[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jun 18 08:13:43 BST 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
521f3d54 by security tracker role at 2026-06-18T07:13:37+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,147 @@
+CVE-2026-9860 (The Offload, AI & Optimize with Cloudflare Images plugin for WordPress ...)
+	TODO: check
+CVE-2026-9199 (The Equalize Digital Accessibility Checker \u2013 WCAG, ADA, EAA and S ...)
+	TODO: check
+CVE-2026-8050 (In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL ha ...)
+	TODO: check
+CVE-2026-8049 (In SignalRGB versions prior to 1.3.7.0, the \\.\SignalIo device object ...)
+	TODO: check
+CVE-2026-55740 (Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb9 ...)
+	TODO: check
+CVE-2026-55202 (Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly v ...)
+	TODO: check
+CVE-2026-55201 (Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path trave ...)
+	TODO: check
+CVE-2026-55200 (libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bou ...)
+	TODO: check
+CVE-2026-55199 (libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authen ...)
+	TODO: check
+CVE-2026-54533 (vantage6 is an open-source infrastructure for privacy preserving analy ...)
+	TODO: check
+CVE-2026-54445 (vantage6 is an open-source infrastructure for privacy preserving analy ...)
+	TODO: check
+CVE-2026-54388 (Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject req ...)
+	TODO: check
+CVE-2026-54387 (Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile  ...)
+	TODO: check
+CVE-2026-54386 (marimo before 0.23.9 contains a reflected cross-site scripting vulnera ...)
+	TODO: check
+CVE-2026-53676 (ThingsBoard contains a prototype pollution vulnerability which may lea ...)
+	TODO: check
+CVE-2026-50268 (Steeltoe is an open source project that provides a collection of libra ...)
+	TODO: check
+CVE-2026-50267 (Steeltoe is an open source project that provides a collection of libra ...)
+	TODO: check
+CVE-2026-50202 (Steeltoe is an open source project that provides a collection of libra ...)
+	TODO: check
+CVE-2026-50201 (Steeltoe is an open source project that provides a collection of libra ...)
+	TODO: check
+CVE-2026-50200 (Steeltoe is an open source project that provides a collection of libra ...)
+	TODO: check
+CVE-2026-50196 (Steeltoe is an open source project that provides a collection of libra ...)
+	TODO: check
+CVE-2026-50194 (Steeltoe is an open source project that provides a collection of libra ...)
+	TODO: check
+CVE-2026-50107 (When NGINX Plus or NGINX Open Source is configured as the data plane f ...)
+	TODO: check
+CVE-2026-49133 (Typemill before 2.24.0 contains a path traversal vulnerability that al ...)
+	TODO: check
+CVE-2026-48997 (e107 is a content management system (CMS). Versions  2.3.5 and earlier ...)
+	TODO: check
+CVE-2026-48991 (XianYuLauncher is a Minecraft Java Edition launcher. In versions prior ...)
+	TODO: check
+CVE-2026-48990 (joserfc is a Python library that provides an implementation of several ...)
+	TODO: check
+CVE-2026-48989 (Windows-MCP is an open-source project that integrates AI agents with W ...)
+	TODO: check
+CVE-2026-48988 (markdown-it is a Markdown parser. Versions 14.1.1 and below contain a  ...)
+	TODO: check
+CVE-2026-48979 (PHP Standard Library (PSL) is set of APIs covering async, collections, ...)
+	TODO: check
+CVE-2026-48823 (Shaarli is a personal bookmarking service. Versions 0.16.1 and prior c ...)
+	TODO: check
+CVE-2026-48822 (Shaarli is a personal bookmarking service. Versions 0.16.1 and prior c ...)
+	TODO: check
+CVE-2026-48821 (Shaarli is a personal bookmarking service. Versions 0.16.1 and prior c ...)
+	TODO: check
+CVE-2026-48820 (CakePHP is a rapid development framework for PHP. In versions 4.5.11 a ...)
