[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Jan 16 20:14:28 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8005eb53 by security tracker role at 2026-01-16T20:14:02+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,178 @@
-CVE-2025-60021
+CVE-2026-23731 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, Th ...)
+ TODO: check
+CVE-2026-23730 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an ...)
+ TODO: check
+CVE-2026-23729 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an ...)
+ TODO: check
+CVE-2026-23728 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an ...)
+ TODO: check
+CVE-2026-23727 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an ...)
+ TODO: check
+CVE-2026-23726 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, An ...)
+ TODO: check
+CVE-2026-23725 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a ...)
+ TODO: check
+CVE-2026-23724 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a ...)
+ TODO: check
+CVE-2026-23723 (WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an ...)
+ TODO: check
+CVE-2026-23722 (WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a ...)
+ TODO: check
+CVE-2026-23645 (SiYuan is self-hosted, open source personal knowledge management softw ...)
+ TODO: check
+CVE-2026-23634 (Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to ...)
+ TODO: check
+CVE-2026-23535 (wlc is a Weblate command-line client using Weblate's REST API. Prior t ...)
+ TODO: check
+CVE-2026-23529 (Kafka Connect BigQuery Connector is an implementation of a sink connec ...)
+ TODO: check
+CVE-2026-23528 (Dask distributed is a distributed task scheduler for Dask. Prior to 20 ...)
+ TODO: check
+CVE-2026-23523 (Dive is an open-source MCP Host Desktop Application that enables integ ...)
+ TODO: check
+CVE-2026-23490 (pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial ...)
+ TODO: check
+CVE-2026-22876 (Path Traversal vulnerability exists in multiple Network Cameras TRIFOR ...)
+ TODO: check
+CVE-2026-22782 (RustFS is a distributed object storage system built in Rust. From >= 1 ...)
+ TODO: check
+CVE-2026-21625 (User provided uploads to the Easy Discuss component for Joomla aren't ...)
+ TODO: check
+CVE-2026-21624 (Lack of input filterung leads to a persistent XSS vulnerability in the ...)
+ TODO: check
+CVE-2026-21623 (Lack of input filterung leads to a persistent XSS vulnerability in the ...)
+ TODO: check
+CVE-2026-20894 (Cross-site scripting vulnerability exists in multiple Network Cameras ...)
+ TODO: check
+CVE-2026-20759 (OS Command Injection vulnerability exists in multiple Network Cameras ...)
+ TODO: check
+CVE-2026-1004 (The Essential Addons for Elementor plugin for WordPress is vulnerable ...)
+ TODO: check
+CVE-2026-0949 (PEM versions prior to 9.8.1 are affected by a stored Cross-site Script ...)
+ TODO: check
+CVE-2026-0913 (The User Submitted Posts \u2013 Enable Users to Submit Posts from the ...)
+ TODO: check
+CVE-2026-0823
+ REJECTED
+CVE-2026-0696 (In ConnectWise PSA versions older than 2026.1, certain session cookies ...)
+ TODO: check
+CVE-2026-0695 (In ConnectWise PSA versions older than 2026.1, Time Entry notes stored ...)
+ TODO: check
+CVE-2026-0629 (Authentication bypass in the password recovery feature of the local we ...)
+ TODO: check
+CVE-2026-0616 (TheLibrarians web_fetch tool can be used to retrieve the Adminer inter ...)
+ TODO: check
+CVE-2026-0615 (The Librarian `supervisord` status page can be retrieved by the `web_f ...)
+ TODO: check
+CVE-2026-0613 (The Librarian contains an internal port scanning vulnerability, facili ...)
+ TODO: check
+CVE-2026-0612 (The Librarian contains a information leakage vulnerability through the ...)
+ TODO: check
+CVE-2025-71020 (Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in t ...)
+ TODO: check
+CVE-2025-70746 (Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in t ...)
+ TODO: check
+CVE-2025-69581 (An issue was discovered in Chamillo LMS 1.11.2. The Social Network /pe ...)
+ TODO: check
+CVE-2025-68924 (In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can ...)
+ TODO: check
+CVE-2025-68921 (SteelSeries Nahimic 3 1.10.7 allows Directory traversal.)
+ TODO: check
+CVE-2025-59870 (HCL MyXalytics v6.7 is affected by improper management of a static JWT ...)
+ TODO: check
+CVE-2025-48647 (In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, t ...)
+ TODO: check
+CVE-2025-43508 (A logging issue was addressed with improved data redaction. This issue ...)
+ TODO: check
+CVE-2025-31186 (A permissions issue was addressed with additional restrictions. This i ...)
+ TODO: check
+CVE-2025-29943 (Write what were condition within AMD CPUs may allow an admin-privilege ...)
+ TODO: check
+CVE-2025-24090 (A permissions issue was addressed with additional restrictions. This i ...)
+ TODO: check
+CVE-2025-24089 (A permissions issue was addressed with additional restrictions. This i ...)
+ TODO: check
+CVE-2025-15104 (Nu Html Checker (validator.nu) contains a restriction bypass that allo ...)
+ TODO: check
+CVE-2025-15032 (Missing about:blank indicator in custom-sized new windows in Dia befor ...)
+ TODO: check
+CVE-2025-14894 (Livewire Filemanager, commonly used in Laravel applications, contains ...)
+ TODO: check
+CVE-2025-14844 (The Membership Plugin \u2013 Restrict Content plugin for WordPress is ...)
+ TODO: check
+CVE-2025-14822 (Mattermost versions 10.11.x <= 10.11.8 fail to validate input size bef ...)
+ TODO: check
+CVE-2025-14757 (The Cost Calculator Builder plugin for WordPress is vulnerable to Unau ...)
+ TODO: check
+CVE-2025-14510 (Incorrect Implementation of Authentication Algorithm vulnerability in ...)
+ TODO: check
+CVE-2025-14435 (Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11 ...)
+ TODO: check
+CVE-2025-12007 (There is a vulnerability in the Supermicro BMC firmware validation log ...)
+ TODO: check
+CVE-2025-12006 (There is a vulnerability in the Supermicro BMC firmware validation log ...)
+ TODO: check
+CVE-2024-54556 (This issue was addressed through improved state management. This issue ...)
+ TODO: check
+CVE-2024-44238 (The issue was addressed with improved bounds checks. This issue is fix ...)
+ TODO: check
+CVE-2024-44210 (This issue was addressed with improved permissions checking. This issu ...)
+ TODO: check
+CVE-2021-47847 (Disk Sorter Server 13.6.12 contains an unquoted service path vulnerabi ...)
+ TODO: check
+CVE-2021-47845 (Spy Emergency 25.0.650 contains an unquoted service path vulnerability ...)
+ TODO: check
+CVE-2021-47844 (Xmind 2020 contains a cross-site scripting vulnerability that allows a ...)
+ TODO: check
+CVE-2021-47842 (StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability ...)
+ TODO: check
+CVE-2021-47841 (SnipCommand 0.1.0 contains a cross-site scripting vulnerability that a ...)
+ TODO: check
+CVE-2021-47840 (Moeditor 0.2.0 contains a persistent cross-site scripting vulnerabilit ...)
+ TODO: check
+CVE-2021-47839 (Marky 0.0.1 contains a persistent cross-site scripting vulnerability t ...)
+ TODO: check
+CVE-2021-47838 (Markright 1.0 contains a persistent cross-site scripting vulnerability ...)
+ TODO: check
+CVE-2021-47837 (Markdownify 1.2.0 contains a persistent cross-site scripting vulnerabi ...)
+ TODO: check
+CVE-2021-47836 (Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability ...)
+ TODO: check
+CVE-2021-47835 (Freeter 1.2.1 contains a persistent cross-site scripting vulnerability ...)
+ TODO: check
+CVE-2021-47834 (Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerab ...)
+ TODO: check
+CVE-2021-47833 (WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in ...)
+ TODO: check
+CVE-2021-47832 (Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability i ...)
+ TODO: check
+CVE-2021-47831 (Sandboxie 5.49.7 contains a denial of service vulnerability that allow ...)
+ TODO: check
+CVE-2021-47829 (DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerabil ...)
+ TODO: check
+CVE-2021-47828 (BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability ...)
+ TODO: check
+CVE-2021-47827 (WebSSH for iOS 14.16.10 contains a denial of service vulnerability in ...)
+ TODO: check
+CVE-2021-47826 (Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnera ...)
+ TODO: check
+CVE-2021-47825 (Acer Updater Service 1.2.3500.0 contains an unquoted service path vuln ...)
+ TODO: check
+CVE-2021-47824 (iDailyDiary 4.30 contains a denial of service vulnerability that allow ...)
+ TODO: check
+CVE-2021-47823 (Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerabil ...)
+ TODO: check
+CVE-2021-47822 (DiskBoss Service 12.2.18 contains an unquoted service path vulnerabili ...)
+ TODO: check
+CVE-2021-47821 (RarmaRadio 2.72.8 contains a denial of service vulnerability that allo ...)
+ TODO: check
+CVE-2021-47820 (Ubee EVW327 contains a cross-site request forgery vulnerability that a ...)
+ TODO: check
+CVE-2021-47818 (DupTerminator 1.4.5639.37199 contains a denial of service vulnerabilit ...)
+ TODO: check
+CVE-2021-47816 (Thecus N4800Eco NAS Server Control Panel contains a command injection ...)
+ TODO: check
+CVE-2025-60021 (Remote command injection vulnerability in heap profiler builtin servic ...)
- brpc <itp> (bug #1060006)
CVE-2025-15497
- openvpn 2.7.0~rc5-1
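Review bot: the one substantive change in this hunk is that CVE-2025-60021 moves from a bare `-CVE-2025-60021` header to `+CVE-2025-60021 (Remote command injection vulnerability in heap profiler builtin servic ...)` while its existing ` - brpc <itp> (bug #1060006)` line is untouched; the now-visible description should be checked against the brpc ITP to confirm the assignment still holds. Every other added line is a new entry carrying the automatic ` TODO: check` placeholder (CVE-2026-0823 arrives as ` REJECTED`). For triage order, the library entries are the ones least likely to end up as NOT-FOR-US, notably CVE-2026-23490 (pyasn1), CVE-2026-23528 (Dask distributed) and CVE-2026-23535 (wlc), whereas the network-camera, WordPress-plugin and unquoted-service-path entries match the pattern that receives `NOT-FOR-US` elsewhere in this same diff.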
@@ -323,9 +497,9 @@ CVE-2025-61728 [archive/zip: denial of service when parsing arbitrary ZIP archiv
NOTE: https://github.com/golang/go/issues/77102
NOTE: Fixed by: https://github.com/golang/go/commit/9d497df196d66553ae844c22a53fb86cd422e80c (go1.25.6)
NOTE: Fixed by: https://github.com/golang/go/commit/3235ef3db85c2d7e797b976822a7addaf6d5ca2a (go1.24.12)
-CVE-2025-68675
+CVE-2025-68675 (In Apache Airflow versions before 3.1.6, the proxies and proxy fields ...)
- airflow <itp> (bug #819700)
-CVE-2025-68438
+CVE-2025-68438 (In Apache Airflow versions before 3.1.6, when rendered template fields ...)
- airflow <itp> (bug #819700)
CVE-2026-0988
[experimental] - glib2.0 2.87.1-1
@@ -1278,7 +1452,8 @@ CVE-2022-50913 (ITeC ITeCProteccioAppServer contains an unquoted service path vu
NOT-FOR-US: ITeC ITeCProteccioAppServer
CVE-2022-50912 (ImpressCMS 1.4.4 contains a file upload vulnerability with weak extens ...)
NOT-FOR-US: ImpressCMS
-CVE-2022-50911 (Bitrix24 contains an authenticated remote code execution vulnerability ...)
+CVE-2022-50911
+ REJECTED
NOT-FOR-US: Bitrix24
CVE-2022-50910 (Beehive Forum 1.5.2 contains a host header injection vulnerability in ...)
NOT-FOR-US: Beehive Forum
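Review bot: the ` NOT-FOR-US: Bitrix24` line now sits under a `+ REJECTED` marker and is redundant, since a rejected CVE needs no applicability verdict; the automatic update only rewrites the header line, so dropping the leftover annotation in a follow-up manual edit would keep the entry to the two-line form used for CVE-2026-0823 earlier in this diff.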
@@ -2950,7 +3125,7 @@ CVE-2020-36875 (AccessAlly WordPress plugin versions prior to3.3.2 contain an un
NOT-FOR-US: WordPress plugin
CVE-2025-14459
NOT-FOR-US: Red Hat virt-cdi-controller
-CVE-2025-51602 [vlc MMS out of bounds read]
+CVE-2025-51602 (mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bo ...)
{DSA-6082-1}
- vlc 3.0.22-1
NOTE: https://www.videolan.org/security/sb-vlc3022.html
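Review bot: replacing the working title `[vlc MMS out of bounds read]` with the official text loses nothing here, because the new description still names mmstu.c and "before 3.0.22", which agrees with the ` - vlc 3.0.22-1` line and the DSA-6082-1 reference; no further change is needed for this entry.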
@@ -30905,7 +31080,8 @@ CVE-2025-10151 (Improper locking vulnerability in Softing Industrial Automation
NOT-FOR-US: Softing
CVE-2025-10150 (Webserver crash caused by scanning on TCP port 80 in Softing Industria ...)
NOT-FOR-US: Softing
-CVE-2025-10145 (The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is ...)
+CVE-2025-10145
+ REJECTED
NOT-FOR-US: WordPress plugin
CVE-2025-12343
{DSA-6007-1}
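Review bot: same leftover as the Bitrix24 entry: ` NOT-FOR-US: WordPress plugin` remains under the new ` REJECTED` line for CVE-2025-10145 and can go in a manual cleanup, since the verdict no longer applies to a withdrawn CVE.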
@@ -31215,7 +31391,7 @@ CVE-2023-49440 (AhnLab EPP 1.0.15 is vulnerable to SQL Injection via the "previe
NOT-FOR-US: AhnLab EPP
CVE-2023-37749 (Incorrect access control in the REST API endpoint of HubSpot v1.29441 ...)
NOT-FOR-US: HubSpot
-CVE-2025-62291
+CVE-2025-62291 (In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a ...)
{DSA-6041-1 DLA-4359-1}
- strongswan 6.0.3-1 (bug #1120004)
NOTE: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-(cve-2025-62291).html
@@ -32148,7 +32324,7 @@ CVE-2025-9158 (The Request Tracker software is vulnerable to a Stored XSS vulner
[trixie] - request-tracker5 5.0.7+dfsg-4+deb13u1
[bookworm] - request-tracker5 <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://github.com/bestpractical/rt/commit/04b5694e6cd150492aa51b8edaba75f5997ea40c (rt-5.0.9)
-CVE-2025-61873
+CVE-2025-61873 (Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 all ...)
{DSA-6032-1 DSA-6031-1 DLA-4349-1}
- request-tracker5 5.0.7+dfsg-5
- request-tracker4 <unfixed> (bug #1120003)
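Review bot: the filled-in description now states upstream fixes in 4.4.9, 5.0.9 and 6.0.2, while ` - request-tracker4 <unfixed> (bug #1120003)` stays unchanged; the preceding CVE-2025-9158 entry documents its fix with a `NOTE: Fixed by:` commit link for rt-5.0.9, and CVE-2025-61873 would benefit from the same for the 4.4.9 and 5.0.9 commits, which would also give whoever works on bug #1120003 a direct pointer to the backport.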
@@ -87853,7 +88029,7 @@ CVE-2024-8973 (An issue has been discovered in GitLab CE/EE affecting all versio
- gitlab <unfixed>
CVE-2025-0549 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
-CVE-2025-43904
+CVE-2025-43904 (In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting ...)
{DSA-5961-1}
- slurm-wlm 24.11.5-1 (bug #1104929)
[bullseye] - slurm-wlm <end-of-life> (see #1071127)
@@ -98278,7 +98454,7 @@ CVE-2025-30195 (An attacker can publish a zone containing specific Resource Reco
[bullseye] - pdns-recursor <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/07/1
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-01.html
-CVE-2025-31510 [XSS/HTML Injection through tab parameter when using "Choice" authentication module]
+CVE-2025-31510 (In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XS ...)
{DSA-5897-1 DLA-4119-1}
- lemonldap-ng 2.21.0+ds-1
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341
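Review bot: the removed working title `[XSS/HTML Injection through tab parameter when using "Choice" authentication module]` named the affected parameter and module, and the official description is truncated at 70 characters before it reaches that detail; consider carrying the lost specifics over into a `NOTE:` line next to the existing issue link so the entry stays searchable by parameter and module name.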
@@ -119523,7 +119699,7 @@ CVE-2024-12133 (A flaw in libtasn1 causes inefficient handling of specific certi
NOTE: https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a (v4.20.0)
NOTE: https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d (v4.20.0)
NOTE: https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00001.html
-CVE-2025-24531 [Possible Authentication Bypass in Error Situations]
+CVE-2025-24531 (In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly retu ...)
{DSA-5864-1}
- pam-pkcs11 0.6.13-1 (bug #1095402)
[bullseye] - pam-pkcs11 <not-affected> (Vulnerable code not present)
@@ -121495,7 +121671,7 @@ CVE-2024-12163 (The goodlayers-core WordPress plugin before 2.1.3 allows users w
NOT-FOR-US: WordPress plugin
CVE-2024-10309 (The Tracking Code Manager WordPress plugin before 2.4.0 does not sanit ...)
NOT-FOR-US: WordPress plugin
-CVE-2025-24528 [Prevent overflow when calculating ulog block size]
+CVE-2025-24528 (In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation ...)
{DLA-4065-1}
- krb5 1.21.3-5 (bug #1094730)
[bookworm] - krb5 1.20.1-2+deb12u3
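Review bot: the replaced title `[Prevent overflow when calculating ulog block size]` described the actual defect, whereas the truncated official text stops at "(with incremental propagation ..."; in addition, the fix recorded in ` - krb5 1.21.3-5 (bug #1094730)` is a lower version than the "before 1.22" upstream fix named in the description, so the entry should carry a `NOTE:` with the backported commit to make both the defect and the version gap self-explanatory.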
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8005eb53ae92702bd3f6feedaa6d8a1991861849