[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Feb 27 20:35:30 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
68335166 by Salvatore Bonaccorso at 2026-02-27T21:35:07+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,13 +1,13 @@
CVE-2026-3327 (Authenticated Iframe Injection in Dato CMS Web Previews plugin. This v ...)
- TODO: check
+ NOT-FOR-US: Dato CMS Web Previews plugin
CVE-2026-3304 (Multer is a node.js middleware for handling `multipart/form-data`. A v ...)
- TODO: check
+ NOT-FOR-US: Node multer
CVE-2026-3277 (The OpenID Connect (OIDC) authentication configuration in PowerShell ...)
NOT-FOR-US: Devolutions
CVE-2026-3223 (Arbitrary file write & potential privilege escalation exploiting zip s ...)
- TODO: check
+ NOT-FOR-US: Google Web Designer
CVE-2026-2880 (A vulnerability in @fastify/middie versions < 9.2.0 can result in auth ...)
- TODO: check
+ NOT-FOR-US: fastify/middie
CVE-2026-2831 (The MailArchiver plugin for WordPress is vulnerable to SQL Injection v ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2751 (Blind SQL Injection via unsanitized array keys in Service Dependencies ...)
@@ -21,7 +21,7 @@ CVE-2026-2383 (The Simple Download Monitor plugin for WordPress is vulnerable to
CVE-2026-2362 (The WP Accessibility plugin for WordPress is vulnerable to Stored DOM- ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2359 (Multer is a node.js middleware for handling `multipart/form-data`. A v ...)
- TODO: check
+ NOT-FOR-US: Node multer
CVE-2026-2293 (A NestJS application using @nestjs/platform-fastify can allow bypass o ...)
TODO: check
CVE-2026-2252 (An XML External Entity (XXE) vulnerability allows malicious user to pe ...)
@@ -29,41 +29,41 @@ CVE-2026-2252 (An XML External Entity (XXE) vulnerability allows malicious user
CVE-2026-2251 (Improper limitation of a pathname to a restricted directory (Path Trav ...)
NOT-FOR-US: Xerox
CVE-2026-28354 (ClipBucket v5 is an open source video sharing platform. Prior to versi ...)
- TODO: check
+ NOT-FOR-US: ClipBucket
CVE-2026-27947 (Group-Office is an enterprise customer relationship management and gro ...)
- TODO: check
+ NOT-FOR-US: Group-Office
CVE-2026-27836 (phpMyFAQ is an open source FAQ web application. Prior to version 4.0.1 ...)
- TODO: check
+ NOT-FOR-US: phpMyFAQ
CVE-2026-27832 (Group-Office is an enterprise customer relationship management and gro ...)
- TODO: check
+ NOT-FOR-US: Group-Office
CVE-2026-27824 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
TODO: check
CVE-2026-27810 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
TODO: check
CVE-2026-27793 (Seerr is an open-source media request and discovery manager for Jellyf ...)
- TODO: check
+ NOT-FOR-US: Seerr
CVE-2026-27792 (Seerr is an open-source media request and discovery manager for Jellyf ...)
- TODO: check
+ NOT-FOR-US: Seerr
CVE-2026-27758 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a c ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27757 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27756 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a r ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27755 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a w ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27754 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cry ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27753 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27752 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit au ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27751 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a d ...)
- TODO: check
+ NOT-FOR-US: SODOLA SL902-SWTGW124AS firmware
CVE-2026-27734 (Beszel is a server monitoring platform. Prior to version 0.18.2, the h ...)
TODO: check
CVE-2026-27707 (Seerr is an open-source media request and discovery manager for Jellyf ...)
- TODO: check
+ NOT-FOR-US: Seerr
CVE-2026-27583
REJECTED
CVE-2026-27582
@@ -83,11 +83,11 @@ CVE-2026-27201
CVE-2026-27200
REJECTED
CVE-2026-26997 (ClipBucket v5 is an open source video sharing platform. Prior to versi ...)
- TODO: check
+ NOT-FOR-US: ClipBucket
CVE-2026-26862 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-base ...)
- TODO: check
+ NOT-FOR-US: CleverTap Web SDK
CVE-2026-26861 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Si ...)
- TODO: check
+ NOT-FOR-US: CleverTap Web SDK
CVE-2026-25147 (OpenEMR is a free and open source electronic health records and medica ...)
NOT-FOR-US: OpenEMR
CVE-2026-24488 (OpenEMR is a free and open source electronic health records and medica ...)
@@ -99,9 +99,9 @@ CVE-2026-24351 (PluXml CMS is vulnerable to Stored XSS in Static Pages editing f
CVE-2026-24350 (PluXml CMS is vulnerable to Stored XSS in file uploading functionality ...)
