[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Jun 18 06:24:36 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eed94180 by Salvatore Bonaccorso at 2026-06-18T07:22:19+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13,7 +13,7 @@ CVE-2026-9675 (Impact: The undici WebSocket client enforces maxPayloadSize per-f
- node-undici <not-affected> (Vulnerable code not present)
NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq
CVE-2026-9591 (Cross-site request forgery (CSRF) in NewsItemApiController in SimplCom ...)
- TODO: check
+ NOT-FOR-US: SimplCommerce
CVE-2026-9570 (The Taskbuilder WordPress plugin before 5.0.8 does not properly sanit ...)
NOT-FOR-US: WordPress plugin
CVE-2026-8607 (The Points Management System For Gamification, Ranks, Badges, and Loya ...)
@@ -39,13 +39,13 @@ CVE-2026-5667 (Use of Hard-coded Credentials vulnerability in Mitsubishi Electri
CVE-2026-55743 (The shell tool command allowlist in the SecurityPolicy of OpenHuman de ...)
TODO: check
CVE-2026-55738 (A stack-based buffer overflow exists in the raw_to_header() function i ...)
- TODO: check
+ NOT-FOR-US: microtar
CVE-2026-55198 (Hermes WebUI before 0.51.443 contains an authorization bypass vulnerab ...)
- TODO: check
+ NOT-FOR-US: Hermes WebUI
CVE-2026-55197 (Hermes WebUI before 0.51.443 contains a broken access control vulnerab ...)
- TODO: check
+ NOT-FOR-US: Hermes WebUI
CVE-2026-55196 (Hermes WebUI before 0.51.409 contains an authentication bypass vulnera ...)
- TODO: check
+ NOT-FOR-US: Hermes WebUI
CVE-2026-54819 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-54818 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
@@ -83,9 +83,9 @@ CVE-2026-54803 (Subscriber Privilege Escalation in SMS Alert Order Notifications
CVE-2026-54802 (Unauthenticated Broken Authentication in SMS Alert Order Notifications ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-54417 (An integer overflow in the mtar_next() function in src/microtar.c in r ...)
- TODO: check
+ NOT-FOR-US: microtar
CVE-2026-54415 (Missing Authorization in the server management routes (routes/admin.ph ...)
- TODO: check
+ NOT-FOR-US: Azuriom Azuriom CMS
CVE-2026-54196 (Subscriber Privilege Escalation in JetFormBuilder <= 3.6.1 versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-54195 (Unauthenticated Cross Site Scripting (XSS) in JetFormBuilder <= 3.6.0. ...)
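Review bot: the label added for CVE-2026-54415, `+ NOT-FOR-US: Azuriom Azuriom CMS`, repeats the name "Azuriom" twice, which reads like a vendor/product pair where both parts are the same word. Suggest collapsing it to `NOT-FOR-US: Azuriom CMS` so the entry matches the single-name form used for the other NOT-FOR-US lines in this hunk (`microtar`, `WordPress plugin or theme`) and so later greps for prior Azuriom triage hit one consistent spelling.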
@@ -107,19 +107,19 @@ CVE-2026-54185 (Subscriber SQL Injection in Cornerstone < 7.8.8 versions.)
CVE-2026-54184 (Unauthenticated Insecure Direct Object References (IDOR) in Clean Logi ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-53875 (picklescan before 1.0.3 contains a scanning bypass vulnerability in th ...)
- TODO: check
+ NOT-FOR-US: picklescan
CVE-2026-53874 (picklescan before 1.0.1 contains an unsafe deserialization vulnerabili ...)
- TODO: check
+ NOT-FOR-US: picklescan
CVE-2026-53873 (picklescan before 1.0.4 contains an incomplete blocklist for the profi ...)
- TODO: check
+ NOT-FOR-US: picklescan
CVE-2026-53872 (picklescan before 0.0.35 contains an unsafe pickle deserialization vul ...)
- TODO: check
+ NOT-FOR-US: picklescan
CVE-2026-53871 (Hermes WebUI before 0.51.368 contains an authorization bypass vulnerab ...)
- TODO: check
+ NOT-FOR-US: Hermes WebUI
CVE-2026-53870 (Hermes Agent before 0.16.0 creates response_store.db and webhook_subsc ...)
- TODO: check
+ NOT-FOR-US: Hermes Agent
CVE-2026-53869 (Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in W ...)
- TODO: check
+ NOT-FOR-US: Hermes Agent
CVE-2026-53805 (NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthentica ...)
TODO: check
CVE-2026-52716 (Unauthenticated Arbitrary File Deletion in WorkScout-Core <= 1.7.11 ve ...)
@@ -1542,7 +1542,7 @@ CVE-2026-8442 (The WP Review Slider Pro plugin for WordPress is vulnerable to Ar
CVE-2026-8176 (The LatePoint \u2013 Calendar Booking Plugin for Appointments and Even ...)
NOT-FOR-US: WordPress plugin
CVE-2026-5416 (Due to the improper neutralization of special elements used in a name ...)
- TODO: check
+ NOT-FOR-US: TURCK
CVE-2026-54198 (Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-54197 (Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.)
@@ -1610,7 +1610,7 @@ CVE-2026-53841 (OpenClaw before 2026.5.12 contains a cross-site scripting vulner
CVE-2026-53840 (OpenClaw before 2026.5.12 contains an information disclosure vulnerabi ...)
NOT-FOR-US: OpenClaw
CVE-2026-53776 (Perry before 0.5.1166 contains a JWT validation vulnerability that all ...)
- TODO: check
+ NOT-FOR-US: Perry
CVE-2026-52715 (Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-52714 (Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= ...)
@@ -2098,59 +2098,59 @@ CVE-2026-52692 (Unauthenticated Sensitive Data Exposure in Affiliates Manager <=
CVE-2026-50892 (Incorrect access control in the "Let's Encrypt" certificate download e ...)
TODO: check
CVE-2026-50891 (Incorrect access control in the /admin/api/config component of Filesta ...)
- TODO: check
+ NOT-FOR-US: Filestash
CVE-2026-50890 (Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vu ...)
- grocy <itp> (bug #969056)
CVE-2026-50889 (An input handling flaw in the HTTP refresh token process of LLDAP v0.6 ...)
TODO: check
CVE-2026-50888 (An authenticated Server-Side Request Forgery (SSRF) in the custom scra ...)
- TODO: check
+ NOT-FOR-US: Benjamin Jonard Koillection
CVE-2026-50887 (A Server-Side Request Forgery (SSRF) in the automatic short URL title ...)
- TODO: check
+ NOT-FOR-US: shlink
CVE-2026-50886 (Incorrect access control in the webhook management component of Projec ...)
- TODO: check
+ NOT-FOR-US: Firefly
CVE-2026-50885 (Incorrect access control in the share-based read endpoints of Sismics ...)
- TODO: check
+ NOT-FOR-US: Sismics Docs (Teedy)
CVE-2026-50884 (Incorrect access control in statping-ng v0.93.0 allows attackers to es ...)
- TODO: check
+ NOT-FOR-US: statping-ng
CVE-2026-50883 (An HTML injection vulnerability in the /src/highlight.rs component of ...)
- TODO: check
+ NOT-FOR-US: matze wastebin
CVE-2026-50882 (An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 a ...)
- TODO: check
+ NOT-FOR-US: anna-is-cute paste
CVE-2026-50881 (Incorrect access control in the impworks Bonsai v6.0 allows authentica ...)
- TODO: check
+ NOT-FOR-US: impworks Bonsai
CVE-2026-50880 (An issue in the sendmail transport integration component of YouTransfe ...)
- TODO: check
+ NOT-FOR-US: YouTransfer
CVE-2026-50879 (An issue in the uploadPostHandler component of Andrei Marcu linx-serve ...)
- TODO: check
+ NOT-FOR-US: Andrei Marcu linx-server
CVE-2026-50878 (An issue in the attachment handling component of Feuerhamster MailForm ...)
- TODO: check
+ NOT-FOR-US: Feuerhamster MailForm
CVE-2026-50877 (An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a direc ...)
- TODO: check
+ NOT-FOR-US: Zhoros SuperBin
CVE-2026-50876 (A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allow ...)
- TODO: check
+ NOT-FOR-US: Deck9 Input
CVE-2026-50875 (Incorrect access control in the /{form}/webhooks/{webhook} endpoint of ...)
- TODO: check
+ NOT-FOR-US: Deck9 Input
CVE-2026-50874 (An OS command injection vulnerability in the /manage/features/media co ...)
- TODO: check
+ NOT-FOR-US: kanishka-linux Reminiscence
CVE-2026-50873 (An arbitrary file upload vulnerability in the attachment handling comp ...)
- TODO: check
+ NOT-FOR-US: flatnotes
CVE-2026-50872 (An issue in the loopback request handling component of fossar selfoss ...)
- TODO: check
+ NOT-FOR-US: fossar selfoss
CVE-2026-50871 (An OS command injection vulnerability in the media archiving and expor ...)
- TODO: check
+ NOT-FOR-US: kanishka-linux Reminiscence
CVE-2026-50870 (An information disclosure vulnerability in the configuration endpoint ...)
- TODO: check
+ NOT-FOR-US: Ben Busby whoogle-search
CVE-2026-50869 (An issue in the api/plugin.php component of Bludit v3.19.0 allows atta ...)
- TODO: check
+ NOT-FOR-US: Bludit
CVE-2026-50255 (Incorrect default permissions issue exists in Optical Disc Archive Sof ...)
- TODO: check
+ NOT-FOR-US: Optical Disc Archive Software for Windows
CVE-2026-49954 (Discuz! X5.0 releases 20260320 through 20260610 contain a local file i ...)
- TODO: check
+ NOT-FOR-US: Discuz!
CVE-2026-49953 (Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA byp ...)
- TODO: check
+ NOT-FOR-US: Discuz!
CVE-2026-49952 (Discuz! X5.0 releases 20260320 through 20260501 contains an authentica ...)
- TODO: check
+ NOT-FOR-US: Discuz!
CVE-2026-49781 (Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-49780 (Customer Privilege Escalation in Dokan <= 5.0.2 versions.)
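Review bot: the NOT-FOR-US labels in this hunk are inconsistent about whether the upstream author handle is included: `+ NOT-FOR-US: Benjamin Jonard Koillection`, `+ NOT-FOR-US: matze wastebin`, `+ NOT-FOR-US: Andrei Marcu linx-server`, together with `kanishka-linux Reminiscence` and `Ben Busby whoogle-search`, carry the author, while `shlink`, `Firefly`, `statping-ng`, `flatnotes` and `Bludit` are project-only. Since the same upstream recurs within this very hunk (Reminiscence for CVE-2026-50874 and CVE-2026-50871, Deck9 Input for CVE-2026-50876 and CVE-2026-50875), a uniform project-only form (for example `NOT-FOR-US: Koillection`, `NOT-FOR-US: wastebin`, `NOT-FOR-US: linx-server`) would keep searches for earlier triage of the same project reliable; the author name can stay in the CVE description line where it already appears.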
@@ -2761,7 +2761,7 @@ CVE-2026-52704 (Improper Control of Generation of Code ('Code Injection') vulner
CVE-2026-50100 (Multiple printer drivers provided by Ricoh Company, Ltd. and KONICA MI ...)
NOT-FOR-US: Ricoh
CVE-2026-49757 (Authentication Bypass by Spoofing vulnerability in team-alembic AshAut ...)
- TODO: check
+ NOT-FOR-US: team-alembic AshAuthentication
CVE-2026-49294 (Valhalla is an open source routing engine and accompanying libraries f ...)
TODO: check
CVE-2026-49111 (Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed94180a2581eb1dc7b65856272606ddaaa7e82
More information about the debian-security-tracker-commits mailing list