[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jun 2 20:15:57 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3861223b by security tracker role at 2026-06-02T19:15:51+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,244 @@
-CVE-2026-41115
+CVE-2026-9844 (Use of default credentials vulnerability in Roche Diagnostics navify D ...)
+ TODO: check
+CVE-2026-9730 (The Remove NoFollow Commenter URL plugin for WordPress is vulnerable t ...)
+ TODO: check
+CVE-2026-9723 (The Google Plus One Bottom plugin for WordPress is vulnerable to Cross ...)
+ TODO: check
+CVE-2026-9722 (The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Reques ...)
+ TODO: check
+CVE-2026-9599 (The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Req ...)
+ TODO: check
+CVE-2026-9590 (Improper access control in the permission validation component in Devo ...)
+ TODO: check
+CVE-2026-9522 (Improper access control in the PAM account discovery feature in Devolu ...)
+ TODO: check
+CVE-2026-9234 (The JTL-Connector for WooCommerce plugin for WordPress is vulnerable t ...)
+ TODO: check
+CVE-2026-8993 (D.Launcher 2 component of Slovak eID client ecosystem contains Imprope ...)
+ TODO: check
+CVE-2026-8885 (The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to S ...)
+ TODO: check
+CVE-2026-8422 (The Remove meta boxes per user role plugin for WordPress is vulnerable ...)
+ TODO: check
+CVE-2026-7313 (CWE\u2011522: Insufficiently Protected Credentials in web services in ...)
+ TODO: check
+CVE-2026-7312 (CWE\u2011522: Insufficiently Protected Credentials in web services in ...)
+ TODO: check
+CVE-2026-7299 (Appsmith\u2019s SQL query editor\u2019s autocomplete functionality fai ...)
+ TODO: check
+CVE-2026-7201 (CWE-639: Authorization Bypass Through User-Controlled Key in web servi ...)
+ TODO: check
+CVE-2026-7198 (CWE-284: Improper Access Control in web services in Progress Sitefinit ...)
+ TODO: check
+CVE-2026-7195 (CWE-20: Improper Input Validation in web services in Progress Sitefini ...)
+ TODO: check
+CVE-2026-5422 (A path traversal vulnerability exists in jupyter-server version 2.17.0 ...)
+ TODO: check
+CVE-2026-5191 (The Tiled Gallery Carousel Without JetPack plugin for WordPress is vul ...)
+ TODO: check
+CVE-2026-4081 (The ZeM STL plugin for WordPress is vulnerable to Stored Cross-Site Sc ...)
+ TODO: check
+CVE-2026-4080 (The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site ...)
+ TODO: check
+CVE-2026-4071 (The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request ...)
+ TODO: check
+CVE-2026-49943 (CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-ba ...)
+ TODO: check
+CVE-2026-49782 (Missing Authorization vulnerability in Elementor Elementor Website Bui ...)
+ TODO: check
+CVE-2026-49754 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
+ TODO: check
+CVE-2026-49753 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response S ...)
+ TODO: check
+CVE-2026-48862 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
+ TODO: check
+CVE-2026-48861 (Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerabi ...)
+ TODO: check
+CVE-2026-47117 (OpenMed before 1.5.2 contains a remote code execution vulnerability in ...)
+ TODO: check
+CVE-2026-46718 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe ...)
+ TODO: check
+CVE-2026-45686 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45685 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45684 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45683 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45682 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45681 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45680 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45679 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45678 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45676 (OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based ...)
+ TODO: check
+CVE-2026-45554 (NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two F ...)
+ TODO: check
+CVE-2026-45553 (NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.re ...)
+ TODO: check
+CVE-2026-45080 (Klaw is a self-service Apache Kafka Topic Management/Governance tool/p ...)
+ TODO: check
+CVE-2026-44367 (Klaw is a self-service Apache Kafka Topic Management/Governance tool/p ...)
+ TODO: check
+CVE-2026-43965 (Path traversal vulnerability in Gleam's dependency management allows a ...)
+ TODO: check
+CVE-2026-42795 (Symlink following vulnerability in Gleam's Hex package export allows f ...)