TODO: check
CVE-2026-22717 (Out-of-bound read vulnerability in VMware Workstation 25H1 and below o ...)
- TODO: check
+ NOT-FOR-US: VMware
CVE-2026-22716 (Out-of-bound write vulnerability in VMware Workstation 25H1 and below ...)
- TODO: check
+ NOT-FOR-US: VMware
CVE-2026-21660 (Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: P ...)
NOT-FOR-US: Johnson Controls
CVE-2026-21659 (Unauthenticated Remote Code Execution and Information Disclosure due t ...)
@@ -115,17 +115,17 @@ CVE-2026-21656 (Improper Control of Generation of Code ('Code Injection') vulner
CVE-2026-21654 (Improper Neutralization of Special Elements used in an OS Command ('OS ...)
NOT-FOR-US: Johnson Controls
CVE-2026-21619 (Uncontrolled Resource Consumption, Deserialization of Untrusted Data v ...)
- TODO: check
+ NOT-FOR-US: hexpm
CVE-2026-1627 (An attacker may exploit the use of outdated and weak MAC algorithms in ...)
NOT-FOR-US: SICK AG
CVE-2026-1626 (An attacker may exploit the use of weak CBC-based cipher suites in the ...)
NOT-FOR-US: SICK AG
CVE-2026-1434 (Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An a ...)
- TODO: check
+ NOT-FOR-US: Omega-PSIR
CVE-2026-1305 (The Japanized for WooCommerce plugin for WordPress is vulnerable to Im ...)
NOT-FOR-US: WordPress plugin
CVE-2025-69437 (PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploade ...)
- TODO: check
+ NOT-FOR-US: PublicCMS
CVE-2025-15498 (Pro3W CMS if vulnerable toSQL injection attacks.Improper neutralizatio ...)
TODO: check
CVE-2025-14142 (The Electric Enquiries plugin for WordPress is vulnerable to Stored Cr ...)
@@ -279,17 +279,17 @@ CVE-2026-27835 (wger is a free, open-source workout and fitness manager. In vers
CVE-2026-27776 (IM-LogicDesigner module of intra-mart Accel Platform contains insecure ...)
NOT-FOR-US: IM-LogicDesigner module of intra-mart Accel Platform
CVE-2026-27773 (Charging station authentication identifiers are publicly accessible vi ...)
- TODO: check
+ NOT-FOR-US: SWITCH EV
CVE-2026-27772 (WebSocket endpoints lack proper authentication mechanisms, enabling a ...)
- TODO: check
+ NOT-FOR-US: EV Energy
CVE-2026-27767 (WebSocket endpoints lack proper authentication mechanisms, enabling a ...)
- TODO: check
+ NOT-FOR-US: SWITCH EV
CVE-2026-27653 (The installers for multiple products provided by Soliton Systems K.K. ...)
NOT-FOR-US: Soliton
CVE-2026-27652 (The WebSocket backend uses charging station identifiers to uniquely a ...)
- TODO: check
+ NOT-FOR-US: CloudCharge
CVE-2026-27647 (The WebSocket backend uses charging station identifiers to uniquely a ...)
- TODO: check
+ NOT-FOR-US: Mobility46
CVE-2026-27638 (Actual is a local-first personal finance tool. Prior to version 26.2.1 ...)
NOT-FOR-US: Actual
CVE-2026-27457 (Weblate is a web based localization tool. Prior to version 5.16.1, the ...)
@@ -311,35 +311,35 @@ CVE-2026-27150 (Discourse is an open source discussion platform. Prior to versio
CVE-2026-27149 (Discourse is an open source discussion platform. Prior to versions 202 ...)
NOT-FOR-US: Discourse
CVE-2026-27028 (WebSocket endpoints lack proper authentication mechanisms, enabling a ...)
- TODO: check
+ NOT-FOR-US: Mobility46
CVE-2026-27021 (Discourse is an open source discussion platform. Prior to versions 202 ...)
NOT-FOR-US: Discourse
CVE-2026-26305 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: Mobility46
CVE-2026-26290 (The WebSocket backend uses charging station identifiers to uniquely a ...)
- TODO: check
+ NOT-FOR-US: EV Energy
CVE-2026-25945 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: EV2GO
CVE-2026-25851 (WebSocket endpoints lack proper authentication mechanisms, enabling a ...)
- TODO: check
+ NOT-FOR-US: Chargemap
CVE-2026-25778 (The WebSocket backend uses charging station identifiers to uniquely a ...)
- TODO: check
+ NOT-FOR-US: SWITCH EV
CVE-2026-25774 (Charging station authentication identifiers are publicly accessible vi ...)
- TODO: check
+ NOT-FOR-US: EV Energy
CVE-2026-25741 (Zulip is an open-source team collaboration tool. Prior to commit bf28c ...)