+	TODO: check
+CVE-2026-48817 (Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 a ...)
+	TODO: check
+CVE-2026-48814 (Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versio ...)
+	TODO: check
+CVE-2026-48768 (TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POS ...)
+	TODO: check
+CVE-2026-48764 (TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF v ...)
+	TODO: check
+CVE-2026-48759 (TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an I ...)
+	TODO: check
+CVE-2026-45617 (LiquidJS is a Shopify/GitHub Pages compatible template engine written  ...)
+	TODO: check
+CVE-2026-45357 (LiquidJS is a Shopify/GitHub Pages compatible template engine written  ...)
+	TODO: check
+CVE-2026-44646 (LiquidJS is a Shopify/GitHub Pages compatible template engine written  ...)
+	TODO: check
+CVE-2026-44645 (LiquidJS is a Shopify/GitHub Pages compatible template engine written  ...)
+	TODO: check
+CVE-2026-44644 (LiquidJS is a Shopify/GitHub Pages compatible template engine written  ...)
+	TODO: check
+CVE-2026-32682 (When NGINX Gateway Fabric is configured using GRPCRoutes, an authentic ...)
+	TODO: check
+CVE-2026-12569 (A critical remote code execution (RCE) vulnerability has been reported ...)
+	TODO: check
+CVE-2026-12568 (The postman_download module uses the workspace name field from the Pos ...)
+	TODO: check
+CVE-2026-12567 (The github_workflows module constructs local directory paths from user ...)
+	TODO: check
+CVE-2026-12566 (The docker_pull module uses the realm parameter from a Docker registry ...)
+	TODO: check
+CVE-2026-12565 (The unarchive internal module's archive extraction commands perform no ...)
+	TODO: check
+CVE-2026-12530 (Improper neutralization of argument delimiters in the install_packages ...)
+	TODO: check
+CVE-2026-12529 (A security vulnerability has been detected in SourceCodester CET Autom ...)
+	TODO: check
+CVE-2026-12505 (A flaw was found in the cifs-utils package where the cifs.upcall helpe ...)
+	TODO: check
+CVE-2026-12407 (The E2Pdf \u2013 Export Pdf Tool for WordPress plugin for WordPress is ...)
+	TODO: check
+CVE-2026-12120 (The FireBox Popups \u2013 Increase Sales and Grow Your Email List plug ...)
+	TODO: check
+CVE-2026-12093 (The Simple Membership plugin for WordPress is vulnerable to authorizat ...)
+	TODO: check
+CVE-2026-11784 (The Optimole \u2013 Optimize Images | Convert WebP & AVIF | CDN & Lazy ...)
+	TODO: check
+CVE-2026-11777 (The Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact For ...)
+	TODO: check
+CVE-2026-11776 (The Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact For ...)
+	TODO: check
+CVE-2026-11407 (Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability ...)
+	TODO: check
+CVE-2026-11402 (The Services Section Block \u2013 Showcase Service Details in Grid or  ...)
+	TODO: check
+CVE-2026-11360 (The Advanced Order Export For WooCommerce plugin for WordPress is vuln ...)
+	TODO: check
+CVE-2026-11358 (The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, ...)
+	TODO: check
+CVE-2026-11357 (The Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor pl ...)
+	TODO: check
+CVE-2026-10741 (Sonatype Nexus Repository Manager before 3.93.0 contains an authorizat ...)
+	TODO: check
+CVE-2026-10736 (The Tutor LMS \u2013 eLearning and online course solution plugin for W ...)
+	TODO: check
+CVE-2026-10696 (Use of an incorrectly resolved name or reference in the pinget backend ...)
+	TODO: check
+CVE-2026-10623 (The PressPrimer Quiz \u2013 AI Quiz Maker, Exam Builder & LMS Assessme ...)