+ TODO: check
+CVE-2026-42685 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2026-42684 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
+ TODO: check
+CVE-2026-42670 (Missing Authorization vulnerability in Etoile Web Design Incorporated ...)
+ TODO: check
+CVE-2026-42669 (Missing Authorization vulnerability in EventPrime allows Exploiting In ...)
+ TODO: check
+CVE-2026-42654 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+ TODO: check
+CVE-2026-42074 (OpenClaude is an open-source coding-agent command line interface for c ...)
+ TODO: check
+CVE-2026-42073 (OpenClaude is an open-source coding-agent command line interface for c ...)
+ TODO: check
+CVE-2026-41918 (A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA ...)
+ TODO: check
+CVE-2026-40780 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+ TODO: check
+CVE-2026-40715 (Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Im ...)
+ TODO: check
+CVE-2026-40713 (Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Im ...)
+ TODO: check
+CVE-2026-40619 (A high security vulnerability affecting Security Center main server in ...)
+ TODO: check
+CVE-2026-40571 (NamelessMC is website software for Minecraft servers. In version 2.2.4 ...)
+ TODO: check
+CVE-2026-40314 (NamelessMC is website software for Minecraft servers. In version 2.2.4 ...)
+ TODO: check
+CVE-2026-3620 (The Word Replacer plugin for WordPress is vulnerable to Stored Cross-S ...)
+ TODO: check
+CVE-2026-3514 (In version 3.6.19 of prefecthq/prefect, an authentication bypass vulne ...)
+ TODO: check
+CVE-2026-39555 (Deserialization of Untrusted Data vulnerability in Elated-Themes Askka ...)
+ TODO: check
+CVE-2026-39553 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2026-39552 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2026-39551 (Deserialization of Untrusted Data vulnerability in Elated-Themes T\xf6 ...)
+ TODO: check
+CVE-2026-39550 (Deserialization of Untrusted Data vulnerability in Elated-Themes Aperi ...)
+ TODO: check
+CVE-2026-38978 (transmission through 4.1.1 was found to have a clickjacking weakness i ...)
+ TODO: check
+CVE-2026-35718 (A path traversal vulnerability in the /admin/downloadMedias.cgi endpoi ...)
+ TODO: check
+CVE-2026-35717 (A stack-based buffer overflow in the export_language.cgi binary in VIV ...)
+ TODO: check
+CVE-2026-35716 (A stack-based buffer overflow in the motion_privacy.cgi binary in VIVO ...)
+ TODO: check
+CVE-2026-35447 (NamelessMC is website software for Minecraft servers. In version 2.2.4 ...)
+ TODO: check
+CVE-2026-35443 (NamelessMC is website software for Minecraft servers. In version 2.2.4 ...)
+ TODO: check
+CVE-2026-34907 (Wirtualna Uczelnia is vulnerable to Reflected Cross\u2011Site Scriptin ...)
+ TODO: check
+CVE-2026-34906 (Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an ...)
+ TODO: check
+CVE-2026-34460 (NamelessMC is website software for Minecraft servers. In versions 2.2. ...)
+ TODO: check
+CVE-2026-33398 (NamelessMC is website software for Minecraft servers. In version 2.2.4 ...)
+ TODO: check
+CVE-2026-33244 (React Router is a router for React. In versions 7.5.1 through 7.13.1, ...)
+ TODO: check
+CVE-2026-32685 (Path traversal vulnerability in Gleam's handling of custom documentati ...)
+ TODO: check
+CVE-2026-32250 (NamelessMC is website software for Minecraft servers. A Reflected Cros ...)
+ TODO: check
+CVE-2026-30652 (A remote buffer overflow vulnerability exists in the /cgi-bin/dido/set ...)
+ TODO: check
+CVE-2026-30650 (A post-authentication remote buffer overflow vulnerability exists in t ...)
+ TODO: check
+CVE-2026-30649 (Buffer Overflow vulnerability in VIVOTEK INC FD8136-VVTK-0300a allows ...)
+ TODO: check
+CVE-2026-2425 (The hiWeb Migration Simple plugin for WordPress is vulnerable to Refle ...)
+ TODO: check
+CVE-2026-2382 (The FPW Category Thumbnails plugin for WordPress is vulnerable to Stor ...)
