[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Feb 27 20:14:13 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7f87a354 by security tracker role at 2026-02-27T20:14:03+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,161 @@
+CVE-2026-3327 (Authenticated Iframe Injection in Dato CMS Web Previews plugin. This v ...)
+ TODO: check
+CVE-2026-3304 (Multer is a node.js middleware for handling `multipart/form-data`. A v ...)
+ TODO: check
+CVE-2026-3277 (The OpenID Connect (OIDC) authentication configuration in PowerShell ...)
+ TODO: check
+CVE-2026-3223 (Arbitrary file write & potential privilege escalation exploiting zip s ...)
+ TODO: check
+CVE-2026-2880 (A vulnerability in @fastify/middie versions < 9.2.0 can result in auth ...)
+ TODO: check
+CVE-2026-2831 (The MailArchiver plugin for WordPress is vulnerable to SQL Injection v ...)
+ TODO: check
+CVE-2026-2751 (Blind SQL Injection via unsanitized array keys in Service Dependencies ...)
+ TODO: check
+CVE-2026-2750 (Improper Input Validation vulnerability in Centreon Centreon Open Tick ...)
+ TODO: check
+CVE-2026-2749 (Vulnerability in Centreon Centreon Open Tickets on Central Server on L ...)
+ TODO: check
+CVE-2026-2383 (The Simple Download Monitor plugin for WordPress is vulnerable to Stor ...)
+ TODO: check
+CVE-2026-2362 (The WP Accessibility plugin for WordPress is vulnerable to Stored DOM- ...)
+ TODO: check
+CVE-2026-2359 (Multer is a node.js middleware for handling `multipart/form-data`. A v ...)
+ TODO: check
+CVE-2026-2293 (A NestJS application using @nestjs/platform-fastify can allow bypass o ...)
+ TODO: check
+CVE-2026-2252 (An XML External Entity (XXE) vulnerability allows malicious user to pe ...)
+ TODO: check
+CVE-2026-2251 (Improper limitation of a pathname to a restricted directory (Path Trav ...)
+ TODO: check
+CVE-2026-28354 (ClipBucket v5 is an open source video sharing platform. Prior to versi ...)
+ TODO: check
+CVE-2026-27947 (Group-Office is an enterprise customer relationship management and gro ...)
+ TODO: check
+CVE-2026-27836 (phpMyFAQ is an open source FAQ web application. Prior to version 4.0.1 ...)
+ TODO: check
+CVE-2026-27832 (Group-Office is an enterprise customer relationship management and gro ...)
+ TODO: check
+CVE-2026-27824 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
+ TODO: check
+CVE-2026-27810 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
+ TODO: check
+CVE-2026-27793 (Seerr is an open-source media request and discovery manager for Jellyf ...)
+ TODO: check
+CVE-2026-27792 (Seerr is an open-source media request and discovery manager for Jellyf ...)
+ TODO: check
+CVE-2026-27758 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a c ...)
+ TODO: check
+CVE-2026-27757 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an ...)
+ TODO: check
+CVE-2026-27756 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a r ...)
+ TODO: check
+CVE-2026-27755 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a w ...)
+ TODO: check
+CVE-2026-27754 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cry ...)
+ TODO: check
+CVE-2026-27753 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an ...)
+ TODO: check
+CVE-2026-27752 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit au ...)
+ TODO: check
+CVE-2026-27751 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a d ...)
+ TODO: check
+CVE-2026-27734 (Beszel is a server monitoring platform. Prior to version 0.18.2, the h ...)
+ TODO: check
+CVE-2026-27707 (Seerr is an open-source media request and discovery manager for Jellyf ...)
+ TODO: check
+CVE-2026-27583
+ REJECTED
+CVE-2026-27582
+ REJECTED
+CVE-2026-27581
+ REJECTED
+CVE-2026-27580
+ REJECTED
+CVE-2026-27573
+ REJECTED
+CVE-2026-27501
+ REJECTED
+CVE-2026-27500
+ REJECTED
+CVE-2026-27201
+ REJECTED
+CVE-2026-27200
+ REJECTED
+CVE-2026-26997 (ClipBucket v5 is an open source video sharing platform. Prior to versi ...)
