[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Jun 18 21:02:36 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b34b3d27 by Salvatore Bonaccorso at 2026-06-18T22:02:09+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -68,29 +68,29 @@ CVE-2026-54220 (uBB.threads is vulnerable to aCross-Site Request Forgery (CSRF)
CVE-2026-54219 (UBB.threads is vulnerable to Stored XSS via user posts and user profil ...)
NOT-FOR-US: UBB.threads
CVE-2026-54106 (The U.S. Government Accountability Office (GAO) Electronic Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-54105 (The U.S. Government Accountability Office (GAO) Electronic Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-54104 (The U.S. Government Accountability Office (GAO) Electronic Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-54103 (The U.S. Government Accountability Office (GAO) Electronic Protest Doc ...)
- TODO: check
+ NOT-FOR-US: Government Accountability Office
CVE-2026-50643 (8cc is vulnerable to an Out\u2011of\u2011Bounds Read due to improper h ...)
- TODO: check
+ NOT-FOR-US: 8cc
CVE-2026-50141 (Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to v ...)
TODO: check
CVE-2026-48986 (pam_usb provides hardware authentication for Linux using removable med ...)
- TODO: check
+ NOT-FOR-US: pam_usb
CVE-2026-48985 (pam_usb provides hardware authentication for Linux using ordinary remo ...)
- TODO: check
+ NOT-FOR-US: pam_usb
CVE-2026-48984 (pam_usb provides hardware authentication for Linux using ordinary remo ...)
- TODO: check
+ NOT-FOR-US: pam_usb
CVE-2026-48937 (A flaw in Node.js HTTP/2 server API can cause servers to keep acceptin ...)
TODO: check
CVE-2026-48617 (A flaw in Node.js Permission Model enforcement allows Bypass via `proc ...)
TODO: check
CVE-2026-47833 (setupBpmLogs follows symlink for bpm.log open and chown \u2014 contain ...)
- TODO: check
+ NOT-FOR-US: setupBpmLogs
CVE-2026-46580 (In Eclipse Theia versions prior to 1.71.0, files matching the pattern ...)
TODO: check
CVE-2026-44942 (A path traversal in handling the "path" component of .repo files proce ...)
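Review bot: The tag on CVE-2026-47833, "NOT-FOR-US: setupBpmLogs", names what the description presents as a routine ("setupBpmLogs follows symlink for bpm.log open and chown") rather than a product or vendor, so it will not help anyone grepping the list for the affected software later. Suggest taking the project name from the full CVE record instead. Separately, the three pam_usb entries (CVE-2026-48984 to CVE-2026-48986) describe a Linux PAM module, so it is worth confirming that no source package for it is or was in the archive before closing them as NOT-FOR-US.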
@@ -106,15 +106,15 @@ CVE-2026-40456 (An OS Command Injection vulnerability exists in LMS (LAN Managem
CVE-2026-40455 (An SQL Injection vulnerability exists in LMS (LAN Management System) b ...)
TODO: check
CVE-2026-38718 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38717 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38716 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38715 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-38714 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including ...)
- TODO: check
+ NOT-FOR-US: InHand Networks IR912
CVE-2026-2021 (The Slideshow Gallery LITE plugin for WordPress is vulnerable to Store ...)
NOT-FOR-US: WordPress plugin
CVE-2026-28573 (In AndroidManifest.xml, there is a possible persistent denial of servi ...)
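Review bot: The tag "NOT-FOR-US: InHand Networks IR912" on CVE-2026-38714 through CVE-2026-38718 names only one of the two models in the description, which reads "InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042". A vendor-level tag, "NOT-FOR-US: InHand Networks", would cover both models and match how other hardware vendors are tagged elsewhere in this file (for example "NOT-FOR-US: Tenda").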
@@ -539,7 +539,7 @@ CVE-2026-48142 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx
NOTE: https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7 (release-1.30.3)
NOTE: https://github.com/nginx/nginx/commit/319a0bff157b15d9061f4712b2edbe6fdd2dee66 (release-1.31.2)
CVE-2026-48117 (DroneAware is a drone detection platform. The centralized DroneAware s ...)
- TODO: check
+ NOT-FOR-US: DroneAware
CVE-2026-47340 (Allow authenticated users to access alert instances associated with al ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-47103 (Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code ...)
@@ -618,7 +618,7 @@ CVE-2026-40641 (Dell PowerFlex Manager, version(s) 4.6.0.1, contain(s) an Use of
CVE-2026-3894 (Out-of-bounds Read vulnerability in RTI Connext Professional (Core Lib ...)
NOT-FOR-US: RTI Connext
CVE-2026-3490 (picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing ...)
- TODO: check
+ NOT-FOR-US: picklescan
CVE-2026-39597 (Unauthenticated Cross Site Scripting (XSS) in WPZOOM Addons for Elemen ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-39596 (Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versio ...)
@@ -658,7 +658,7 @@ CVE-2026-39442 (Unauthenticated PHP Object Injection in PressMart <= 1.2.26 vers
CVE-2026-39199 (snes9x 1.63 allows an out-of-bounds write and denial of service via a ...)
TODO: check
CVE-2026-36418 (JimuReport versions 2.3.4 and below are vulnerable to remote code exec ...)
- TODO: check
+ NOT-FOR-US: JimuReport
CVE-2026-35162 (Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper ...)
NOT-FOR-US: Dell / EMC
CVE-2026-35069 (Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper ...)
@@ -1386,7 +1386,7 @@ CVE-2026-46766 (Vulnerability in the Oracle WebCenter Content product of Oracle
CVE-2026-46765 (Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion ...)
NOT-FOR-US: Oracle
CVE-2026-44587 (CarrierWave is a framework to upload files from Ruby applications. In ...)
- TODO: check
+ NOT-FOR-US: CarrierWave
CVE-2026-40761 (Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-40760 (Unauthenticated PHP Object Injection in Behold <= 1.5 versions.)
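Review bot: CVE-2026-44587 is closed as "NOT-FOR-US: CarrierWave", but the description calls it "a framework to upload files from Ruby applications", which is the kind of Ruby library Debian commonly ships as a ruby-* source package. Please confirm against the archive that it is not packaged. If it is, this needs a package entry rather than NOT-FOR-US.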
@@ -2649,27 +2649,27 @@ CVE-2026-48836 (Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2
CVE-2026-48835 (Unauthenticated Broken Access Control in Contact Form by WPForms <= 1. ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-48723 (The browserstack-cypress-cli is BrowserStack's CLI which allows users ...)
- TODO: check
+ NOT-FOR-US: browserstack-cypress-cli
CVE-2026-48714 (i18next-http-middleware is a middleware to be used with Node.js web fr ...)
- TODO: check
+ NOT-FOR-US: i18next-http-middleware
CVE-2026-48713 (Versions prior to 2.6.6 are vulnerable to prototype pollution via craf ...)
- TODO: check
+ NOT-FOR-US: i18next-fs-backend
CVE-2026-48709 (OliveTin gives access to predefined shell commands from a web interfac ...)
- TODO: check
+ NOT-FOR-US: OliveTin
CVE-2026-48708 (OliveTin gives access to predefined shell commands from a web interfac ...)
- TODO: check
+ NOT-FOR-US: OliveTin
CVE-2026-48599 (Authorization Bypass Through User-Controlled Key vulnerability in elix ...)
- TODO: check
+ NOT-FOR-US: elixir-grpc grpc
CVE-2026-48518 (MultiJuicer is used to run separate Juice Shop instances on a central ...)
- TODO: check
+ NOT-FOR-US: MultiJuicer
CVE-2026-48157 (Slim is a PHP micro framework that enables users to write simple web a ...)
TODO: check
CVE-2026-48124 (Cursor is a code editor built for programming with AI. In versions pri ...)
- TODO: check
+ NOT-FOR-US: Cursor
CVE-2026-48114 (Metacat is data repository software that helps researchers preserve, s ...)
- TODO: check
+ NOT-FOR-US: Metacat
CVE-2026-48017 (DbGate is cross-platform database manager. In versions 7.1.8 and prior ...)
- TODO: check
+ NOT-FOR-US: DbGate
CVE-2026-47835 (In Spring AI Vector Stores, special characters could be used to force ...)
NOT-FOR-US: VMware
CVE-2026-47825 (Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded ...)
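Review bot: The tags on CVE-2026-48714 and CVE-2026-48713 ("i18next-http-middleware", "i18next-fs-backend") close two Node.js libraries, a class of software that Debian often packages or carries as embedded copies, so a quick archive search is worth doing before marking them NOT-FOR-US. For CVE-2026-48713 the visible description starts at "Versions prior to 2.6.6" and names no product, so the tag is the only record of what is affected and should be checked against the full CVE text. Minor: "NOT-FOR-US: elixir-grpc grpc" reads like the vendor and product fields run together; "elixir-grpc" alone would be clearer.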
@@ -2920,9 +2920,9 @@ CVE-2026-39007 (An issue in Observeinc's Observe v.2026-01-28 and before allows
CVE-2026-39006 (An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arb ...)
TODO: check
CVE-2026-38812 (RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTa ...)
- TODO: check
+ NOT-FOR-US: RuoYi
CVE-2026-38329 (Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) vi ...)
- TODO: check
+ NOT-FOR-US: Bludit CMS
CVE-2026-38065 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injecti ...)
NOT-FOR-US: Tenda
CVE-2026-38064 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injecti ...)
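Review bot: The tag "NOT-FOR-US: RuoYi" on CVE-2026-38812 is spelled differently from the tag added for the same product on CVE-2026-37216 in the next hunk ("NOT-FOR-US: Ruoyi"). Pick one spelling for both so a case-sensitive search of data/CVE/list finds every entry for the product.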
@@ -2936,17 +2936,17 @@ CVE-2026-38061 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command i
CVE-2026-38060 (Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injecti ...)
NOT-FOR-US: Tenda
CVE-2026-37216 (Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interfa ...)
- TODO: check
+ NOT-FOR-US: Ruoyi
CVE-2026-36933 (An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physical ...)
- TODO: check
+ NOT-FOR-US: Boyleep K11, y108 firmware
CVE-2026-36670 (A Time-Based Blind SQL Injection vulnerability in the alias_management ...)
TODO: check
CVE-2026-36537 (ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during ...)
- TODO: check
+ NOT-FOR-US: ThingsBoard
CVE-2026-36521 (PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability i ...)
- TODO: check
+ NOT-FOR-US: PublicCMS
CVE-2026-36213 (An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local att ...)
- TODO: check
+ NOT-FOR-US: Microvirt MEmu Android Emulator
CVE-2026-34902 (Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Tabl ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-34901 (Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.)
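Review bot: The tag on CVE-2026-36933, "NOT-FOR-US: Boyleep K11, y108 firmware", copies a fragment of the description, comma and firmware name included, instead of naming a vendor or product. "NOT-FOR-US: Boyleep" would be consistent with the vendor-level tags in the surrounding context (such as "NOT-FOR-US: Tenda") and easier to match on later.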
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b34b3d27ba1b685250fe57290d3c038052676a07