+	TODO: check
+CVE-2026-10029 (The Event Koi Lite \u2013 Events Calendar, Event Management, RSVP, and ...)
+	TODO: check
+CVE-2026-10023 (The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2 ...)
+	TODO: check
+CVE-2024-27928 (vantage6 is an open-source infrastructure for privacy preserving analy ...)
+	TODO: check
+CVE-2024-24769 (vantage6 is an open-source infrastructure for privacy preserving analy ...)
+	TODO: check
 CVE-2026-9697 (Impact: undici's ProxyAgent silently drops the requestTls option when  ...)
 	- node-undici <unfixed>
 	NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g
@@ -11641,7 +11785,7 @@ CVE-2026-48188 (An improper Input Validation vulnerability in OTRS or ((OTRS)) C
 CVE-2026-48187 (An uncontrolled allocation of resources without limits or throttling i ...)
 	NOT-FOR-US: OTRS
 	NOTE: Could possibly affect Znuny, we'll let their security team figure it out
-CVE-2026-47294 (Deserialization of untrusted data in Microsoft Office SharePoint allow ...)
+CVE-2026-47294 (Improper neutralization of special elements used in an os command ('os ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-46605 (Incomplete authorization by Apache ActiveMQ server before versions v6. ...)
 	- activemq <unfixed>
@@ -18999,7 +19143,7 @@ CVE-2026-9277 (shell-quote's `quote()` function did not validate object-token in
 	NOTE: https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
 	NOTE: https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d (v1.8.4)
 CVE-2026-9256 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ ...)
-	{DSA-6326-1}
+	{DSA-6326-1 DLA-4634-1}
 	- nginx 1.30.1-3 (bug #1137339)
 	NOTE: https://my.f5.com/manage/s/article/K000161377
 	NOTE: Fixed by: https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068 (release-1.30.2)
@@ -24914,7 +25058,7 @@ CVE-2026-35438 (Missing authorization in Windows Admin Center allows an authoriz
 	NOT-FOR-US: Microsoft
 CVE-2026-35436 (Use after free in Microsoft Office allows an authorized attacker to el ...)
 	NOT-FOR-US: Microsoft
-CVE-2026-35433 (Heap-based buffer overflow in .NET allows an unauthorized attacker to  ...)
+CVE-2026-35433 (Improper input validation in .NET allows an unauthorized attacker to e ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-35429 (User interface (ui) misrepresentation of critical information in Micro ...)
 	NOT-FOR-US: Microsoft
@@ -30091,7 +30235,8 @@ CVE-2026-43128 (In the Linux kernel, the following vulnerability has been resolv
 	[bookworm] - linux 6.1.170-1
 	[bullseye] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/104016eb671e19709721c1b0048dd912dc2e96be (7.0-rc2)
-CVE-2026-43122 (In the Linux kernel, the following vulnerability has been resolved:  A ...)
+CVE-2026-43122
+	REJECTED
 	TODO: check
 CVE-2026-43121 (In the Linux kernel, the following vulnerability has been resolved:  i ...)
 	- linux 6.19.6-1
@@ -62686,7 +62831,8 @@ CVE-2025-36105 (IBM Planning Analytics Advanced Certified Containers 3.1.0 throu
 	NOT-FOR-US: IBM
 CVE-2025-2399 (Improper Validation of Specified Index, Position, or Offset in Input v ...)
 	NOT-FOR-US: Mitsubishi
-CVE-2025-15603 (A security vulnerability has been detected in open-webui up to 0.6.16. ...)
+CVE-2025-15603
+	REJECTED
 	NOT-FOR-US: open-webui
 CVE-2025-11158 (Hitachi Vantara Pentaho Data Integration & Analytics versions before 1 ...)
 	NOT-FOR-US: Hitachi Vantana



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/521f3d54743967581aa9ece789091f859b407caa

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/521f3d54743967581aa9ece789091f859b407caa
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260618/d866560e/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list