[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Feb 27 08:55:17 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
11d5e3e8 by Salvatore Bonaccorso at 2026-02-27T09:54:54+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -61,7 +61,7 @@ CVE-2026-3262 (A vulnerability has been found in go2ismail Asp.Net-Core-Inventor
 CVE-2026-3261 (A flaw has been found in itsourcecode School Management System 1.0. Th ...)
 	NOT-FOR-US: itsourcecode System
 CVE-2026-3037 (An OS command injection vulnerability exists in XWEB Pro version 1.12. ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-2428 (The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-28370 (In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0 ...)
@@ -75,15 +75,15 @@ CVE-2026-28364 (In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read
 CVE-2026-28363 (In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort  ...)
 	NOT-FOR-US: OpenClaw
 CVE-2026-28280 (osctrl is an osquery management solution. Prior to version 0.5.0, a st ...)
-	TODO: check
+	NOT-FOR-US: osctrl
 CVE-2026-28279 (osctrl is an osquery management solution. Prior to version 0.5.0, an O ...)
-	TODO: check
+	NOT-FOR-US: osctrl
 CVE-2026-28276 (Initiative is a self-hosted project management platform. An access con ...)
-	TODO: check
+	NOT-FOR-US: Initiative
 CVE-2026-28275 (Initiative is a self-hosted project management platform. Versions of t ...)
-	TODO: check
+	NOT-FOR-US: Initiative
 CVE-2026-28274 (Initiative is a self-hosted project management platform. Versions of t ...)
-	TODO: check
+	NOT-FOR-US: Initiative
 CVE-2026-28269 (Kiteworks is a private data network (PDN). Prior to version 9.2.0, avu ...)
 	NOT-FOR-US: Kiteworks
 CVE-2026-28230 (SteVe is an open-source EV charging station management system. In vers ...)
@@ -99,27 +99,27 @@ CVE-2026-28219 (Discourse is an open source discussion platform. Prior to versio
 CVE-2026-28218 (Discourse is an open source discussion platform. Prior to versions 202 ...)
 	NOT-FOR-US: Discourse
 CVE-2026-28217 (hoppscotch is an open source API development ecosystem. Prior to versi ...)
-	TODO: check
+	NOT-FOR-US: hoppscotch
 CVE-2026-28216 (hoppscotch is an open source API development ecosystem. Prior to versi ...)
-	TODO: check
+	NOT-FOR-US: hoppscotch
 CVE-2026-28215 (hoppscotch is an open source API development ecosystem. Prior to versi ...)
-	TODO: check
+	NOT-FOR-US: hoppscotch
 CVE-2026-28213 (EverShop is a TypeScript-first eCommerce platform. Versions prior to 2 ...)
 	NOT-FOR-US: EverShop
 CVE-2026-28211 (The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to h ...)
-	TODO: check
+	NOT-FOR-US: NVDA Dev & Test Toolbox
 CVE-2026-28208 (Junrar is an open source java RAR archive library. Prior to version 7. ...)
-	TODO: check
+	NOT-FOR-US: Junrar
 CVE-2026-28207 (Zen C is a systems programming language that compiles to human-readabl ...)
 	TODO: check
 CVE-2026-27839 (wger is a free, open-source workout and fitness manager. In versions u ...)
-	TODO: check
+	NOT-FOR-US: wger
 CVE-2026-27838 (wger is a free, open-source workout and fitness manager. Five routine  ...)
-	TODO: check
+	NOT-FOR-US: wger
 CVE-2026-27835 (wger is a free, open-source workout and fitness manager. In versions u ...)
-	TODO: check
+	NOT-FOR-US: wger
 CVE-2026-27776 (IM-LogicDesigner module of intra-mart Accel Platform contains insecure ...)
-	TODO: check
+	NOT-FOR-US: IM-LogicDesigner module of intra-mart Accel Platform
 CVE-2026-27773 (Charging station authentication identifiers are publicly accessible vi ...)
 	TODO: check
 CVE-2026-27772 (WebSocket endpoints lack proper authentication mechanisms, enabling  a ...)
@@ -127,13 +127,13 @@ CVE-2026-27772 (WebSocket endpoints lack proper authentication mechanisms, enabl
 CVE-2026-27767 (WebSocket endpoints lack proper authentication mechanisms, enabling  a ...)
 	TODO: check
 CVE-2026-27653 (The installers for multiple products provided by Soliton Systems K.K.  ...)
-	TODO: check
+	NOT-FOR-US: Soliton
 CVE-2026-27652 (The WebSocket backend uses charging station identifiers to uniquely  a ...)
 	TODO: check
 CVE-2026-27647 (The WebSocket backend uses charging station identifiers to uniquely  a ...)
 	TODO: check
 CVE-2026-27638 (Actual is a local-first personal finance tool. Prior to version 26.2.1 ...)
