[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jan 15 20:50:38 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2142cc44 by Salvatore Bonaccorso at 2026-01-15T21:49:59+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5,11 +5,11 @@ CVE-2026-23746 (Entrust Instant Financial Issuance (IFI) On Premise software (fo
 CVE-2026-23622 (Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and ...)
 	NOT-FOR-US: Easy!Appointments
 CVE-2026-23527 (H3 is a minimal H(TTP) framework built for high performance and portab ...)
-	TODO: check
+	NOT-FOR-US: H3
 CVE-2026-23520 (Arcane provides modern docker management. Prior to 1.13.0, Arcane has  ...)
-	TODO: check
+	NOT-FOR-US: Arcane
 CVE-2026-23519 (RustCrypto CMOV provides conditional move CPU intrinsics which are gua ...)
-	TODO: check
+	NOT-FOR-US: RustCrypto CMOV
 CVE-2026-23511 (ZITADEL is an open source identity management platform. Prior to 4.9.1 ...)
 	NOT-FOR-US: Zitadel
 CVE-2026-23496 (Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases t ...)
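Review bot: The tags on CVE-2026-23527 (H3) and CVE-2026-23519 (RustCrypto CMOV) mark libraries rather than standalone applications, so NOT-FOR-US only holds if no source package in the archive embeds or vendors them. The visible lines carry no NOTE recording that this was checked; confirming it before the entries leave the "TODO: check" queue would avoid having to reopen them later.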
@@ -51,11 +51,11 @@ CVE-2026-22907 (An attacker may gain unauthorized access to the host filesystem,
 CVE-2026-22867 (LaSuite Doc is a collaborative note taking, wiki and documentation pla ...)
 	NOT-FOR-US: LaSuite Doc
 CVE-2026-22803 (SvelteKit is a framework for rapidly developing robust, performant web ...)
-	TODO: check
+	NOT-FOR-US: SvelteKit
 CVE-2026-22775 (Svelte devalue is a JavaScript library that serializes values into str ...)
-	TODO: check
+	NOT-FOR-US: Svelte devalue
 CVE-2026-22774 (Svelte devalue is a JavaScript library that serializes values into str ...)
-	TODO: check
+	NOT-FOR-US: Svelte devalue
 CVE-2026-22646 (Certain error messages returned by the application expose internal sys ...)
 	NOT-FOR-US: SICK AG
 CVE-2026-22645 (The application discloses all used components, versions and license in ...)
@@ -77,9 +77,9 @@ CVE-2026-22638 (A cross-site scripting (XSS) vulnerability exists in Grafana cau
 CVE-2026-22637 (The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. ...)
 	NOT-FOR-US: SICK AG
 CVE-2026-22265 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
-	TODO: check
+	NOT-FOR-US: Roxy-WI
 CVE-2026-22249 (Docmost is an open-source collaborative wiki and documentation softwar ...)
-	TODO: check
+	NOT-FOR-US: Docmost
 CVE-2026-20076 (A vulnerability in the web-based management interface of Cisco Identit ...)
 	NOT-FOR-US: Cisco
 CVE-2026-20075 (A vulnerability in the web-based management interface of Cisco Evolved ...)
@@ -136,41 +136,41 @@ CVE-2025-70299 (A heap overflow in the avi_parse_input_file() function of GPAC v
 CVE-2025-70298 (GPAC v2.4.0 was discovered to contain an out-of-bounds read in the ogg ...)
 	TODO: check
 CVE-2025-67647 (SvelteKit is a framework for rapidly developing robust, performant web ...)
-	TODO: check
+	NOT-FOR-US: SvelteKit
 CVE-2025-67246 (A local information disclosure vulnerability exists in the Ludashi dri ...)
-	TODO: check
+	NOT-FOR-US: Ludashi
 CVE-2025-67084 (File upload vulnerability in InvoicePlane through 1.6.3 allows authent ...)
-	TODO: check
+	NOT-FOR-US: InvoicePlane
 CVE-2025-67083 (Directory traversal vulnerability in InvoicePlane through 1.6.3 allows ...)
-	TODO: check
+	NOT-FOR-US: InvoicePlane
 CVE-2025-67082 (An SQL injection vulnerability in InvoicePlane through 1.6.3 has been  ...)
-	TODO: check
+	NOT-FOR-US: InvoicePlane
 CVE-2025-67081 (An SQL injection vulnerability in Itflow through 25.06 has been identi ...)
-	TODO: check
+	NOT-FOR-US: Itflow
 CVE-2025-67079 (File upload vulnerability in Omnispace Agora Project before 25.10 allo ...)
-	TODO: check
+	NOT-FOR-US: Omnispace Agora Project
 CVE-2025-67078 (Cross site scripting (XSS) vulnerability in Omnispace Agora Project be ...)
-	TODO: check
+	NOT-FOR-US: Omnispace Agora Project
 CVE-2025-67077 (File upload vulnerability in Omnispace Agora Project before 25.10 allo ...)
-	TODO: check
+	NOT-FOR-US: Omnispace Agora Project
 CVE-2025-67076 (Directory traversal vulnerability in Omnispace Agora Project before 25 ...)
-	TODO: check
+	NOT-FOR-US: Omnispace Agora Project
 CVE-2025-66417 (GLPI is a free asset and IT management software package. From 11.0.0,  ...)
 	TODO: check
 CVE-2025-66292 (DPanel is an open source server management panel written in Go. Prior  ...)
-	TODO: check
+	NOT-FOR-US: Dpanel
 CVE-2025-65349 (A Stored Cross-Site Scripting (XSS) vulnerability in Web management in ...)
-	TODO: check
+	NOT-FOR-US: Each Italy Wireless Mini Router WIRELESS-N 300M
 CVE-2025-64516 (GLPI is a free asset and IT management software package. Prior to 10.0 ...)
 	TODO: check
 CVE-2025-62193 (Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to rem ...)
-	TODO: check
+	NOT-FOR-US: NOAA PMEL Live Access Server (LAS)
 CVE-2025-61973 (A local privilege escalation vulnerability exists during the installat ...)
 	TODO: check
 CVE-2025-36911 (In key-based pairing, there is a possible ID due to a logic error in t ...)
 	NOT-FOR-US: Google devices
 CVE-2025-15265 (An SSR XSS exists in async hydration when attacker\u2011controlled key ...)
-	TODO: check
+	NOT-FOR-US: Svelte
 CVE-2025-13859 (The AffiliateX \u2013 Amazon Affiliate Plugin plugin for WordPress is  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-13845 (CWE-416: Use After Free vulnerability that could cause remote code exe ...)
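Review bot: On CVE-2025-66292 the tag reads "NOT-FOR-US: Dpanel" while the description spells the product "DPanel"; matching the upstream casing keeps the tag consistent if further CVEs for the same product arrive. On CVE-2025-15265 the tag "Svelte" cannot be checked against the truncated description shown here, which names no product, and the other entries in this commit use "SvelteKit" and "Svelte devalue", so it is worth confirming which of the three is meant.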
@@ -182,65 +182,65 @@ CVE-2025-13062 (The Supreme Modules Lite plugin for WordPress is vulnerable to a
 CVE-2025-12895 (The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPr ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-48077 (An issue in nanomq v0.22.7 allows attackers to cause a Denial of Servi ...)
-	TODO: check
+	NOT-FOR-US: NanoMQ
 CVE-2021-47843 (Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability tha ...)
-	TODO: check
+	NOT-FOR-US: Tagstoo
 CVE-2021-47819 (ProjeQtOr Project Management 9.1.4 contains a file upload vulnerabilit ...)
-	TODO: check
+	NOT-FOR-US: ProjeQtOr Project Management
 CVE-2021-47799 (Visual Tools DVR VX16 version 4.2.28 contains a local privilege escala ...)
-	TODO: check
+	NOT-FOR-US: Visual Tools DVR VX16
 CVE-2021-47784 (Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability ...)
-	TODO: check
+	NOT-FOR-US: Cyberfox Web Browser
 CVE-2021-47781 (Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability ...)
-	TODO: check
+	NOT-FOR-US: Cmder Console Emulator
 CVE-2021-47777 (Build Smart ERP 21.0817 contains an unauthenticated SQL injection vuln ...)
-	TODO: check
+	NOT-FOR-US: Build Smart ERP
 CVE-2021-47776 (Umbraco CMS v8.14.1 contains a server-side request forgery vulnerabili ...)
 	NOT-FOR-US: Umbraco CMS
 CVE-2021-47775 (YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1  ...)
-	TODO: check
+	NOT-FOR-US: YouTube Video Grabber
 CVE-2021-47774 (Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in ...)
-	TODO: check
+	NOT-FOR-US: Kingdia CD Extractor
 CVE-2021-47773 (Dynojet Power Core 2.3.0 contains an unquoted service path vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Dynojet Power Core
 CVE-2021-47772 (10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overfl ...)
-	TODO: check
+	NOT-FOR-US: 10-Strike Network Inventory Explorer Pro
 CVE-2021-47771 (RDP Manager 4.9.9.3 contains a denial of service vulnerability in conn ...)
-	TODO: check
+	NOT-FOR-US: RDP Manager
 CVE-2021-47769 (Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vu ...)
-	TODO: check
+	NOT-FOR-US: Isshue Shopping Cart
 CVE-2021-47768 (ImportExportTools NG 10.0.4 contains a persistent HTML injection vulne ...)
-	TODO: check
+	NOT-FOR-US: ImportExportTools NG
 CVE-2021-47767 (10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted ser ...)
-	TODO: check
+	NOT-FOR-US: 10-Strike Network Inventory Explorer Pro
 CVE-2021-47766 (Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerabilit ...)
 	TODO: check
 CVE-2021-47765 (AbsoluteTelnet 11.24 contains a denial of service vulnerability that a ...)
-	TODO: check
+	NOT-FOR-US: AbsoluteTelnet
 CVE-2021-47764 (AbsoluteTelnet 11.24 contains a denial of service vulnerability that a ...)
-	TODO: check
+	NOT-FOR-US: AbsoluteTelnet
 CVE-2021-47763 (Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json  ...)
-	TODO: check
+	NOT-FOR-US: Aimeos
 CVE-2021-47762 (HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability t ...)
-	TODO: check
+	NOT-FOR-US: HTTPDebuggerPro
 CVE-2021-47761 (MilleGPG5 5.7.2 contains a local privilege escalation vulnerability th ...)
-	TODO: check
+	NOT-FOR-US: MilleGPG5
 CVE-2021-47760 (TestLink versions 1.16 through 1.19 contain an unauthenticated file do ...)
-	TODO: check
+	NOT-FOR-US: TestLink
 CVE-2021-47759 (MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerabi ...)
-	TODO: check
+	NOT-FOR-US: MTPutty
 CVE-2021-47758 (Chikitsa Patient Management System 2.0.2 contains an authenticated rem ...)
-	TODO: check
+	NOT-FOR-US: Chikitsa Patient Management System
 CVE-2021-47757 (Chikitsa Patient Management System 2.0.2 contains an authenticated rem ...)
-	TODO: check
+	NOT-FOR-US: Chikitsa Patient Management System
 CVE-2021-47755 (Oliver Library Server v5 contains a file download vulnerability that a ...)
-	TODO: check
+	NOT-FOR-US: Oliver Library Server
 CVE-2021-47754 (Arunna 1.0.0 contains a cross-site request forgery vulnerability that  ...)
-	TODO: check
+	NOT-FOR-US: Arunna
 CVE-2021-47753 (phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnera ...)
-	TODO: check
+	NOT-FOR-US: phpKF CMS
 CVE-2021-47752 (AWebServer GhostBuilding 18 contains a denial of service vulnerability ...)
-	TODO: check
+	NOT-FOR-US: AWebServer GhostBuilding
 CVE-2026-22797 [Privilege Escalation via Identity Headers in External OAuth2 Tokens]
 	- python-keystonemiddleware <unfixed>
 	NOTE: https://www.openwall.com/lists/oss-security/2026/01/15/1
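Review bot: CVE-2021-47766 (Kmaleon) stays at "TODO: check" as unchanged context while the CVE-2021-477xx entries on either side of it are all moved to NOT-FOR-US in this hunk; if that is deliberate it is fine, otherwise it looks skipped. Two naming points in the same hunk: CVE-2021-47775 is tagged "YouTube Video Grabber" although the description says the product is now referred to as YouTube Downloader, and CVE-2024-48077 is tagged "NanoMQ" where the description writes "nanomq".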



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2142cc44eed15f0b8f19da25da2649cbcff47101
