[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jan 8 20:13:18 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ecf200d9 by security tracker role at 2026-01-08T20:13:12+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,297 @@
+CVE-2026-22587 (Ideagen DevonWay contains a stored cross site scripting vulnerability. ...)
+	TODO: check
+CVE-2026-22522 (Missing Authorization vulnerability in Munir Kamal Block Slider allows ...)
+	TODO: check
+CVE-2026-22521 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2026-22519 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2026-22518 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2026-22517 (Missing Authorization vulnerability in Passionate Brains GA4WP: Google ...)
+	TODO: check
+CVE-2026-22492 (Missing Authorization vulnerability in Nawawi Jamili Docket Cache allo ...)
+	TODO: check
+CVE-2026-22490 (Missing Authorization vulnerability in niklaslindemann Bulk Landing Pa ...)
+	TODO: check
+CVE-2026-22489 (Authorization Bypass Through User-Controlled Key vulnerability in Wpte ...)
+	TODO: check
+CVE-2026-22488 (Missing Authorization vulnerability in IdeaBox Creations Dashboard Wel ...)
+	TODO: check
+CVE-2026-22487 (Missing Authorization vulnerability in baqend Speed Kit allows Exploit ...)
+	TODO: check
+CVE-2026-22486 (Missing Authorization vulnerability in Hakob Re Gallery & Responsive P ...)
+	TODO: check
+CVE-2026-22257 (Salvo is a Rust web backend framework. Prior to version 0.88.1, the fu ...)
+	TODO: check
+CVE-2026-22256 (Salvo is a Rust web backend framework. Prior to version 0.88.1, the fu ...)
+	TODO: check
+CVE-2026-22255 (iccDEV provides a set of libraries and tools that allow for the intera ...)
+	TODO: check
+CVE-2026-22253 (Soft Serve is a self-hostable Git server for the command line. Prior t ...)
+	TODO: check
+CVE-2026-22246 (Mastodon is a free, open-source social network server based on Activit ...)
+	TODO: check
+CVE-2026-22245 (Mastodon is a free, open-source social network server based on Activit ...)
+	TODO: check
+CVE-2026-22244 (OpenMetadata is a unified metadata platform. Versions prior to 1.11.4  ...)
+	TODO: check
+CVE-2026-22242 (CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4. ...)
+	TODO: check
+CVE-2026-22241 (The Open eClass platform (formerly known as GUnet eClass) is a complet ...)
+	TODO: check
+CVE-2026-22235 (OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit  ...)
+	TODO: check
+CVE-2026-22234 (OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated a ...)
+	TODO: check
+CVE-2026-22233 (OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript ...)
+	TODO: check
+CVE-2026-22232 (OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript ...)
+	TODO: check
+CVE-2026-22231 (OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript ...)
+	TODO: check
+CVE-2026-22230 (OPEXUS eCASE Audit allows an authenticated attacker to modify client-s ...)
+	TODO: check
+CVE-2026-22043 (RustFS is a distributed object storage system built in Rust. In versio ...)
+	TODO: check
+CVE-2026-22042 (RustFS is a distributed object storage system built in Rust. Prior to  ...)
+	TODO: check
+CVE-2026-22041 (Logging Redactor is a Python library designed to redact sensitive data ...)
+	TODO: check
+CVE-2026-22034 (Snuffleupagus is a module that raises the cost of attacks against webs ...)
+	TODO: check
+CVE-2026-22032 (Directus is a real-time API and App dashboard for managing SQL databas ...)
+	TODO: check
+CVE-2026-22028 (Preact, a lightweight web development framework, JSON serialization pr ...)
+	TODO: check
+CVE-2026-21896 (Kirby is an open-source content management system. From versions 5.0.0 ...)
+	TODO: check
+CVE-2026-21895 (The `rsa` crate is an RSA implementation written in rust. Prior to ver ...)
+	TODO: check
+CVE-2026-21894 (n8n is an open source workflow automation platform. In versions from 0 ...)
+	TODO: check
+CVE-2026-21892 (Parsl is a Python parallel scripting library. A SQL Injection vulnerab ...)
+	TODO: check
+CVE-2026-21891 (ZimaOS is a fork of CasaOS, an operating system for Zima devices and x ...)
+	TODO: check
+CVE-2026-21885 (Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Min ...)
+	TODO: check
+CVE-2026-21876 (The OWASP core rule set (CRS) is a set of generic attack detection rul ...)
+	TODO: check
+CVE-2026-21874 (NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1 ...)
+	TODO: check
+CVE-2026-21873 (NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, ...)
+	TODO: check
+CVE-2026-21872 (NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, ...)
+	TODO: check
+CVE-2026-21871 (NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, ...)
+	TODO: check
+CVE-2026-21860 (Werkzeug is a comprehensive WSGI web application library. Prior to ver ...)
+	TODO: check
+CVE-2026-21639 (A malicious actor in Wi-Fi range of the affected product could leverag ...)
+	TODO: check
+CVE-2026-21638 (A malicious actor in Wi-Fi range of the affected product could leverag ...)
+	TODO: check
+CVE-2026-0747 (Exposure of sensitive information in the TeamViewer entry dashboard co ...)
+	TODO: check
+CVE-2026-0719 (A flaw was found in libsoup's NTLM (NT LAN Manager) authentication mod ...)
+	TODO: check
+CVE-2026-0701 (A vulnerability was identified in code-projects Intern Membership Mana ...)
+	TODO: check
+CVE-2026-0676 (Missing Authorization vulnerability in G5Theme Zorka zorka allows Expl ...)
+	TODO: check
+CVE-2026-0675 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
+	TODO: check
+CVE-2026-0674 (Missing Authorization vulnerability in Campaign Monitor Campaign Monit ...)
+	TODO: check
+CVE-2026-0671 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+	TODO: check
+CVE-2025-8307 (Asseco InfoMedica is a comprehensive solution used to manage both admi ...)
+	TODO: check
+CVE-2025-8306 (Asseco InfoMedica is a comprehensive solution used to manage both admi ...)
+	TODO: check
+CVE-2025-69260 (A message out-of-bounds read vulnerability in Trend Micro Apex Central ...)
+	TODO: check
+CVE-2025-69259 (A message unchecked NULL return value vulnerability in Trend Micro Ape ...)
+	TODO: check
+CVE-2025-69258 (A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow  ...)
+	TODO: check
+CVE-2025-69169 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Bas ...)
+	TODO: check
+CVE-2025-68892 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68891 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68890 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68889 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68887 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68875 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68874 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68873 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68867 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-68715 (An issue was discovered in Panda Wireless PWRU0 devices with firmware  ...)
+	TODO: check
+CVE-2025-68158 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
+	TODO: check
+CVE-2025-68151 (CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0,  ...)
+	TODO: check
+CVE-2025-67937 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-67936 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-67935 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-67934 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-67933 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-67932 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-67931 (Insertion of Sensitive Information Into Sent Data vulnerability in AIT ...)
+	TODO: check
+CVE-2025-67930 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-67928 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+	TODO: check
+CVE-2025-67927 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-67926 (Missing Authorization vulnerability in Shahjahan Jewel Fluent Support  ...)
+	TODO: check
+CVE-2025-67925 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-67924 (Unrestricted Upload of File with Dangerous Type vulnerability in zozot ...)
+	TODO: check
+CVE-2025-67922 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-67921 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+	TODO: check
+CVE-2025-67920 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-67919 (Authorization Bypass Through User-Controlled Key vulnerability in Woff ...)
+	TODO: check
+CVE-2025-67918 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-67917 (Missing Authorization vulnerability in shinetheme Traveler traveler al ...)
+	TODO: check
+CVE-2025-67916 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-67915 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+	TODO: check
+CVE-2025-67914 (Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov  ...)
+	TODO: check
+CVE-2025-67913 (Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cach ...)
+	TODO: check
+CVE-2025-67911 (Deserialization of Untrusted Data vulnerability in Tribulant Software  ...)
+	TODO: check
+CVE-2025-67910 (Unrestricted Upload of File with Dangerous Type vulnerability in conte ...)
+	TODO: check
+CVE-2025-67825 (An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34 ...)
+	TODO: check
+CVE-2025-67325 (Unrestricted file upload in the hotel review feature in QloApps versio ...)
+	TODO: check
+CVE-2025-67091 (An issue in GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerabl ...)
+	TODO: check
+CVE-2025-67090 (The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 ...)
+	TODO: check
+CVE-2025-67089 (A command injection vulnerability exists in the GL-iNet GL-AXT1800 rou ...)
+	TODO: check
+CVE-2025-66916 (The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, i ...)
+	TODO: check
+CVE-2025-66913 (JimuReport thru version 2.1.3 is vulnerable to remote code execution w ...)
+	TODO: check
+CVE-2025-66001 (NeuVector supports login authentication through OpenID Connect. Howeve ...)
+	TODO: check
+CVE-2025-65731 (An issue was discovered in D-Link Router DIR-605L (Hardware version F1 ...)
+	TODO: check
+CVE-2025-65518 (Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Deni ...)
+	TODO: check
+CVE-2025-63611 (Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user- ...)
+	TODO: check
+CVE-2025-62877 (Projects using the SUSE Virtualization (Harvester) environment mayexpo ...)
+	TODO: check
+CVE-2025-61550 (Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValu ...)
+	TODO: check
+CVE-2025-61549 (Cross-Site Scripting (XSS) is present on the LoginID parameter on the  ...)
+	TODO: check
+CVE-2025-61548 (SQL Injection is present on the hfInventoryDistFormID parameter in the ...)
+	TODO: check
+CVE-2025-61547 (Cross-Site Request Forgery (CSRF) is present on all functions in edu B ...)
+	TODO: check
+CVE-2025-61546 (There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice e ...)
+	TODO: check
+CVE-2025-61246 (indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injecti ...)
+	TODO: check
+CVE-2025-59470 (This vulnerability allows a Backup Operator to perform remote code exe ...)
+	TODO: check
+CVE-2025-59469 (This vulnerability allows a Backup or Tape Operator to write files as  ...)
+	TODO: check
+CVE-2025-59468 (This vulnerability allows a Backup Administrator to perform remote cod ...)
+	TODO: check
+CVE-2025-56425 (An issue was discovered in the AppConnector component version 10.10.0. ...)
+	TODO: check
+CVE-2025-56424 (An issue in Insiders Technologies GmbH e-invoice pro before release 1  ...)
+	TODO: check
+CVE-2025-55125 (This vulnerability allows a Backup or Tape Operator to perform remote  ...)
+	TODO: check
+CVE-2025-50334 (An issue in Technitium DNS Server v.13.5 allows a remote attacker to c ...)
+	TODO: check
+CVE-2025-4596 (Asseco ADMX system is used for processing medical records. It allows l ...)
+	TODO: check
+CVE-2025-27004 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-27002 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-23993 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+	TODO: check
+CVE-2025-23504 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+	TODO: check
+CVE-2025-22728 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+	TODO: check
+CVE-2025-22726 (Server-Side Request Forgery (SSRF) vulnerability in _nK nK Themes Help ...)
+	TODO: check
+CVE-2025-22725 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-22715 (Missing Authorization vulnerability in loopus WP Attractive Donations  ...)
+	TODO: check
+CVE-2025-22713 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+	TODO: check
+CVE-2025-22712 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-22708 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-22707 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-22509 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-14984 (The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross ...)
+	TODO: check
+CVE-2025-14431 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-14430 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-14429 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-14360 (Missing Authorization vulnerability in Kaira Blockons blockons allows  ...)
+	TODO: check
+CVE-2025-14359 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-14358 (Missing Authorization vulnerability in sizam REHub Framework rehub-fra ...)
+	TODO: check
+CVE-2025-13504 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-12551 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-12550 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
+CVE-2025-12549 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+	TODO: check
 CVE-2026-22581
 	REJECTED
 CVE-2026-22580
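Review bot: all 147 entries added in this hunk carry only the placeholder `TODO: check`, so the hunk records no triage state yet. Suggest triaging first the handful that describe libraries and servers rather than web applications (CVE-2026-0719 libsoup NTLM, CVE-2026-21860 Werkzeug, CVE-2025-68151 CoreDNS, CVE-2025-68158 Authlib, CVE-2026-21895 the `rsa` crate, CVE-2026-21876 OWASP CRS, CVE-2026-21885 Miniflux), since those are the ones most likely to resolve to a `- <package> <unfixed>` line rather than to `NOT-FOR-US`; the long run of "Missing Authorization" and "Improper Control of Filename for Include/Require Statement in PHP" entries matches the pattern that is closed elsewhere in this file as `NOT-FOR-US: WordPress plugin`.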
@@ -18,7 +312,7 @@ CVE-2026-22187 (Bio-Formats versions up to and including 8.3.0 perform unsafe Ja
 	NOT-FOR-US: Bio-Formats
 CVE-2026-22186 (Bio-Formats versions up to and including 8.3.0 contain an XML External ...)
 	NOT-FOR-US: Bio-Formats
-CVE-2026-22185 (OpenLDAP Lightning Memory-Mapped Database (LMDB) mdb_load contains a h ...)
+CVE-2026-22185 (OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and in ...)
 	- openldap <unfixed>
 	NOTE: https://seclists.org/fulldisclosure/2026/Jan/5
 CVE-2026-22184 (zlib versions up to and including 1.3.1.2 contain a global buffer over ...)
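Review bot: the replacement description for CVE-2026-22185 drops the only mention of the affected tool, `mdb_load`, and the truncated text no longer identifies the bug class (the old wording began "contains a h ..."); since `- openldap <unfixed>` carries no bug reference, suggest adding a NOTE naming mdb_load and the issue so the entry stays searchable, and a `(bug #...)` reference once a Debian bug exists.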
@@ -457,12 +751,12 @@ CVE-2025-12030 (The ACF to REST API plugin for WordPress is vulnerable to Insecu
 	NOT-FOR-US: WordPress plugin
 CVE-2025-11877 (The User Activity Log plugin is vulnerable to a limited options update ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2025-67603 [Add PolicyKit authorization to D-Bus methods]
+CVE-2025-67603 (A Improper Authorization vulnerability in Foomuurillows arbitrary user ...)
 	{DSA-6095-1}
 	- foomuuri 0.31-1
 	NOTE: Fixed by: https://github.com/FoobarOy/foomuuri/commit/5944a428f53a132fc343ff6792b1b7539f1c990e (v0.31)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/01/07/9
-CVE-2025-67858 [Verify interface input parameter on D-Bus methods]
+CVE-2025-67858 (A Improper Neutralization of Argument Delimiters vulnerability in Foom ...)
 	{DSA-6095-1}
 	- foomuuri 0.31-1
 	NOTE: Fixed by: https://github.com/FoobarOy/foomuuri/commit/d1961f420600d133e5f1d3125deb17445e7745ac (v0.31)
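Review bot: the new foomuuri descriptions read "A Improper Authorization vulnerability in Foomuurillows" and "A Improper Neutralization of Argument Delimiters"; that is upstream CNA text pulled in automatically, so not something to hand-edit here, but the bracketed titles being replaced ("Add PolicyKit authorization to D-Bus methods", "Verify interface input parameter on D-Bus methods") were the more precise summary of what each fix does. Suggest keeping them as a NOTE line beside the existing "Fixed by" links, which already point at the corresponding commits.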
@@ -629,19 +923,19 @@ CVE-2025-0980 (Nokia SR Linux is vulnerable to an authentication vulnerability a
 	NOT-FOR-US: Nokia
 CVE-2024-14020 (A weakness has been identified in carboneio carbone up to fbcd349077ad ...)
 	NOT-FOR-US: carboneio carbone
-CVE-2025-15224 [libssh key passphrase bypass without agent set]
+CVE-2025-15224 (When doing SSH-based transfers using either SCP or SFTP, and asked to  ...)
 	- curl 8.18.0-1 (unimportant)
 	NOTE: https://curl.se/docs/CVE-2025-15224.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa (curl-8_18_0)
 	NOTE: Debian builds with libssh2 for SSH backend
-CVE-2025-15079 [libssh global knownhost override]
+CVE-2025-15079 (When doing SSH-based transfers using either SCP or SFTP, and setting t ...)
 	- curl 8.18.0~rc3-1 (unimportant)
 	NOTE: https://curl.se/docs/CVE-2025-15079.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/c92d2e14cfb0db662f958effd2ac86f995cf1b5a (curl-7_58_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479 (rc-8_18_0-3, curl-8_18_0)
 	NOTE: Debian builds with libssh2 for SSH backend
-CVE-2025-14819 [OpenSSL partial chain store policy bypass]
+CVE-2025-14819 (When doing TLS related transfers with reused easy or multi handles and ...)
 	- curl 8.18.0~rc3-1
 	[trixie] - curl <no-dsa> (Minor issue)
 	[bookworm] - curl <no-dsa> (Minor issue)
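Review bot: the bracketed titles being replaced named the component behind the two `(unimportant)` ratings ("libssh key passphrase bypass", "libssh global knownhost override"); the new descriptions say only "SSH-based transfers using either SCP or SFTP", so the NOTE "Debian builds with libssh2 for SSH backend" is now the only line tying the rating to libssh. Suggest that NOTE state explicitly that the affected code is the libssh backend and that Debian's libssh2 build does not contain it. Likewise for CVE-2025-14819 the old title "OpenSSL partial chain store policy bypass" named the TLS backend and feature; with "reused easy or multi handles" as the visible text, the `<no-dsa> (Minor issue)` annotations for trixie and bookworm would benefit from a short NOTE giving that context.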
@@ -649,7 +943,7 @@ CVE-2025-14819 [OpenSSL partial chain store policy bypass]
 	NOTE: https://curl.se/docs/CVE-2025-14819.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/3c16697ebd796f799227be293e8689aec5f8190d (curl-7_87_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d (rc-8_18_0-3, curl-8_18_0)
-CVE-2025-14524 [bearer token leak on cross-protocol redirect]
+CVE-2025-14524 (When an OAuth2 bearer token is used for an HTTP(S) transfer, and that  ...)
 	- curl 8.18.0~rc2-1
 	[trixie] - curl <no-dsa> (Minor issue)
 	[bookworm] - curl <no-dsa> (Minor issue)
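Review bot: the `<no-dsa> (Minor issue)` markers for trixie and bookworm now sit under a description that opens with an OAuth2 bearer token used for an HTTP(S) transfer, while the summary the old bracketed title gave ("bearer token leak on cross-protocol redirect") is gone; suggest the no-dsa annotation state why a credential leak on redirect is rated minor (for example, the redirect conditions required), so the rating can be re-checked without re-reading the upstream advisory.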
@@ -657,13 +951,13 @@ CVE-2025-14524 [bearer token leak on cross-protocol redirect]
 	NOTE: https://curl.se/docs/CVE-2025-14524.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/06c1bea72faabb6fad4b7ef818aafaa336c9a7aa (curl-7_33_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640 (rc-8_18_0-2, curl-8_18_0)
-CVE-2025-14017 [broken TLS options for threaded LDAPS]
+CVE-2025-14017 (When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl ...)
 	- curl 8.18.0~rc2-1 (unimportant)
 	NOTE: https://curl.se/docs/CVE-2025-14017.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/ccba0d10b6baf5c73cae8cf4fb3f29f0f55c5a34 (curl-7_17_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d (rc-8_18_0-1, curl-8_18_0)
 	NOTE: Built with OpenLDAP (only affects the legacy LDAP support)
-CVE-2025-13034 [No QUIC certificate pinning with GnuTLS]
+CVE-2025-13034 (When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedp ...)
 	- curl 8.18.0~rc2-1
 	[trixie] - curl <no-dsa> (Minor issue)
 	[bookworm] - curl <not-affected> (Vulnerable code introduced later)
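Review bot: for CVE-2025-14017 the NOTE "Built with OpenLDAP (only affects the legacy LDAP support)" reads as if Debian's curl is built with the affected backend, yet the entry is rated `(unimportant)`; suggest rewording it to say whether Debian's build uses the legacy LDAP code path the description refers to (multi-threaded LDAPS with libcurl), since "built with OpenLDAP" on its own argues for the opposite rating. For CVE-2025-13034 the old title "No QUIC certificate pinning with GnuTLS" gave the scope that the truncated `CURLOPT_PINNEDPUBLICKEY` text no longer shows, and the bookworm `<not-affected> (Vulnerable code introduced later)` claim is not backed by an "Introduced with:" NOTE within this hunk as the other curl entries here are; worth confirming the entry carries one.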
@@ -874,7 +1168,7 @@ CVE-2026-21439 (badkeys is a tool and library for checking cryptographic public
 	NOT-FOR-US: badkeys
 CVE-2026-21411 (Authentication bypass issue exists in OpenBlocks series versions prior ...)
 	NOT-FOR-US: OpenBlocks IoT DX1
-CVE-2026-0625 (Multiple D-Link DSL gateway devices contain a command injection vulner ...)
+CVE-2026-0625 (Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass a ...)
 	NOT-FOR-US: D-Link
 CVE-2026-0621 (Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 con ...)
 	NOT-FOR-US: Anthropic MCP TypeScript SDK
@@ -13328,7 +13622,7 @@ CVE-2024-2105 (An unauthorised attacker within bluetooth range may use an improp
 	NOT-FOR-US: JBL
 CVE-2024-2104 (Due to improper BLE security configurations on the device's GATT serve ...)
 	NOT-FOR-US: JBL
-CVE-2025-66003
+CVE-2025-66003 (An External Control of File Name or Path vulnerability in smb4k allows ...)
 	{DSA-6092-1}
 	- smb4k 4.0.5-1 (bug #1122381)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/12/10/6
@@ -13337,7 +13631,7 @@ CVE-2025-66003
 	NOTE: Bugfix: https://invent.kde.org/network/smb4k/-/commit/ffc6da7beb1879a968a8181372587ff71f247c1b (4.0.5)
 	NOTE: Bugfix: https://invent.kde.org/network/smb4k/-/commit/55c535cbab6843c88cac033a21e43206b5eefbd0 (4.0.5)
 	NOTE: bugfix: https://invent.kde.org/network/smb4k/-/commit/35f8cf121bfab276b739d4b8a866f8f3cdc0f7d1 (4.0.5)
-CVE-2025-66002
+CVE-2025-66002 (An  Improper Neutralization of Argument Delimiters in a Command ('Argu ...)
 	{DSA-6092-1}
 	- smb4k 4.0.5-1 (bug #1122381)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/12/10/6
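Review bot: style point in the unchanged context: the three smb4k commit references mix "NOTE: Bugfix:" and "NOTE: bugfix:" capitalisation; suggest normalising to one form, or to the "Fixed by:" wording used for the curl and foomuuri entries in this file. The new CVE-2025-66002 description also contains a doubled space ("An  Improper"), which is upstream text and not worth hand-editing.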
@@ -16648,7 +16942,7 @@ CVE-2023-53734 (dawa-pharma-1.0 allows unauthenticated attackers to execute SQL
 	NOT-FOR-US: dawa-pharma-1.0
 CVE-2016-20023 (In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users c ...)
 	TODO: check
-CVE-2025-14025
+CVE-2025-14025 (A flaw was found in Ansible Automation Platform (AAP). Read-only scope ...)
 	NOT-FOR-US: Ansible Automation Platform
 CVE-2025-9127 (A vulnerability exists in PX Enterprise whereby sensitive information  ...)
 	NOT-FOR-US: Pure Storage
@@ -23220,7 +23514,7 @@ CVE-2025-64518 (The CycloneDX core module provides a model representation of the
 CVE-2025-64513 (Milvus is an open-source vector database built for generative AI appli ...)
 	NOT-FOR-US: Milvus
 CVE-2025-64512 (Pdfminer.six is a community maintained fork of the original PDFMiner,  ...)
-	{DSA-6062-1 DLA-4374-1}
+	{DSA-6062-1 DLA-4374-2 DLA-4374-1}
 	- pdfminer <unfixed> (bug #1120642)
 	NOTE: https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
 	NOTE: Fixed by: https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086 (20251107)
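Review bot: the added DLA-4374-2 (the -2 suffix denotes a follow-up advisory to DLA-4374-1) sits next to an unstable entry that is still `- pdfminer <unfixed> (bug #1120642)` despite the "Fixed by" upstream commit (20251107) being known; suggest checking whether whatever prompted the follow-up DLA also affects the pending unstable upload and recording the outcome in a NOTE, so the two fixes do not diverge.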
@@ -26611,7 +26905,7 @@ CVE-2025-58711 (Missing Authorization vulnerability in solwin Blog Designer PRO
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-57227 (An unquoted service path in Kingosoft Technology Ltd Kingo ROOT v1.5.8 ...)
 	NOT-FOR-US: Kingosoft Technology Ltd Kingo ROOT
-CVE-2025-56558 (An issue discovered in Dyson App v6.1.23041-23595 allows unauthenticat ...)
+CVE-2025-56558 (The Dyson MQTT server (2022 and possibly later) allows publications an ...)
 	NOT-FOR-US: Dyson App
 CVE-2025-54384 (CKAN is an open-source DMS (data management system) for powering data  ...)
 	NOT-FOR-US: CKAN
@@ -45946,7 +46240,7 @@ CVE-2025-10200 (Use after free in Serviceworker in Google Chrome on Desktop prio
 	{DSA-5996-1}
 	- chromium 140.0.7339.127-1
 	[bullseye] - chromium <end-of-life> (see #1061268)
-CVE-2025-9086 (1. A cookie is set using the `secure` keyword for `https://target` 2.  ...)
+CVE-2025-9086 (1. A cookie is set using the `secure` keyword for `https://target`   2 ...)
 	{DLA-4432-1}
 	- curl 8.16.0~rc2-1
 	[trixie] - curl 8.14.1-2+deb13u1
@@ -52241,7 +52535,8 @@ CVE-2025-9229 (Information disclosure vulnerability in error handling in MiR sof
 	NOT-FOR-US: MiR software
 CVE-2025-9228 (MiR software versions prior to version 3.0.0 have insufficient authori ...)
 	NOT-FOR-US: MiR software
-CVE-2025-9173 (A weakness has been identified in Emlog Pro up to 2.5.18. This issue a ...)
+CVE-2025-9173
+	REJECTED
 	NOT-FOR-US: Emlog Pro
 CVE-2025-9074 (A vulnerability was identified in Docker Desktop that allows local run ...)
 	NOT-FOR-US: Docker products not packaged in Debian
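Review bot: CVE-2025-9173 is now marked REJECTED but the unchanged `NOT-FOR-US: Emlog Pro` line is kept underneath it; the other REJECTED entries in this file (CVE-2026-22581, CVE-2024-6464) carry only the REJECTED line, so suggest dropping the NOT-FOR-US line for consistency.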
@@ -174871,9 +175166,9 @@ CVE-2024-22277 (VMware Cloud Director Availability contains an HTML injection vu
 	NOT-FOR-US: VMware
 CVE-2024-1574 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe  ...)
 	NOT-FOR-US: Mitsubishi
-CVE-2024-1573 (Improper Authentication vulnerability in the mobile monitoring feature ...)
+CVE-2024-1573 (Missing Authentication for Critical Function vulnerability in the mobi ...)
 	NOT-FOR-US: Mitsubishi
-CVE-2024-1182 (Uncontrolled Search Path Element vulnerability in ICONICS GENESIS64 al ...)
+CVE-2024-1182 (Uncontrolled Search Path Element vulnerability in Mitsubishi Electric  ...)
 	NOT-FOR-US: Mitsubishi
 CVE-2024-6464
 	REJECTED



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ecf200d9844f13a50aae060b103b89b064b2c7b0