- zulip-server <itp> (bug #800052)
CVE-2026-25721 (An OS command injection vulnerability exists in XWEB Pro version 1.12 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-25711 (The WebSocket backend uses charging station identifiers to uniquely a ...)
- TODO: check
+ NOT-FOR-US: Chargemap
CVE-2026-25196 (An OS command injection vulnerability exists in XWEB Pro version 1.12 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-25195 (An OS command injection vulnerability exists in XWEB Pro version 1 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-25114 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: CloudCharge
CVE-2026-25113 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: SWITCH EV
CVE-2026-25111 (An OS command injection vulnerability exists in XWEB Pro version 1.12 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-25109 (An OS command injection vulnerability exists in XWEB Pro version 1. ...)
@@ -351,7 +351,7 @@ CVE-2026-25085 (A vulnerability exists in Copeland XWEB Pro version 1.12.1 and p
CVE-2026-25037 (An OS command injection vulnerability exists in XWEB Pro version 1.1 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-24731 (WebSocket endpoints lack proper authentication mechanisms, enabling a ...)
- TODO: check
+ NOT-FOR-US: EV2GO
CVE-2026-24695 (An OS command injection vulnerability exists in XWEB Pro version ...)
NOT-FOR-US: XWEB Pro
CVE-2026-24689 (An OS command injection vulnerability exists in XWEB Pro version 1.1 ...)
@@ -361,23 +361,23 @@ CVE-2026-24663 (An OS command injection vulnerability exists in XWEB Pro version
CVE-2026-24517 (An OS command injection vulnerability exists in XWEB Pro version 1. ...)
NOT-FOR-US: XWEB Pro
CVE-2026-24498 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- TODO: check
+ NOT-FOR-US: IpTIME
CVE-2026-24497 (Stack-based Buffer Overflow vulnerability in SimTech Systems, Inc. Thi ...)
- TODO: check
+ NOT-FOR-US: SimTech Systems
CVE-2026-24452 (An OS command injection vulnerability exists in XWEB Pro version 1.1 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-24445 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: EV Energy
CVE-2026-23702 (An OS command injection vulnerability exists in XWEB Pro version 1.12 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-22890 (Charging station authentication identifiers are publicly accessible vi ...)
- TODO: check
+ NOT-FOR-US: EV2GO
CVE-2026-22878 (Charging station authentication identifiers are publicly accessible vi ...)
- TODO: check
+ NOT-FOR-US: Mobility46
CVE-2026-22877 (An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-22207 (OpenViking through version 0.1.18, prior to commit0251c70,contains a b ...)
- TODO: check
+ NOT-FOR-US: OpenViking
CVE-2026-22206 (SPIP versions prior to 4.4.10 contain a SQL injection vulnerability th ...)
- spip <unfixed>
NOTE: https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-10.html
@@ -393,27 +393,27 @@ CVE-2026-20910 (An OS command injection vulnerability exists in XWEB Pro versio
CVE-2026-20902 (An OS command injection vulnerability exists in XWEB Pro version 1 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-20895 (The WebSocket backend uses charging station identifiers to uniquely a ...)
- TODO: check
+ NOT-FOR-US: EV2GO
CVE-2026-20797 (A stack based buffer overflow exists in an API route of XWEB Pro versi ...)
NOT-FOR-US: XWEB Pro
CVE-2026-20792 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: Chargemap
CVE-2026-20791 (Charging station authentication identifiers are publicly accessible vi ...)
- TODO: check
+ NOT-FOR-US: Chargemap
CVE-2026-20781 (WebSocket endpoints lack proper authentication mechanisms, enabling a ...)
- TODO: check
+ NOT-FOR-US: CloudCharge
CVE-2026-20764 (An OS command injection vulnerability exists in XWEB Pro version 1.12 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-20742 (An OS command injection vulnerability exists in XWEB Pro version 1.1 ...)
NOT-FOR-US: XWEB Pro
CVE-2026-20733 (Charging station authentication identifiers are publicly accessible vi ...)
- TODO: check
+ NOT-FOR-US: CloudCharge
CVE-2026-1585 (An unquoted Windows service executable path vulnerability in IJ Scan U ...)
NOT-FOR-US: Canon
CVE-2026-1558 (The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure ...)
NOT-FOR-US: WordPress plugin
CVE-2026-1442 (Since the encryption algorithm used to protect firmware updates is its ...)
- TODO: check
+ NOT-FOR-US: Unitree
CVE-2025-15567 (Insufficient protection mechanisms in the Health Module may lead to pa ...)
TODO: check
CVE-2025-15509 (TheSmartRemote module has insufficient restrictions on loading URLs, w ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6833516600672242540c684ca11a3b3bc64de942
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6833516600672242540c684ca11a3b3bc64de942
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260227/0423d310/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list