-	TODO: check
+	NOT-FOR-US: Actual
 CVE-2026-27457 (Weblate is a web based localization tool. Prior to version 5.16.1, the ...)
 	TODO: check
 CVE-2026-27449 (Umbraco Engage is a business intelligence platform. A vulnerability ha ...)
@@ -171,53 +171,53 @@ CVE-2026-25774 (Charging station authentication identifiers are publicly accessi
 CVE-2026-25741 (Zulip is an open-source team collaboration tool. Prior to commit bf28c ...)
 	TODO: check
 CVE-2026-25721 (An OS command injection  vulnerability exists in XWEB Pro version 1.12 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-25711 (The WebSocket backend uses charging station identifiers to uniquely  a ...)
 	TODO: check
 CVE-2026-25196 (An OS command injection  vulnerability exists in XWEB Pro version 1.12 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-25195 (An OS command injection     vulnerability exists in XWEB Pro version 1 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-25114 (The WebSocket Application Programming Interface lacks restrictions on  ...)
 	TODO: check
 CVE-2026-25113 (The WebSocket Application Programming Interface lacks restrictions on  ...)
 	TODO: check
 CVE-2026-25111 (An OS command injection  vulnerability exists in XWEB Pro version 1.12 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-25109 (An OS command injection    vulnerability exists in XWEB Pro version 1. ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-25105 (An OS command injection       vulnerability exists in XWEB Pro version ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-25085 (A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior,  ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-25037 (An OS command injection   vulnerability exists in XWEB Pro version 1.1 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-24731 (WebSocket endpoints lack proper authentication mechanisms, enabling  a ...)
 	TODO: check
 CVE-2026-24695 (An OS command injection      vulnerability exists in XWEB Pro version  ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-24689 (An OS command injection   vulnerability exists in XWEB Pro version 1.1 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-24663 (An OS command injection vulnerability exists in XWEB Pro version 1.12. ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-24517 (An OS command injection    vulnerability exists in XWEB Pro version 1. ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-24498 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
 	TODO: check
 CVE-2026-24497 (Stack-based Buffer Overflow vulnerability in SimTech Systems, Inc. Thi ...)
 	TODO: check
 CVE-2026-24452 (An OS command injection   vulnerability exists in XWEB Pro version 1.1 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-24445 (The WebSocket Application Programming Interface lacks restrictions on  ...)
 	TODO: check
 CVE-2026-23702 (An OS command injection  vulnerability exists in XWEB Pro version 1.12 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-22890 (Charging station authentication identifiers are publicly accessible vi ...)
 	TODO: check
 CVE-2026-22878 (Charging station authentication identifiers are publicly accessible vi ...)
 	TODO: check
 CVE-2026-22877 (An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-22207 (OpenViking through version 0.1.18, prior to commit0251c70,contains a b ...)
 	TODO: check
 CVE-2026-22206 (SPIP versions prior to 4.4.10 contain a SQL injection vulnerability th ...)
@@ -225,17 +225,17 @@ CVE-2026-22206 (SPIP versions prior to 4.4.10 contain a SQL injection vulnerabil
 CVE-2026-22205 (SPIP versions prior to 4.4.10 contain an authentication bypass vulnera ...)
 	TODO: check
 CVE-2026-21718 (An authentication bypass vulnerability exists in Copeland XWEB Pro  ve ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-21389 (An OS command injection  vulnerability exists in XWEB Pro version 1.12 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-20910 (An OS command injection  vulnerability exists in XWEB Pro version 1.12 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-20902 (An OS command injection     vulnerability exists in XWEB Pro version 1 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-20895 (The WebSocket backend uses charging station identifiers to uniquely  a ...)
 	TODO: check
 CVE-2026-20797 (A stack based buffer overflow exists in an API route of XWEB Pro versi ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-20792 (The WebSocket Application Programming Interface lacks restrictions on  ...)
 	TODO: check
 CVE-2026-20791 (Charging station authentication identifiers are publicly accessible vi ...)
@@ -243,9 +243,9 @@ CVE-2026-20791 (Charging station authentication identifiers are publicly accessi
 CVE-2026-20781 (WebSocket endpoints lack proper authentication mechanisms, enabling  a ...)
 	TODO: check
 CVE-2026-20764 (An OS command injection  vulnerability exists in XWEB Pro version 1.12 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-20742 (An OS command injection   vulnerability exists in XWEB Pro version 1.1 ...)
-	TODO: check
+	NOT-FOR-US: XWEB Pro
 CVE-2026-20733 (Charging station authentication identifiers are publicly accessible vi ...)
 	TODO: check
 CVE-2026-1585 (An unquoted Windows service executable path vulnerability in IJ Scan U ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11d5e3e8752e89a6491509d2d28abb72d7558fc1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11d5e3e8752e89a6491509d2d28abb72d7558fc1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260227/eb3f75ce/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list