeuVector scanner where the ...)
-	TODO: check
+	NOT-FOR-US: NeuVector
 CVE-2025-67601 (A vulnerability has been identified within Rancher Manager, where usin ...)
 	NOT-FOR-US: SUSE
 CVE-2025-62878 (A malicious user can manipulate the parameters.pathPatternto create Pe ...)
-	TODO: check
+	NOT-FOR-US: Rancher
 CVE-2025-50180 (esm.sh is a no-build content delivery network (CDN) for web developmen ...)
-	TODO: check
+	NOT-FOR-US: esm.sh
 CVE-2025-3525 (GitLab has remediated an issue in GitLab CE/EE affecting all versions  ...)
 	- gitlab <unfixed>
 CVE-2025-1242 (The administrative credentials can be extracted through application AP ...)
-	TODO: check
+	NOT-FOR-US: Gardyn
 CVE-2025-14742 (The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-14103 (GitLab has remediated an issue in GitLab CE/EE affecting all versions  ...)
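Review bot: the SUSE-family entries in this hunk use three different labels: CVE-2025-67601 (Rancher Manager) keeps "NOT-FOR-US: SUSE", CVE-2025-62878 becomes "NOT-FOR-US: Rancher", and CVE-2025-67860 becomes "NOT-FOR-US: NeuVector". Picking one convention, either the vendor or the product, for all three would make it easier to spot related entries later; "NOT-FOR-US: Rancher" for both Rancher entries seems the least surprising choice given the existing line.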



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1706c649f7d675a94639e0b53c483bc8fe21307

-- 
You're receiving this email because of your account on salsa.debian.org.

