[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Jun 10 20:13:35 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0c532277 by security tracker role at 2026-06-10T19:13:29+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,16 +1,256 @@
+CVE-2026-9758 (Improper comparison with the certificates trusted list in S2OPC allows ...)
+ TODO: check
+CVE-2026-9151 (An OS command injection vulnerability exists in the VPN module of TP-L ...)
+ TODO: check
+CVE-2026-9045 (During an internal security assessment, a potential vulnerability was ...)
+ TODO: check
+CVE-2026-9019 (The Easy Image Collage plugin for WordPress is vulnerable to Stored Cr ...)
+ TODO: check
+CVE-2026-8853 (The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site ...)
+ TODO: check
+CVE-2026-8637 (A potential uncontrolled search path vulnerability was reported in the ...)
+ TODO: check
+CVE-2026-8613 (The aThemes Addons for Elementor plugin for WordPress is vulnerable to ...)
+ TODO: check
+CVE-2026-8335 (A missing authentication check on the Aix\u2011DB "/llm/process_llm_ou ...)
+ TODO: check
+CVE-2026-7516 (A vulnerability was identified in the Lenovo Android Application, dist ...)
+ TODO: check
+CVE-2026-6090 (A potential authentication bypass was reported in Lenovo Smart Connect ...)
+ TODO: check
+CVE-2026-53698 (Silverpeas through 6.4.6 mishandles the "Personal space" feature that ...)
+ TODO: check
+CVE-2026-53694 (Improper Neutralization of Argument Delimiters in a Command ('Argument ...)
+ TODO: check
+CVE-2026-53693 (A stored cross-site scripting vulnerability existed in MISPBSimVis tag ...)
+ TODO: check
+CVE-2026-53689 (libnfs through 6.0.2 before 55c18ea does not validate a string size, l ...)
+ TODO: check
+CVE-2026-53476 (A flaw was found in assisted-migration-agent. An unauthenticated attac ...)
+ TODO: check
+CVE-2026-53475 (A flaw was found in assisted-migration-agent. The application hardcode ...)
+ TODO: check
+CVE-2026-53474 (A flaw was found in migration-planner. A remote authenticated attacker ...)
+ TODO: check
+CVE-2026-53473 (A flaw was found in migration-planner-ui-app. An attacker can register ...)
+ TODO: check
+CVE-2026-53471 (A flaw was found in migration-planner. The agent-API middleware proces ...)
+ TODO: check
+CVE-2026-53470 (A flaw was found in migration-planner. An authenticated attacker could ...)
+ TODO: check
+CVE-2026-53469 (A flaw was found in migration-planner. An authenticated user can explo ...)
+ TODO: check
+CVE-2026-53442 (Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt se ...)
+ TODO: check
+CVE-2026-53441 (Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.55 ...)
+ TODO: check
+CVE-2026-53440 (Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure tha ...)
+ TODO: check
+CVE-2026-53439 (Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 an ...)
+ TODO: check
+CVE-2026-53438 (A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 a ...)
+ TODO: check
+CVE-2026-53437 (Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determin ...)
+ TODO: check
+CVE-2026-53436 (Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determin ...)
+ TODO: check
+CVE-2026-53435 (In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible ...)
+ TODO: check
+CVE-2026-52759 (Ghidra before 12.1.1 contains an uncontrolled memory allocation vulner ...)
+ TODO: check
+CVE-2026-52758 (Ghidra before 12.1 contains a SQL injection vulnerability in BSim filt ...)
+ TODO: check
+CVE-2026-52757 (Ghidra before 12.1 contains a heap-use-after-free vulnerability in the ...)
+ TODO: check
+CVE-2026-52756 (Ghidra before 12.2 contains an unauthenticated path traversal vulnerab ...)
+ TODO: check
+CVE-2026-52755 (Ghidra before 12.0.4 contains a path traversal vulnerability in the th ...)
+ TODO: check
+CVE-2026-52754 (Ghidra before 12.1 contains an authentication bypass vulnerability in ...)
+ TODO: check
+CVE-2026-52753 (Ghidra before 12.0.3 contains an out-of-memory vulnerability in the ru ...)
+ TODO: check
+CVE-2026-52752 (Ghidra before 12.0.2 contains a path traversal vulnerability in the ex ...)
+ TODO: check
+CVE-2026-52751 (Ghidra before 12.1 contains an unsafe deserialization vulnerability in ...)
+ TODO: check
+CVE-2026-52750 (Ghidra before 12.1 contains a command injection vulnerability in URL a ...)
+ TODO: check
+CVE-2026-50639 (Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not ...)
+ TODO: check
+CVE-2026-50638 (Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does no ...)
+ TODO: check
+CVE-2026-50637 (Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not p ...)
+ TODO: check
+CVE-2026-50570 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50569 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50568 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50567 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50566 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50565 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50564 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50563 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-50545 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-49824 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-49823 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-49822 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-49821 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-49760 (Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface ...)
+ TODO: check
+CVE-2026-49759 (Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv ...)
+ TODO: check
+CVE-2026-49498 (Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the ...)
+ TODO: check
+CVE-2026-49497 (Ghidra before 12.1 contains a path traversal vulnerability in SameDirD ...)
+ TODO: check
+CVE-2026-49496 (Ghidra before 12.1 contains a heap-use-after-free vulnerability in Sle ...)
+ TODO: check
+CVE-2026-49495 (Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption ...)
+ TODO: check
+CVE-2026-49069 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2026-48860 (Reliance on IP Address for Authentication vulnerability in Erlang/OTP ...)
+ TODO: check
+CVE-2026-48859 (Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_aut ...)
+ TODO: check
+CVE-2026-48858 (Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ft ...)
+ TODO: check
+CVE-2026-48856 (Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_respo ...)
+ TODO: check
+CVE-2026-48855 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+ TODO: check
+CVE-2026-48556
+ REJECTED
+CVE-2026-48096 (OpenFGA is an authorization/permission engine built for developers. Pr ...)
+ TODO: check
+CVE-2026-46642 (draw.io is a configurable diagramming and whiteboarding application. P ...)
+ TODO: check
+CVE-2026-46618 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-46617 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-46616 (Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some ...)
+ TODO: check
+CVE-2026-46614 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-46612 (Fission is an open-source, Kubernetes-native serverless framework that ...)
+ TODO: check
+CVE-2026-46609 (Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4. ...)
+ TODO: check
+CVE-2026-46558 (Plane is an open-source project management tool. Prior to version 1.3. ...)
+ TODO: check
+CVE-2026-46497 (Crawlee is a web scraping and browser automation library. From version ...)
+ TODO: check
+CVE-2026-45569 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45567 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45566 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45565 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45564 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45563 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45561 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45560 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45559 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45558 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45556 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45552 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45550 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45549 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Kee ...)
+ TODO: check
+CVE-2026-45062 (FrankenPHP is a modern application server for PHP. From version 1.11.2 ...)
+ TODO: check
+CVE-2026-3018 (The Newsletters plugin for WordPress is vulnerable to time-based SQL I ...)
+ TODO: check
+CVE-2026-25700 (Improper Restriction of Security Token Assignment vulnerability in Apa ...)
+ TODO: check
+CVE-2026-24067 (Slate Digital Connect 1.37.0 for macOS installs a privileged helper to ...)
+ TODO: check
+CVE-2026-24066 (Slate Digital Connect 1.37.0 for macOS installs a privileged helper to ...)
+ TODO: check
+CVE-2026-20260 (In Splunk SOAR (Security Orchestration, Automation, and Response) vers ...)
+ TODO: check
+CVE-2026-20259 (In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Clou ...)
+ TODO: check
+CVE-2026-20258 (In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 ...)
+ TODO: check
+CVE-2026-20257 (In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 ...)
+ TODO: check
+CVE-2026-20256 (In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 ...)
+ TODO: check
+CVE-2026-20255 (In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 ...)
+ TODO: check
+CVE-2026-20254 (In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 ...)
+ TODO: check
+CVE-2026-20253 (In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Clou ...)
+ TODO: check
+CVE-2026-20252 (In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 ...)
+ TODO: check
+CVE-2026-20251 (In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 ...)
+ TODO: check
+CVE-2026-11884 (A heap buffer overflow flaw was found in 389 Directory Server. When se ...)
+ TODO: check
+CVE-2026-11859 (An HTML injection vulnerability in the "fetch links" email sent by Thi ...)
+ TODO: check
+CVE-2026-11626 (CleanWipe Removal Tool (macOS), prior to 16.0.0.65,may be susceptible ...)
+ TODO: check
+CVE-2026-11596 (In ScreenConnect\u2122 versions prior to 26.2, input validation within ...)
+ TODO: check
+CVE-2026-11417 (OS command injection in the NodejsFunction local bundling pipeline in ...)
+ TODO: check
+CVE-2026-10740 (Unbounded memory allocation in the CRYPTO frame reassembler in s2n-qui ...)
+ TODO: check
+CVE-2026-10721 (Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection viaunse ...)
+ TODO: check
+CVE-2025-71330 (image-size through 2.0.2 contains a denial of service vulnerability th ...)
+ TODO: check
+CVE-2025-71329 (image-size through 2.0.2 contains a denial of service vulnerability th ...)
+ TODO: check
+CVE-2025-6254 (The Doctreat Core plugin for WordPress is vulnerable to Privilege Esca ...)
+ TODO: check
+CVE-2025-10238 (During an internal security assessment, apotential out-of-bounds write ...)
+ TODO: check
+CVE-2025-10237 (During an internal security assessment, a potential vulnerability was ...)
+ TODO: check
+CVE-2024-58350 (Ghidra before 11.2 contains a use after free vulnerability in the Slei ...)
+ TODO: check
CVE-2026-XXXX [OnionShare follows symlinks in shared directories, allowing unintended disclosure of local files]
- onionshare <unfixed>
NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-22p9-r2f5-22mf
CVE-2026-XXXX [OnionShare Receive mode writes uploaded files even when file uploads are disabled]
- onionshare <unfixed>
NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-v833-3823-cmhp
-CVE-2026-11853
+CVE-2026-11853 (Debusine is an integrated solution to build, distribute and maintain a ...)
- debusine 0.14.9
[trixie] - debusine <no-dsa> (Will be fixed via point release)
NOTE: https://salsa.debian.org/freexian-team/debusine/-/work_items/1484
NOTE: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3103
NOTE: https://salsa.debian.org/freexian-team/debusine/-/commit/c24cdc49fb258714767546bdec5b09f8065d414e
-CVE-2026-11852
+CVE-2026-11852 (Debusine is an integrated solution to build, distribute and maintain a ...)
- debusine 0.14.6
[trixie] - debusine <no-dsa> (Will be fixed via point release)
NOTE: https://salsa.debian.org/freexian-team/debusine/-/work_items/1499
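Review bot: of the roughly 120 new `TODO: check` entries, most name software Debian does not ship (WordPress plugins, Roxy-WI, Fission, Splunk) and will end up NOT-FOR-US, but a handful concern packaged software and should be triaged first: CVE-2026-53689 (libnfs, fixed upstream at commit 55c18ea), CVE-2026-11884 (389 Directory Server heap buffer overflow), and the Erlang/OTP batch CVE-2026-49760, CVE-2026-49759, CVE-2026-48860, CVE-2026-48859, CVE-2026-48858, CVE-2026-48856 and CVE-2026-48855 (erl_interface, inet_drv, ssh, ftp and inets). CVE-2025-71330 and CVE-2025-71329 carry the same "image-size through 2.0.2" wording as the existing CVE-2025-71319 entry that is tagged NOT-FOR-US: Node image-size, so they can likely take the same tag; CVE-2026-48556 is REJECTED and needs no further action.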
@@ -340,7 +580,7 @@ CVE-2026-10238
REJECTED
CVE-2025-8444 (The Animation Addons for Elementor \u2013 GSAP Powered Elementor Addon ...)
NOT-FOR-US: WordPress plugin
-CVE-2025-71319 (image-size 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2 contain a denial ...)
+CVE-2025-71319 (image-size through 2.0.2 contains a denial of service vulnerability th ...)
NOT-FOR-US: Node image-size
CVE-2025-66281 (A NULL pointer dereference vulnerability has been reported to affect s ...)
NOT-FOR-US: QNAP
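Review bot: the reworded CVE-2025-71319 description now says "through 2.0.2", which lists 2.0.2 itself as affected, whereas the previous text read "2.0.0 before 2.0.2", where 2.0.2 was the fixed version. The entry stays NOT-FOR-US: Node image-size, so nothing changes for Debian, but if the upstream advisory was not actually revised this is a wording regression on the CNA side worth noting, and it affects how the two new image-size CVEs earlier in this diff (CVE-2025-71330, CVE-2025-71329) should be read.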
@@ -427,7 +667,7 @@ CVE-2026-49959 (Hermes WebUI before version 0.51.311 contains a remote code exec
NOT-FOR-US: Hermes WebUI
CVE-2026-49958 (Hermes WebUI before version 0.51.303 contains a time-of-check time-of- ...)
NOT-FOR-US: Hermes WebUI
-CVE-2026-49957 (Hermes WebUI before version 0.51.269 contains a workspace boundary byp ...)
+CVE-2026-49957 (Hermes WebUI before version 0.51.296 contains a workspace boundary byp ...)
NOT-FOR-US: Hermes WebUI
CVE-2026-49956 (Hermes WebUI before version 0.51.269 contains a profile isolation bypa ...)
NOT-FOR-US: Hermes WebUI
@@ -1280,7 +1520,7 @@ CVE-2026-0419 (Insufficient input validation in NETGEAR JR6150 (AC750 WiFi Route
NOT-FOR-US: Netgear
CVE-2026-0418 (Insufficient configuration management in the listed devicesallows auth ...)
NOT-FOR-US: Netgear
-CVE-2026-0417 (Insufficient input validation vulnerability in NETGEARdevicesallows au ...)
+CVE-2026-0417 (Insufficient input validation vulnerability in the listed NETGEARdevic ...)
NOT-FOR-US: Netgear
CVE-2026-0416 (Authenticated administrators connected to the local network can modify ...)
NOT-FOR-US: Netgear
@@ -5971,7 +6211,7 @@ CVE-2021-4481 (Dr\xe4ger Protector Software prior to version 6.4.2 contains a lo
NOT-FOR-US: Draeger
CVE-2021-4480 (Dr\xe4ger Protector Software prior to version 6.4.2 contains a local p ...)
NOT-FOR-US: Draeger
-CVE-2021-4479 (Dr\xe4ger Atlan A350 software versions 1.00 through 1.01 contains an i ...)
+CVE-2021-4479 (Dr\xe4ger Atlan A350 versions 1.00 up to and including 1.01 contains a ...)
NOT-FOR-US: Draeger
CVE-2021-4478 (Dr\xe4ger CC-Vision Basic before 7.5.3 and Dr\xe4ger CC-Vision E-Cal b ...)
NOT-FOR-US: Draeger
@@ -21156,31 +21396,31 @@ CVE-2026-42304 (Twisted is an event-based framework for internet applications, s
NOTE: Introduced with: https://github.com/twisted/twisted/commit/e11cd82bdd79b3ebbb0e8635cbb9c76df2b5af09 (twisted-11.1.0)
NOTE: Fixed by: https://github.com/twisted/twisted/commit/2d196123264efb0027eecfe1b430be4a9babdbd8 (twisted-26.4.0rc1)
CVE-2026-2291 (dnsmasqs extract_name() function can be abused to cause a heap buffer ...)
- {DSA-6264-1}
+ {DSA-6264-1 DLA-4625-1}
- dnsmasq 2.92-5
NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
NOTE: https://xchglabs.com/blog/dnsmasq-five-cves.html
NOTE: Fixed by: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2 (v2.93rc1)
CVE-2026-4890 (A Denial of Service (DoS) vulnerability in the DNSSEC validation of dn ...)
- {DSA-6264-1}
+ {DSA-6264-1 DLA-4625-1}
- dnsmasq 2.92-5
NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
NOTE: https://xchglabs.com/blog/dnsmasq-five-cves.html
NOTE: Fixed by: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7b151eb60609a0139474918222806f9bcfb4fe71 (v2.93rc1)
CVE-2026-4891 (A heap-based out-of-bounds read vulnerability in the DNSSEC validation ...)
- {DSA-6264-1}
+ {DSA-6264-1 DLA-4625-1}
- dnsmasq 2.92-5
NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
NOTE: https://xchglabs.com/blog/dnsmasq-five-cves.html
NOTE: Fixed by: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 (v2.93rc1)
CVE-2026-4892 (A heap-based out-of-bounds write vulnerability in the DHCPv6 implement ...)
- {DSA-6264-1}
+ {DSA-6264-1 DLA-4625-1}
- dnsmasq 2.92-5
NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
NOTE: https://xchglabs.com/blog/dnsmasq-five-cves.html
NOTE: Fixed by: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 (v2.93rc1)
CVE-2026-4893 (An information disclosure vulnerability in dnsmasq allows remote attac ...)
- {DSA-6264-1}
+ {DSA-6264-1 DLA-4625-1}
- dnsmasq 2.92-5
NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
NOTE: https://xchglabs.com/blog/dnsmasq-five-cves.html
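Review bot: DLA-4625-1 is added uniformly to the five dnsmasq entries (CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893) that already share DSA-6264-1 and the 2.92-5 fix, which is consistent; make sure the DLA-4625-1 entry in data/DLA/list references exactly the same five CVEs, since the brace cross-reference is only meaningful when both sides agree, and that the LTS upload backports every upstream commit linked in the "Fixed by" NOTEs rather than only the subset covered by the DSA.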
@@ -21967,7 +22207,7 @@ CVE-2026-3318 (Open redirection vulnerability in the latest demo version of the
NOT-FOR-US: Cradle eCommerce platform
CVE-2026-39816 (The optional extension component TinkerpopClientService is missing the ...)
NOT-FOR-US: Apache software not packaged in Debian
-CVE-2026-38361 (An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a ...)
+CVE-2026-38361 (Multiple unauthenticated denial-of-service (DoS) issues in fohrloop da ...)
NOT-FOR-US: fohrloop dash-uploader
CVE-2026-38360 (Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 th ...)
NOT-FOR-US: fohrloop dash-uploader
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c532277f9b78044579a67ba06b19025b912bb78