[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jun 4 22:52:32 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
51f45e7d by Salvatore Bonaccorso at 2026-06-04T23:52:10+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -27,35 +27,35 @@ CVE-2026-7774 (tarfile.data_filter could be bypassed using crafted link entries,
 	NOTE: https://github.com/python/cpython/commit/0478bd83d82b255e0f29f613367a59d261e7eaa2 (3.13 branch)
 	NOTE: https://github.com/python/cpython/commit/0d28f5e46e151718972dfabd91205444d0037b6d (3.12 branch)
 CVE-2026-7764 (An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel ...)
-	TODO: check
+	NOT-FOR-US: Morse Micro HaLowLink 2 software
 CVE-2026-5228 (Improper Access Control, Missing Authorization vulnerability in Kurt S ...)
-	TODO: check
+	NOT-FOR-US: Kurt oftware Studio WriteUp Mobile App
 CVE-2026-50226 (Fixed AES-128-CBC keys inside the AcerConnect OTA application let atta ...)
-	TODO: check
+	NOT-FOR-US: AcerConnect OTA application
 CVE-2026-50225 (The registration path/v1/account/registerprovides no bot mitigation me ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50224 (The web administration panel binds broadly to the public IPv6 address  ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50214 (The/v1/Planservice relies entirely on a shared global API token for fu ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50213 (The account validation endpoint/v1/User/validatereturns comprehensive  ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50212 (Weak validation logic within device dissociation API routines allows a ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50211 (Leftover engineering diagnostics and factory-level diagnostic software ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50210 (The device encrypts data using AES-CBC with static zero-filled Initial ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50209 (Broadcast events allow malicious software to rewrite the device's defa ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50208 (High-riskTrustAllCertsroutines disable standard TLS certificate valida ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50207 (The system Binder boundary accepts unverified pass-through AT commands ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50206 (Incoming VPN network profile settings fail to process special characte ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50205 (System log files output unencrypted SMTP server authentication passwor ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-50076 (Deserialization of Untrusted Data in the Java replace-resolve path in  ...)
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-50033 (Local privilege escalation due to DLL hijacking vulnerability. The fol ...)
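Review bot: typo in the new NOT-FOR-US line for CVE-2026-5228: "Kurt oftware Studio" should read "Kurt Software Studio". Separately, for CVE-2026-7764 the description names a kernel module (morse.ko); worth a quick confirmation that this driver is out-of-tree and not carried in src:linux before settling on NOT-FOR-US.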
@@ -63,37 +63,37 @@ CVE-2026-50033 (Local privilege escalation due to DLL hijacking vulnerability. T
 CVE-2026-4881 (In affected versions of Octopus Server, permissions were not checked c ...)
 	NOT-FOR-US: Octopus Deploy
 CVE-2026-4104 (Authorization bypass through User-Controlled SQL primary key vulnerabi ...)
-	TODO: check
+	NOT-FOR-US: TeknoPass
 CVE-2026-49771 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-49510 (Integer overflow or wraparound vulnerability in Samsung Open Source rl ...)
 	TODO: check
 CVE-2026-49204 (Leftover debug modules contain fixed credentials for internal AWS Cogn ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49203 (Crucial management API endpoints for cellular eSIM allocation do not v ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49202 (Internal multimedia session archives are accessible without authentica ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49194 (The debugging routineSCREEN_CLICK(5053)enables a connection to skip th ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49193 (Overly permissive configuration settings on cloud storage containers e ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49192 (The summary service endpoint suffers from an IDOR vulnerability where  ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49191 (The production build of the M3WebServer hard-codes its backend API key ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49190 (The system fails to evaluate instructional permissions over multiple i ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49189 (Unchecked public access permissions on a core Broadcast Receiver allow ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49188 (Theai_cmdutility executes with full root permissions. It pipes socket  ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49187 (The hard-coded APK resource files never expire, and the shared scepter ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49186 (The local MQTT broker does not enforce topic-level Access Control List ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49185 (The FieldX MDM adb messaging topic passes unverified payloads directly ...)
-	TODO: check
+	NOT-FOR-US: Acer
 CVE-2026-49077 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-48480 (The netty incubator codec.bhttp is a java language binary http parser. ...)
@@ -101,9 +101,9 @@ CVE-2026-48480 (The netty incubator codec.bhttp is a java language binary http p
 CVE-2026-48040 (The netty incubator codec.bhttp is a java language binary http parser. ...)
 	TODO: check
 CVE-2026-47707 (Strawberry GraphQL is a library for creating GraphQL APIs. In versions ...)
-	TODO: check
+	NOT-FOR-US: Strawberry GraphQL
 CVE-2026-47706 (Strawberry GraphQL is a library for creating GraphQL APIs. In versions ...)
-	TODO: check
+	NOT-FOR-US: Strawberry GraphQL
 CVE-2026-47320 (Access of uninitialized pointer, Uncontrolled Recursion vulnerability  ...)
 	TODO: check
 CVE-2026-47319 (Memory allocation with excessive size value vulnerability in Samsung O ...)
@@ -113,13 +113,13 @@ CVE-2026-47318 (Stack-based buffer overflow vulnerability in Samsung Open Source
 CVE-2026-47306 (Uncontrolled Recursion vulnerability in Samsung Open Source rlottie al ...)
 	TODO: check
 CVE-2026-45739 (Strawberry GraphQL is a library for creating GraphQL APIs. In versions ...)
-	TODO: check
+	NOT-FOR-US: Strawberry GraphQL
 CVE-2026-45433 (This vulnerability exists in GX Earth 2022 ONT models due to the prese ...)
-	TODO: check
+	NOT-FOR-US: GX Earth 2022 ONT models
 CVE-2026-45432 (This vulnerability exists in GX Earth ONT models due to the transmissi ...)
-	TODO: check
+	NOT-FOR-US: GX Earth ONT models
 CVE-2026-45431 (This vulnerability exists in GX Earth ONT models due to improper handl ...)
-	TODO: check
+	NOT-FOR-US: GX Earth ONT models
 CVE-2026-45287 (OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to v ...)
 	TODO: check
 CVE-2026-44682 (Local privilege escalation due to DLL hijacking vulnerability. The fol ...)
@@ -127,23 +127,23 @@ CVE-2026-44682 (Local privilege escalation due to DLL hijacking vulnerability. T
 CVE-2026-44609 (Local privilege escalation due to EXE hijacking vulnerability. The fol ...)
 	NOT-FOR-US: Acronis
 CVE-2026-43986 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
-	TODO: check
+	NOT-FOR-US: Tautulli
 CVE-2026-43985 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
-	TODO: check
+	NOT-FOR-US: Tautulli
 CVE-2026-43984 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
-	TODO: check
+	NOT-FOR-US: Tautulli
 CVE-2026-43926 (FOSSBilling is a free, open-source billing and client management syste ...)
-	TODO: check
+	NOT-FOR-US: FOSSBilling
 CVE-2026-43924 (FOSSBilling is a free, open-source billing and client management syste ...)
-	TODO: check
+	NOT-FOR-US: FOSSBilling
 CVE-2026-42061 (Local privilege escalation due to excessive permissions assigned to ch ...)
 	NOT-FOR-US: Acronis
 CVE-2026-41860 (CWE-326 in BOSH allows a local attacker to steal Basic-auth credential ...)
-	TODO: check
+	NOT-FOR-US: BOSH
 CVE-2026-41859 (A network man-in-the-middle between nats-sync and the BOSH director ca ...)
-	TODO: check
+	NOT-FOR-US: BOSH
 CVE-2026-41858 (Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-Ra ...)
-	TODO: check
+	NOT-FOR-US: BOSH
 CVE-2026-41237 (Froxlor is open source server administration software. In version 2.3. ...)
 	TODO: check
 CVE-2026-41236 (Froxlor is open source server administration software. Version 2.3.6 c ...)
@@ -157,7 +157,7 @@ CVE-2026-41207 (The netty incubator codec.bhttp is a java language binary http p
 CVE-2026-41178 (OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1 ...)
 	TODO: check
 CVE-2026-41065 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
-	TODO: check
+	NOT-FOR-US: Tautulli
 CVE-2026-41011 (PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = ...)
 	TODO: check
 CVE-2026-41010 (ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', nam ...)
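Review bot: consistency point for the two entries left at TODO: check right after the BOSH triage, CVE-2026-41011 and CVE-2026-41010. Their descriptions reference PackagePersister.validate_tgz and ReleaseJob#unpack with @release_dir, which reads like BOSH director (Ruby) code; if that is the case they can take the same "NOT-FOR-US: BOSH" line as CVE-2026-41860..41858 in this hunk rather than being left for a second pass.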
@@ -437,7 +437,7 @@ CVE-2026-6657 (A vulnerability in jupyter-server versions 1.12.0 through 2.17.0
 CVE-2026-5241 (A vulnerability in the LightGlue model loading path of huggingface/tra ...)
 	NOT-FOR-US: huggingface/transformers
 CVE-2026-5078 (Impact: The morgan logging middleware's :remote-user token extracts th ...)
-	TODO: check
+	NOT-FOR-US: morgan logging middleware
 CVE-2026-4035 (A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for t ...)
 	NOT-FOR-US: mlflow
 CVE-2026-47325 (ProjectsAndPrograms school-management-systemuses predictable credentia ...)
@@ -478,7 +478,7 @@ CVE-2026-42317 (GLPI is a free asset and IT management software package. Startin
 	- glpi <removed>
 	NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-jf72-cvjh-px5w
 CVE-2026-41032 (It is possible for an unauthenticated adjacent attacker to download lo ...)
-	TODO: check
+	NOT-FOR-US: Phoenix Contact
 CVE-2026-40290 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion  ...)
 	- optee-os <unfixed>
 	NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-332c-xr93-849m
@@ -8258,7 +8258,7 @@ CVE-2026-9497 (A flaw has been found in changmingxie tcc-transaction up to 2.1.0
 CVE-2026-9496 (Versions of the package pacote from 11.2.7 are vulnerable to Denial of ...)
 	TODO: check
 CVE-2026-9495 (Versions of the package @koa/router from 14.0.0 and before 15.0.0 are  ...)
-	TODO: check
+	NOT-FOR-US: koa/router
 CVE-2026-9486 (A security flaw has been discovered in SourceCodester Student Grades M ...)
 	NOT-FOR-US: SourceCodester
 CVE-2026-9485 (A vulnerability was identified in SourceCodester Student Grades Manage ...)
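Review bot: the new line for CVE-2026-9495 drops the npm scope: the description says "@koa/router", so the annotation should keep the scoped name ("NOT-FOR-US: @koa/router") so it matches the upstream package name when searching the list.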
@@ -10128,7 +10128,7 @@ CVE-2026-47372 (Crypt::SaltedHash versions through 0.09 for Perl generate insecu
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40252126/
 	NOTE: Fixed by: https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5 (0.10)
 CVE-2026-9101 (Prototype pollution in csv parsing logic during import can lead to unt ...)
-	TODO: check
+	NOT-FOR-US: MongoDB Compass
 CVE-2026-9100 (The MongoDB C Driver's legacy GridFS API accepts malformed file metada ...)
 	- mongo-c-driver 2.2.4-1 (bug #1137217)
 	[trixie] - mongo-c-driver 1.30.4-1+deb13u2



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51f45e7d65f32baee247a6a78a8c71c7a57fa94a


