[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jan 22 21:37:23 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4df00e17 by Salvatore Bonaccorso at 2026-01-22T22:37:05+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -93,7 +93,7 @@ CVE-2026-24001 (jsdiff is a JavaScript text differencing implementation. Prior t
 	NOTE: Fixed by: https://github.com/kpdecker/jsdiff/commit/78017899c4c80d51db805b6e013079cadc6ed0ae (v5.2.1)
 	NOTE: Fixed by: https://github.com/kpdecker/jsdiff/commit/4568cae5ae7646962bf3c5641907d1fb5af90683 (v4.0.3)
 CVE-2026-23996 (FastAPI Api Key provides a backend-agnostic library that provides an A ...)
-	TODO: check
+	NOT-FOR-US: FastAPI Api Key
 CVE-2026-23992 (go-tuf is a Go implementation of The Update Framework (TUF). Starting  ...)
 	- golang-github-theupdateframework-go-tuf <unfixed>
 	NOTE: https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525
@@ -117,11 +117,11 @@ CVE-2026-23974 (Missing Authorization vulnerability in uxper Golo golo allows Ex
 CVE-2026-23968 (Copier is a library and CLI app for rendering project templates. Prior ...)
 	NOT-FOR-US: Copier library and CLI app
 CVE-2026-23967 (sm-crypto provides JavaScript implementations of the Chinese cryptogra ...)
-	TODO: check
+	NOT-FOR-US: sm-crypto
 CVE-2026-23966 (sm-crypto provides JavaScript implementations of the Chinese cryptogra ...)
-	TODO: check
+	NOT-FOR-US: sm-crypto
 CVE-2026-23965 (sm-crypto provides JavaScript implementations of the Chinese cryptogra ...)
-	TODO: check
+	NOT-FOR-US: sm-crypto
 CVE-2026-23964 (Mastodon is a free, open-source social network server based on Activit ...)
 	- mastodon <itp> (bug #859741)
 CVE-2026-23963 (Mastodon is a free, open-source social network server based on Activit ...)
@@ -147,53 +147,53 @@ CVE-2026-23946 (Tendenci is an open source content management system built for n
 CVE-2026-23893 (openCryptoki is a PKCS#11 library and provides tooling for Linux and A ...)
 	TODO: check
 CVE-2026-23887 (Group-Office is an enterprise customer relationship management and gro ...)
-	TODO: check
+	NOT-FOR-US: Group-Office
 CVE-2026-23873 (hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ...)
-	TODO: check
+	NOT-FOR-US: hustoj
 CVE-2026-23764 (VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (vers ...)
-	TODO: check
+	NOT-FOR-US: VB-Audio
 CVE-2026-23763 (VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0 ...)
-	TODO: check
+	NOT-FOR-US: VB-Audio
 CVE-2026-23762 (VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (vers ...)
-	TODO: check
+	NOT-FOR-US: VB-Audio
 CVE-2026-23761 (VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (vers ...)
-	TODO: check
+	NOT-FOR-US: VB-Audio
 CVE-2026-23760 (SmarterTools SmarterMail versions prior to build 9511 contain an authe ...)
-	TODO: check
+	NOT-FOR-US: SmarterTools SmarterMail
 CVE-2026-23737 (seroval facilitates JS value stringification, including complex struct ...)
-	TODO: check
+	NOT-FOR-US: Seroval
 CVE-2026-23736 (seroval facilitates JS value stringification, including complex struct ...)
-	TODO: check
+	NOT-FOR-US: Seroval
 CVE-2026-23699 (AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 conta ...)
-	TODO: check
+	NOT-FOR-US: ruijie
 CVE-2026-23630 (Docmost is open-source collaborative wiki and documentation software.  ...)
-	TODO: check
+	NOT-FOR-US: Docmost
 CVE-2026-23526 (CVAT is an open source interactive video and image annotation tool for ...)
-	TODO: check
+	NOT-FOR-US: Computer Vision Annotation Tool (CVAT)
 CVE-2026-23524 (Laravel Reverb provides a real-time WebSocket communication backend fo ...)
-	TODO: check
+	NOT-FOR-US: Laravel Reverb
 CVE-2026-23518 (Fleet is open source device management software. In versions prior to  ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2026-23517 (Fleet is open source device management software. A broken access contr ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2026-23516 (CVAT is an open source interactive video and image annotation tool for ...)
-	TODO: check
+	NOT-FOR-US: Computer Vision Annotation Tool (CVAT)
 CVE-2026-23499 (Saleor is an e-commerce platform. Starting in version 3.0.0 and prior  ...)
-	TODO: check
+	NOT-FOR-US: Saleor
 CVE-2026-22849 (Saleor is an e-commerce platform. Starting in version 3.0.0 and prior  ...)
-	TODO: check
+	NOT-FOR-US: Saleor
 CVE-2026-22822 (External Secrets Operator reads information from a third-party service ...)
-	TODO: check
+	NOT-FOR-US: External Secrets Operator
 CVE-2026-22808 (fleetdm/fleet is open source device management software. Prior to vers ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2026-22807 (vLLM is an inference and serving engine for large language models (LLM ...)
 	TODO: check
 CVE-2026-22793 (5ire is a cross-platform desktop artificial intelligence assistant and ...)
-	TODO: check
+	NOT-FOR-US: 5ire
 CVE-2026-22792 (5ire is a cross-platform desktop artificial intelligence assistant and ...)
-	TODO: check
+	NOT-FOR-US: 5ire
 CVE-2026-22598 (ManageIQ is an open-source management platform. A flaw was found in th ...)
-	TODO: check
+	NOT-FOR-US: ManageIQ
 CVE-2026-22483 (Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress  ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-22482 (Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspide ...)
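Review bot: the label for CVE-2026-23699 ("NOT-FOR-US: ruijie") is lowercase and the vendor name does not appear in the visible description ("AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 ..."), so a reader cannot tie the label to the entry; suggest naming the product as the other entries do, e.g. "NOT-FOR-US: Ruijie AP180 series". Minor: the two seroval entries are labelled "Seroval" while the description spells the project "seroval"; matching the upstream spelling makes the list easier to grep.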
@@ -283,13 +283,13 @@ CVE-2026-22279 (Dell PowerScale OneFS, versions prior 9.13.0.0, contains an insu
 CVE-2026-22278 (Dell PowerScale OneFS versions prior to 9.13.0.0 contains an improper  ...)
 	NOT-FOR-US: Dell / EMC
 CVE-2026-21852 (Claude Code is an agentic coding tool. Prior to version 2.0.65, vulner ...)
-	TODO: check
+	NOT-FOR-US: Claude Code
 CVE-2026-1332 (MeetingHub developed by HAMASTAR Technology has a Missing Authenticati ...)
-	TODO: check
+	NOT-FOR-US: MeetingHub
 CVE-2026-1331 (MeetingHub developed by HAMASTAR Technology has an Arbitrary File Uplo ...)
-	TODO: check
+	NOT-FOR-US: MeetingHub
 CVE-2026-1330 (MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read ...)
-	TODO: check
+	NOT-FOR-US: MeetingHub
 CVE-2026-1329 (A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is ...)
 	NOT-FOR-US: Tenda
 CVE-2026-1328 (A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910 ...)
@@ -299,11 +299,11 @@ CVE-2026-1327 (A security vulnerability has been detected in Totolink NR1800X 9.
 CVE-2026-1326 (A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B202109 ...)
 	NOT-FOR-US: TOTOLINK
 CVE-2026-1325 (A security flaw has been discovered in Sangfor Operation and Maintenan ...)
-	TODO: check
+	NOT-FOR-US: Sangfor Operation and Maintenance Security Management System
 CVE-2026-1324 (A vulnerability was identified in Sangfor Operation and Maintenance Ma ...)
-	TODO: check
+	NOT-FOR-US: Sangfor Operation and Maintenance Security Management System
 CVE-2026-1260 (Invalid memory access in Sentencepiece versions less than 0.2.1 when u ...)
-	TODO: check
+	NOT-FOR-US: Sentencepiece
 CVE-2026-1225 (ACE vulnerability in configuration file processing  by QOS.CH logback- ...)
 	TODO: check
 CVE-2026-1036 (The Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery plugin ...)
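Review bot: before closing CVE-2026-1260 as NOT-FOR-US, confirm that sentencepiece is absent from the archive: unlike the Sangfor entries in this hunk, the description refers to an upstream library version range ("Sentencepiece versions less than 0.2.1") rather than a vendor appliance, which is the pattern that usually warrants a package check rather than an NFU.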
@@ -321,17 +321,17 @@ CVE-2025-71176 (pytest through 9.0.2 on UNIX relies on directories with the /tmp
 CVE-2025-70899 (PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Fo ...)
 	NOT-FOR-US: PHPGurukul
 CVE-2025-69828 (File Upload vulnerability in TMS Global Software TMS Management Consol ...)
-	TODO: check
+	NOT-FOR-US: TMS Global Software TMS Management Console
 CVE-2025-69822 (An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.3 ...)
-	TODO: check
+	NOT-FOR-US: Atomberg
 CVE-2025-69821 (An issue in Beat XP VEGA Smartwatch (Firmware Version - RB303ATV006229 ...)
-	TODO: check
+	NOT-FOR-US: Beat XP VEGA Smartwatch
 CVE-2025-69820 (Directory Traversal vulnerability in Beam beta9 v.0.1.552 allows a rem ...)
-	TODO: check
+	NOT-FOR-US: Beam beta9
 CVE-2025-69764 (Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow ...)
 	NOT-FOR-US: Tenda
 CVE-2025-69612 (A path traversal vulnerability exists in TMS Management Console (versi ...)
-	TODO: check
+	NOT-FOR-US: TMS Management Console
 CVE-2025-69321 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-69320 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
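Review bot: CVE-2025-69828 and CVE-2025-69612 appear to concern the same product (the descriptions read "TMS Global Software TMS Management Consol ..." and "TMS Management Console (versi ..."), but get two different labels, "NOT-FOR-US: TMS Global Software TMS Management Console" and "NOT-FOR-US: TMS Management Console"; suggest one label for both so the entries group together.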
@@ -361,7 +361,7 @@ CVE-2025-69293 (Incorrect Privilege Assignment vulnerability in e-plugins Final
 CVE-2025-69292 (Incorrect Privilege Assignment vulnerability in e-plugins WP Membershi ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-69285 (SQLBot is an intelligent data query system based on a large language m ...)
-	TODO: check
+	NOT-FOR-US: SQLBot
 CVE-2025-69193 (Missing Authorization vulnerability in e-plugins WP Membership wp-memb ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-69192 (Missing Authorization vulnerability in e-plugins Real Estate Pro real- ...)
@@ -697,9 +697,9 @@ CVE-2025-67938 (Improper Control of Filename for Include/Require Statement in PH
 CVE-2025-67923 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-67684 (Quick.Cart is vulnerable to Local File Inclusion and Path Traversal is ...)
-	TODO: check
+	NOT-FOR-US: Quick.Cart
 CVE-2025-67683 (Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An  ...)
-	TODO: check
+	NOT-FOR-US: Quick.Cart
 CVE-2025-67626 (Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO  ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-67620 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
@@ -715,9 +715,9 @@ CVE-2025-67615 (Improper Control of Filename for Include/Require Statement in PH
 CVE-2025-67614 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-67221 (The orjson.dumps function in orjson thru 3.11.4 does not limit recursi ...)
-	TODO: check
+	NOT-FOR-US: orjson
 CVE-2025-66428 (An issue with WordPress directory names in WebPros WordPress Toolkit b ...)
-	TODO: check
+	NOT-FOR-US: WordPress Toolkit
 CVE-2025-66143 (Missing Authorization vulnerability in merkulove Crumber crumber-eleme ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-66142 (Missing Authorization vulnerability in merkulove Comparimager for Elem ...)
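Review bot: CVE-2025-67221 describes an upstream library by version ("orjson thru 3.11.4") rather than a vendor product, so confirm orjson is not packaged before marking it NOT-FOR-US; the other NFUs in this commit are products or services. Minor: CVE-2025-66428 is labelled "WordPress Toolkit" without the vendor ("WebPros") that the description gives, unlike most other labels here.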
@@ -737,11 +737,11 @@ CVE-2025-66136 (Missing Authorization vulnerability in merkulove Carter for Elem
 CVE-2025-66135 (Missing Authorization vulnerability in merkulove Imager for Elementor  ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-65098 (Typebot is an open-source chatbot builder. In versions prior to 3.13.2 ...)
-	TODO: check
+	NOT-FOR-US: Typebot
 CVE-2025-64252 (Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC  ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-64097 (NervesHub is a web service that allows users to manage over-the-air (O ...)
-	TODO: check
+	NOT-FOR-US: NervesHub
 CVE-2025-63051 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-63026 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
@@ -767,9 +767,9 @@ CVE-2025-62050 (Unrestricted Upload of File with Dangerous Type vulnerability in
 CVE-2025-5805 (Missing Authorization vulnerability in Ninetheme Electron electron all ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-56590 (An issue was discovered in the InsertFromURL() function of the Apryse  ...)
-	TODO: check
+	NOT-FOR-US: Apryse HTML2PDF SDK
 CVE-2025-56589 (A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF)  ...)
-	TODO: check
+	NOT-FOR-US: Apryse HTML2PDF SDK
 CVE-2025-54003 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-54002 (Missing Authorization vulnerability in Jthemes xSmart xsmart allows Ex ...)
@@ -793,9 +793,9 @@ CVE-2025-50003 (Improper Control of Filename for Include/Require Statement in PH
 CVE-2025-50002 (Unrestricted Upload of File with Dangerous Type vulnerability in Faros ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-4764 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
-	TODO: check
+	NOT-FOR-US: Hotel Guest Hotspot
 CVE-2025-4763 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
-	TODO: check
+	NOT-FOR-US: Hotel Guest Hotspot
 CVE-2025-49994 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-49375 (Missing Authorization vulnerability in cozythemes HomeLancer homelance ...)
@@ -835,19 +835,19 @@ CVE-2025-36588 (Dell Unisphere for PowerMax, version(s) 10.2.0.x, contain(s) an
 CVE-2025-32123 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-32057 (The Infotainment ECU manufactured by Bosch which is installed in Nissa ...)
-	TODO: check
+	NOT-FOR-US: Infotainment ECU (Bosch)
 CVE-2025-32056 (The anti-theft protection mechanism can be bypassed by attackers due t ...)
-	TODO: check
+	NOT-FOR-US: Nissan Leaf ZE1
 CVE-2025-31413 (Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pa ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-27380 (HTML injection in Project Release in Altium Enterprise Server (AES) 7. ...)
-	TODO: check
+	NOT-FOR-US: Altium
 CVE-2025-27379 (A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in ...)
-	TODO: check
+	NOT-FOR-US: Altium
 CVE-2025-27378 (AES contains a SQL injection vulnerability due to an inactive configur ...)
-	TODO: check
+	NOT-FOR-US: Altium
 CVE-2025-27377 (Altium Designer version 24.9.0 does not validate self-signed server ce ...)
-	TODO: check
+	NOT-FOR-US: Altium
 CVE-2025-27005 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-15523 (MacOS version of Inkscape bundles a Python interpreter that inherits t ...)
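Review bot: CVE-2025-32057 and CVE-2025-32056 look like a pair about the same vehicle system (the first description says the Bosch infotainment ECU "is installed in Nissa ...", the second concerns its anti-theft mechanism), but they get different labels, "Infotainment ECU (Bosch)" and "Nissan Leaf ZE1"; consider a single label covering both so the entries are found together.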
@@ -857,11 +857,11 @@ CVE-2025-14295 (Storing Passwords in a Recoverable Format vulnerability in Autom
 CVE-2025-12738 (Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are v ...)
 	TODO: check
 CVE-2025-10856 (Unrestricted Upload of File with Dangerous Type vulnerability in Solve ...)
-	TODO: check
+	NOT-FOR-US: Teknoera
 CVE-2025-10855 (Authorization Bypass Through User-Controlled Key vulnerability in Solv ...)
-	TODO: check
+	NOT-FOR-US: Teknoera
 CVE-2025-10024 (Authorization Bypass Through User-Controlled Key vulnerability in EXER ...)
-	TODO: check
+	NOT-FOR-US: Education Management System
 CVE-2024-53252
 	REJECTED
 CVE-2024-53251
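Review bot: the label for CVE-2025-10024, "NOT-FOR-US: Education Management System", is a generic product class rather than a vendor or product name; the description begins with "EXER ...", so prefixing the label with the vendor as it appears there would make the entry searchable, consistent with the Teknoera labels just above.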
@@ -897,7 +897,7 @@ CVE-2024-36988
 CVE-2024-22166
 	REJECTED
 CVE-2023-7335 (EduSoho versions prior to 22.4.7 contain an arbitrary file read vulner ...)
-	TODO: check
+	NOT-FOR-US: EduSoho
 CVE-2023-32720
 	REJECTED
 CVE-2023-32719
@@ -1088,7 +1088,7 @@ CVE-2021-47778 (GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code i
 CVE-2021-47770 (OpenPLC v3 contains an authenticated remote code execution vulnerabili ...)
 	NOT-FOR-US: OpenPLC
 CVE-2021-47748 (Hasura GraphQL 1.3.3 contains a remote code execution vulnerability th ...)
-	TODO: check
+	NOT-FOR-US: Hasura GraphQL
 CVE-2021-47746 (NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerabili ...)
 	NOT-FOR-US: NodeBB Plugin Emoji
 CVE-2026-22977 (In the Linux kernel, the following vulnerability has been resolved:  n ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4df00e17b28028a11259395e9b9955af43fad827