+ TODO: check
+CVE-2026-26862 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-base ...)
+ TODO: check
+CVE-2026-26861 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Si ...)
+ TODO: check
+CVE-2026-25147 (OpenEMR is a free and open source electronic health records and medica ...)
+ TODO: check
+CVE-2026-24488 (OpenEMR is a free and open source electronic health records and medica ...)
+ TODO: check
+CVE-2026-24352 (PluXml CMS allows a user's session identifier to be set before authent ...)
+ TODO: check
+CVE-2026-24351 (PluXml CMS is vulnerable to Stored XSS in Static Pages editing functio ...)
+ TODO: check
+CVE-2026-24350 (PluXml CMS is vulnerable to Stored XSS in file uploading functionality ...)
+ TODO: check
+CVE-2026-22717 (Out-of-bound read vulnerability in VMware Workstation 25H1 and below o ...)
+ TODO: check
+CVE-2026-22716 (Out-of-bound write vulnerability in VMware Workstation 25H1 and below ...)
+ TODO: check
+CVE-2026-21660 (Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: P ...)
+ TODO: check
+CVE-2026-21659 (Unauthenticated Remote Code Execution and Information Disclosure due t ...)
+ TODO: check
+CVE-2026-21658 (Unauthenticated Remote Code Execution i.e Improper Control of Generati ...)
+ TODO: check
+CVE-2026-21657 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
+ TODO: check
+CVE-2026-21656 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
+ TODO: check
+CVE-2026-21654 (Improper Neutralization of Special Elements used in an OS Command ('OS ...)
+ TODO: check
+CVE-2026-21619 (Uncontrolled Resource Consumption, Deserialization of Untrusted Data v ...)
+ TODO: check
+CVE-2026-1627 (An attacker may exploit the use of outdated and weak MAC algorithms in ...)
+ TODO: check
+CVE-2026-1626 (An attacker may exploit the use of weak CBC-based cipher suites in the ...)
+ TODO: check
+CVE-2026-1434 (Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An a ...)
+ TODO: check
+CVE-2026-1305 (The Japanized for WooCommerce plugin for WordPress is vulnerable to Im ...)
+ TODO: check
+CVE-2025-69437 (PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploade ...)
+ TODO: check
+CVE-2025-15498 (Pro3W CMS if vulnerable toSQL injection attacks.Improper neutralizatio ...)
+ TODO: check
+CVE-2025-14142 (The Electric Enquiries plugin for WordPress is vulnerable to Stored Cr ...)
+ TODO: check
+CVE-2025-11950 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2025-11252 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2025-11251 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2024-10938 (The OVRI Payment plugin for WordPress contains malicious .htaccess fil ...)
+ TODO: check
+CVE-2019-25497 (osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows ...)
+ TODO: check
+CVE-2019-25496 (osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows ...)
+ TODO: check
+CVE-2019-25495 (osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows ...)
+ TODO: check
+CVE-2019-25494 (Homey BNB V4 contains an SQL injection vulnerability in the administra ...)
+ TODO: check
+CVE-2019-25493 (Homey BNB V4 contains an SQL injection vulnerability that allows unaut ...)
+ TODO: check
+CVE-2019-25492 (Homey BNB V4 contains an SQL injection vulnerability that allows unaut ...)
+ TODO: check
+CVE-2019-25491 (Homey BNB V4 contains an SQL injection vulnerability that allows unaut ...)
+ TODO: check
+CVE-2019-25490 (Homey BNB V4 contains a SQL injection vulnerability that allows unauth ...)
+ TODO: check
+CVE-2019-25489 (Homey BNB V4 contains a SQL injection vulnerability that allows unauth ...)
+ TODO: check
CVE-2026-3302 (A weakness has been identified in SourceCodester Doctor Appointment Sy ...)
