[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Jan 14 10:18:50 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
76d25070 by Moritz Muehlenhoff at 2026-01-14T11:18:30+01:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7,15 +7,15 @@ CVE-2026-22870 (GuardDog is a CLI tool to identify malicious PyPI packages. Prio
CVE-2026-22869 (Eigent is a multi-agent Workforce. A critical security vulnerability i ...)
NOT-FOR-US: Eigent
CVE-2026-22868 (go-ethereum (geth) is a golang execution layer implementation of the E ...)
- TODO: check
+ - golang-github-go-ethereum <itp> (bug #890541)
CVE-2026-22862 (go-ethereum (geth) is a golang execution layer implementation of the E ...)
- TODO: check
+ - golang-github-go-ethereum <itp> (bug #890541)
CVE-2026-22861 (iccDEV provides a set of libraries and tools that allow for the intera ...)
NOT-FOR-US: iccDEV
CVE-2026-22718 (The VSCode extension for Spring CLI are vulnerable to command injectio ...)
NOT-FOR-US: VSCode extension
CVE-2026-22686 (Enclave is a secure JavaScript sandbox designed for safe AI agent code ...)
- TODO: check
+ NOT-FOR-US: Node enclave-vm
CVE-2026-21308 (Substance3D - Designer versions 15.0.3 and earlier are affected by an ...)
NOT-FOR-US: Adobe
CVE-2026-21307 (Substance3D - Designer versions 15.0.3 and earlier are affected by an ...)
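Review bot: The commit subject "NFUs" does not cover the two go-ethereum entries in this hunk (CVE-2026-22868 and CVE-2026-22862). They are recorded as `- golang-github-go-ethereum <itp> (bug #890541)`, which is a package reference against an ITP and not a NOT-FOR-US marking. Suggest a subject that names both kinds of change, so the triage of the geth CVEs can be found from the log. Only CVE-2026-22686 in this hunk is an actual NFU.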
@@ -187,47 +187,47 @@ CVE-2025-12051 (The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT f
CVE-2025-12050 (The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to ...)
NOT-FOR-US: Insyde
CVE-2023-54341 (Webgrind 1.1 and before contains a reflected cross-site scripting vuln ...)
- TODO: check
+ NOT-FOR-US: Webgrind
CVE-2023-54340 (WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows ...)
- TODO: check
+ NOT-FOR-US: WorkOrder CMS
CVE-2023-54339 (Webgrind 1.1 contains a remote command execution vulnerability that al ...)
- TODO: check
+ NOT-FOR-US: Webgrind
CVE-2023-54338 (Tftpd32 SE 4.60 contains an unquoted service path vulnerability that a ...)
- TODO: check
+ NOT-FOR-US: Tftpd32
CVE-2023-54337 (Sysax Multi Server 6.95 contains a denial of service vulnerability in ...)
- TODO: check
+ NOT-FOR-US: Sysax Multi Server
CVE-2023-54336 (Mediconta 3.7.27 contains an unquoted service path vulnerability in th ...)
- TODO: check
+ NOT-FOR-US: Mediconta
CVE-2023-54335 (eXtplorer 2.1.14 contains an authentication bypass vulnerability that ...)
- TODO: check
+ - extplorer <removed>
CVE-2023-54334 (Explorer32++ 1.3.5.531 contains a buffer overflow vulnerability in Str ...)
- TODO: check
+ NOT-FOR-US: Explorer32++
CVE-2023-54333 (Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerabi ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2023-54332 (Jetpack 11.4 contains a cross-site scripting vulnerability in the cont ...)
- TODO: check
+ NOT-FOR-US: Jetpack
CVE-2023-54331 (Outline 1.6.0 contains an unquoted service path vulnerability that all ...)
- TODO: check
+ NOT-FOR-US: Outline
CVE-2023-54330 (Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based b ...)
- TODO: check
+ NOT-FOR-US: Inbit Messenger
CVE-2023-54329 (Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vuln ...)
- TODO: check
+ NOT-FOR-US: Inbit Messenger
CVE-2023-54328 (AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulne ...)
- TODO: check
+ NOT-FOR-US: AimOne Video Converter
CVE-2023-53985 (Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross ...)
- TODO: check
+ NOT-FOR-US: Zippy CRM
CVE-2023-53984 (Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulne ...)
- TODO: check
+ NOT-FOR-US: Clevo HotKey Clipboard
CVE-2022-50939 (e107 CMS version 3.2.1 contains a critical file upload vulnerability t ...)
- TODO: check
+ NOT-FOR-US: e107 CMS
CVE-2022-50938 (CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerabili ...)
- TODO: check
+ NOT-FOR-US: CONTPAQi AdminPAQ
CVE-2022-50937 (Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerabi ...)
- TODO: check
+ NOT-FOR-US: Ametys CMS
CVE-2022-50936 (WBCE CMS version 1.5.2 contains an authenticated remote code execution ...)
- TODO: check
+ NOT-FOR-US: WBCE CMS
CVE-2022-50935 (Flame II HSPA USB Modem contains an unquoted service path vulnerabilit ...)
- TODO: check
+ NOT-FOR-US: Flame II HSPA USB Modem
CVE-2022-50934 (Wing FTP Server versions 4.3.8 and below contain an authenticated remo ...)
TODO: check
CVE-2022-50933 (Cain & Abel 4.9.56 contains an unquoted service path vulnerability tha ...)
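Review bot: CVE-2023-54333 is labelled `NOT-FOR-US: WordPress plugin`, a generic category, where every other NOT-FOR-US line in this hunk names the product (Webgrind, Jetpack, e107 CMS and so on). Suggest putting the product name from the description into the label, for example `NOT-FOR-US: Social-Share-Buttons WordPress plugin`, so a later search on the product finds the entry. Separately, the trailing context shows CVE-2022-50934 (Wing FTP Server) still at `TODO: check` directly after the last triaged entry; worth confirming that it was left open on purpose.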
@@ -680,7 +680,7 @@ CVE-2026-0404 (An insufficient input validation vulnerability in NETGEAR Orbi de
CVE-2026-0403 (An insufficient input validation vulnerability in NETGEAR Orbi routers ...)
NOT-FOR-US: Netgear
CVE-2026-0386 (Improper access control in Windows Deployment Services allows an unaut ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2025-9435 (Zohocorp ManageEngine ADManager Plus versions below7230are vulnerable ...)
NOT-FOR-US: Zoho
CVE-2025-9427 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76d250705d3a1c9e540eb6338d7c1b43651a876f