+ TODO: check
+CVE-2026-28116 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2026-27351 (Missing Authorization vulnerability in Sekander Badsha Crew HRM allows ...)
+ TODO: check
+CVE-2026-24237 (NVIDIA NVTabular contains a vulnerability where an attacker could caus ...)
+ TODO: check
+CVE-2026-24221 (NVIDIA NVTabular contains a vulnerability where an attacker could caus ...)
+ TODO: check
+CVE-2026-1871 (TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RT ...)
+ TODO: check
+CVE-2026-1784 (The Route OpenShift resource allows to define routes to make pods reac ...)
+ TODO: check
+CVE-2026-1451 (The rognone plugin for WordPress is vulnerable to Reflected Cross-Site ...)
+ TODO: check
+CVE-2026-1450 (The rognone plugin for WordPress is vulnerable to Reflected Cross-Site ...)
+ TODO: check
+CVE-2026-10629 (SIP signaling stack in Verizon IMS (unspecified version) implements SI ...)
+ TODO: check
+CVE-2026-10622 (Improper Authentication in REST API in Collibra Agent, allows a remote ...)
+ TODO: check
+CVE-2026-10621 (Path traversal in restore handler in Collibra Agent, allows an attacke ...)
+ TODO: check
+CVE-2026-10611 (An authentication bypass vulnerability exists in MISP when LDAP mixed ...)
+ TODO: check
+CVE-2026-10606 (A vulnerability was determined in DedeCMS 5.7.88. The affected element ...)
+ TODO: check
+CVE-2026-10591 (Insufficient access control restrictions in the file write tool in Ama ...)
+ TODO: check
+CVE-2026-10549 (LDAP filter injection vulnerability in Yandex Database prior to 25.3.1 ...)
+ TODO: check
+CVE-2026-10047 (The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds ...)
+ TODO: check
+CVE-2026-10046 (Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds wri ...)
+ TODO: check
+CVE-2026-0611 (Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x be ...)
+ TODO: check
+CVE-2025-69369 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-68886 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-5085 (The WP Nano AD plugin for WordPress is vulnerable to Stored Cross-Site ...)
+ TODO: check
+CVE-2025-58897 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-58707 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-58705 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-58024 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-53440 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2025-53346 (Missing Authorization vulnerability in ThimPress Thim Core allows Expl ...)
+ TODO: check
+CVE-2025-53345 (Missing Authorization vulnerability leading to code execution after in ...)
+ TODO: check
+CVE-2025-53302 (Missing Authorization vulnerability in Anton Shevchuk Constructor allo ...)
+ TODO: check
+CVE-2025-53209 (Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LM ...)
+ TODO: check
+CVE-2025-52766 (Missing Authorization vulnerability in Printeers Printeers Print & Shi ...)
+ TODO: check
+CVE-2025-52759 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2024-42206 (HCL iReflection Third party vulnerable and outdated components issue w ...)
+ TODO: check
+CVE-2019-25719 (Dr\xe4ger Infinity Acute Care System and Standalone Infinity M540 pati ...)
+ TODO: check
+CVE-2019-25717 (Dr\xe4ger Infinity Delta, Delta XL, and Kappa patient monitors contain ...)
+ TODO: check
+CVE-2026-41115 (An improper authorization vulnerability has been identified in Apache ...)
- kafka <itp> (bug #786460)
NOTE: https://www.openwall.com/lists/oss-security/2026/06/02/5
CVE-2026-9050 (The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 an ...)
@@ -8086,9 +8326,11 @@ CVE-2026-9157 (Improper input validation, Unrestricted upload of file with dange
NOT-FOR-US: Gmission
CVE-2026-9089 (The ConnectWise Automate\u2122 Agent does not fully verify the authent ...)
NOT-FOR-US: ConnectWise
-CVE-2026-5434 (Honeywell Control Network Module (CNM)contains insertion of sensitive ...)
+CVE-2026-5434
+ REJECTED
NOT-FOR-US: Honeywell
-CVE-2026-5433 (Honeywell Control Network Module (CNM)contains command injection vulne ...)
+CVE-2026-5433
+ REJECTED
NOT-FOR-US: Honeywell
CVE-2026-5118 (The Divi Form Builder plugin for WordPress is vulnerable to privilege ...)