NOT-FOR-US: SourceCodester
CVE-2026-3301 (A security flaw has been discovered in Totolink N300RH 6.1c.1353_B2019 ...)
@@ -514,7 +672,7 @@ CVE-2026-27837 (Dottie provides nested object access and manipulation in JavaScr
NOTE: https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w
NOTE: Fixed by: https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14 (v2.0.7)
NOTE: CVE exists because of an incomplete fix for CVE-2023-26132.
-CVE-2026-27831 (rldns is an open source DNS server. Version 2.3 has a heap-based out-o ...)
+CVE-2026-27831 (rldns is an open source DNS server. Version 1.3 has a heap-based out-o ...)
NOT-FOR-US: rldns
CVE-2026-27830 (c3p0, a JDBC Connection pooling library, is vulnerable to attack via m ...)
- c3p0 <unfixed>
@@ -1492,6 +1650,7 @@ CVE-2026-2777 (Privilege escalation in the Messaging System component. This vuln
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/#CVE-2026-2777
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-17/#CVE-2026-2777
CVE-2026-2776 (Sandbox escape due to incorrect boundary conditions in the Telemetry c ...)
+ {DSA-6148-1}
- firefox <unfixed>
- firefox-esr 140.8.0esr-1
- thunderbird <unfixed>
@@ -6365,7 +6524,7 @@ CVE-2025-15520 (The RegistrationMagic WordPress plugin before 6.0.7.2 checks no
NOT-FOR-US: WordPress plugin
CVE-2024-21961 (Improper restriction of operations within the bounds of a memory buffe ...)
NOT-FOR-US: AMD
-CVE-2020-37167 (ClamAV ClamBC bytecode interpreter contains a vulnerability in functio ...)
+CVE-2020-37167 (ClamAV versions prior to 0.102.0, fixed in 0.103.0-rc, ClamBC bytecode ...)
- clamav <undetermined>
NOTE: https://www.exploit-db.com/exploits/47687
TODO: check upstream status
@@ -47644,7 +47803,7 @@ CVE-2025-62727 (Starlette is a lightweight ASGI framework/toolkit. Starting in v
[bullseye] - starlette <postponed> (minor issue; DoS)
NOTE: https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
NOTE: Fixed by: https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5 (0.49.1)
-CVE-2025-12150
+CVE-2025-12150 (A flaw was found in Keycloak\u2019s WebAuthn registration component. T ...)
- keycloak <itp> (bug #1088287)
CVE-2025-9313 (An unauthenticated user can connect to a publicly accessible database ...)
NOT-FOR-US: Asseco mMedica
@@ -50582,7 +50741,7 @@ CVE-2025-60500 (QDocs Smart School Management System 7.1 allows authenticated us
NOT-FOR-US: QDocs Smart School Management System
CVE-2025-60427 (LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken ...)
NOT-FOR-US: LibreTime
-CVE-2025-60344 (An unauthenticated Local File Inclusion (LFI) vulnerability in D-Link ...)
+CVE-2025-60344 (A path traversal (directory traversal) vulnerability in D-Link DSR ser ...)
NOT-FOR-US: D-Link
CVE-2025-60280 (Cross-Site Scripting (XSS) vulnerability in Bang Resto v1.0 could allo ...)
NOT-FOR-US: Bang Resto
@@ -167227,7 +167386,7 @@ CVE-2024-50408 (Deserialization of Untrusted Data vulnerability in Kiboko Labs N
NOT-FOR-US: WordPress plugin
CVE-2024-49771 (MPXJ is an open source library to read and write project plans from a ...)
NOT-FOR-US: Packwood MPXJ
-CVE-2025-10990
+CVE-2025-10990 (A flaw was found in REXML. A remote attacker could exploit inefficient ...)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2398216
NOTE: check if RedHat specific incomplete fix for CVE-2024-49761 and for us a NFU
CVE-2024-49761 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReD ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f87a354c4222f06182804dac5639897964caa03
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f87a354c4222f06182804dac5639897964caa03
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260227/37bdca17/attachment.htm>
More information about the debian-security-tracker-commits
mailing list