NOT-FOR-US: WordPress plugin
@@ -8426,24 +8668,24 @@ CVE-2026-46635
NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-vcc8-phrv-43wj
NOTE: Variant of CVE-2024-51755
CVE-2026-46628
- {DSA-6311-1}
+ {DSA-6320-1 DSA-6311-1}
- php-twig 3.26.0-1
NOTE: https://symfony.com/blog/cve-2026-46628-the-spaceless-filter-implicitly-marks-its-output-as-safe
CVE-2026-46629
- {DSA-6311-1}
+ {DSA-6320-1 DSA-6311-1}
- php-twig 3.26.0-1
NOTE: https://symfony.com/blog/cve-2026-46629-unbounded-formatter-memoisation-in-twig-intl-extra-keyed-on-template-controlled-arguments
CVE-2026-46633
- {DSA-6311-1}
+ {DSA-6320-1 DSA-6311-1}
- php-twig 3.26.0-1
NOTE: https://symfony.com/blog/cve-2026-46633-php-code-injection-via-use-template-name
CVE-2026-47730
- {DSA-6311-1}
+ {DSA-6320-1 DSA-6311-1}
- php-twig 3.26.0-1
[bullseye] - php-twig <not-affected> (Vulnerable code not present, introduced in 3.0.0)
NOTE: https://symfony.com/blog/cve-2026-47730-xss-in-profiler-htmldumper-via-unescaped-template-and-profile-names
CVE-2026-46637
- {DSA-6311-1}
+ {DSA-6320-1 DSA-6311-1}
- php-twig 3.26.0-1
NOTE: https://symfony.com/blog/cve-2026-46637-html-output-filters-in-twig-extras-incorrectly-declared-is-safe-all
CVE-2026-46638
@@ -8657,7 +8899,7 @@ CVE-2026-46626
- symfony 7.4.12+dfsg-1
NOTE: https://symfony.com/blog/cve-2026-46626-symfonyruntime-cve-2024-50340-patch-bypass-via-parse-str-sapi-argv-mismatch
CVE-2026-45070
- {DSA-6312-1}
+ {DSA-6317-1 DSA-6312-1}
- symfony 7.4.12+dfsg-1
NOTE: https://symfony.com/blog/cve-2026-45070-email-header-injection-via-non-token-characters-in-mime-parameter-names
CVE-2026-45065
@@ -13952,11 +14194,11 @@ CVE-2026-7255 (** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excess
NOT-FOR-US: Zyxel
CVE-2026-45430 (The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not prope ...)
NOT-FOR-US: Salesforce module for Backdrop CMS
-CVE-2026-45393 (Reserved. Details will be published at disclosure.)
+CVE-2026-45393 (A vulnerability chain in Cribl Edge for Windows before 4.17.1 allows a ...)
NOT-FOR-US: Cribl
-CVE-2026-45392 (Reserved. Details will be published at disclosure.)
+CVE-2026-45392 (DOM-based cross-site scripting (XSS) in Cribl Stream before 4.17.1 all ...)
NOT-FOR-US: Cribl
-CVE-2026-45391 (Reserved. Details will be published at disclosure.)
+CVE-2026-45391 (A command injection vulnerability in Cribl Edge for Linux versions 3.2 ...)
NOT-FOR-US: Cribl
CVE-2026-45362 (Sangoma Switchvox before 8.4 places cleartext SIP authentication crede ...)
NOT-FOR-US: Sangoma Switchvox
@@ -219933,7 +220175,7 @@ CVE-2024-51755 (Twig is a template language for PHP. In a sandbox, an attacker c
NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
NOTE: Fixed by: https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21 (v3.14.1)
CVE-2024-51754 (Twig is a template language for PHP. In a sandbox, an attacker can cal ...)
- {DLA-4186-1}
+ {DSA-6320-1 DLA-4186-1}
- php-twig 3.14.2-1 (bug #1086884)
- twig <removed>
NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3861223bba32b5f8c056c156ff63807a65fcba0d
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3861223bba32b5f8c056c156ff63807a65fcba0d
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260602/8909211f/attachment.htm>
More information about the debian-security-tracker-commits
mailing list