[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jun 19 11:51:03 BST 2026 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ec2cc6e8 by Moritz Muehlenhoff at 2026-06-19T12:50:04+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,5 @@
+CVE-2026-55225
+	NOT-FOR-US: Strimzi
 CVE-2026-3865
 	NOT-FOR-US: Kubernetes CSI Driver for SMB
 CVE-2026-9822 (The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce ca ...)
@@ -29,23 +31,23 @@ CVE-2026-56131 (libexpat before 2.8.2 lacks handler call depth tracking for call
 	- expat <unfixed>
 	NOTE: https://github.com/libexpat/libexpat/pull/1267
 CVE-2026-56099 (OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds r ...)
-	TODO: check
+	NOT-FOR-US: OpenBSD
 CVE-2026-56078 (PraisonAI before 1.5.115 contains a path traversal vulnerability in Mu ...)
-	TODO: check
+	NOT-FOR-US: PraisonAI
 CVE-2026-56077 (PraisonAI before 1.5.115 contains an information disclosure vulnerabil ...)
-	TODO: check
+	NOT-FOR-US: PraisonAI
 CVE-2026-56076 (PraisonAI before 1.5.128 contains a cross-origin agent execution vulne ...)
-	TODO: check
+	NOT-FOR-US: PraisonAI
 CVE-2026-56075 (PraisonAI before 4.5.128 contains an arbitrary shell command execution ...)
-	TODO: check
+	NOT-FOR-US: PraisonAI
 CVE-2026-56074 (PraisonAI before 1.5.128 caches tool approval decisions by tool name o ...)
-	TODO: check
+	NOT-FOR-US: PraisonAI
 CVE-2026-54414 (FileRise before 3.16.0 is vulnerable to path traversal in the shared-f ...)
 	TODO: check
 CVE-2026-54130 (Missing authentication for critical function in M365 Copilot allows an ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-54017 (Open WebUI is a self-hosted artificial intelligence platform designed  ...)
-	TODO: check
+	NOT-FOR-US: Open WebUI
 CVE-2026-52866 (An attacker within BLE communication range can monopolize the device's ...)
 	TODO: check
 CVE-2026-50034 (An attacker within BLE communication range can passively intercept  wi ...)
@@ -55,13 +57,13 @@ CVE-2026-4328 (The Advanced Import plugin for WordPress is vulnerable to Server-
 CVE-2026-49454 (Relyra is a strict-by-default SAML 2.0 Service Provider library for El ...)
 	TODO: check
 CVE-2026-49257 (mcp-pinot is a Python-based Model Context Protocol (MCP) server for in ...)
-	TODO: check
+	NOT-FOR-US: mcp-pinot
 CVE-2026-49252 (deepstream is a server that allows clients and backend services to syn ...)
 	TODO: check
 CVE-2026-49248 (OneDev is a Git server with CI/CD, kanban, and packages. In versions 1 ...)
 	TODO: check
 CVE-2026-49205 (phpMyFAQ is an open source FAQ web application. Versions prior to  4.1 ...)
-	TODO: check
+	NOT-FOR-US: phpMyFAQ
 CVE-2026-48983 (pam_usb provides hardware authentication for Linux using ordinary remo ...)
 	TODO: check
 CVE-2026-48982 (pam_usb provides hardware authentication for Linux using ordinary remo ...)
@@ -71,17 +73,17 @@ CVE-2026-48981 (pam_usb provides hardware authentication for Linux using ordinar
 CVE-2026-48980 (pam_usb provides hardware authentication for Linux using removable med ...)
 	TODO: check
 CVE-2026-48716 (nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, ...)
-	TODO: check
+	NOT-FOR-US: nanobot
 CVE-2026-47847 (Bitnami MariaDB Galera container images and Helm chart are affected by ...)
-	TODO: check
+	NOT-FOR-US: Bitnami container
 CVE-2026-47846 (Bitnami Cassandra container images are affected by a retained default  ...)
-	TODO: check
+	NOT-FOR-US: Bitnami container
 CVE-2026-47647 (Improper access control in Microsoft Dynamics 365 allows an authorized ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-47633 (Exposure of sensitive information to an unauthorized actor in Cost Man ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-46699 (conda-smithy is a tool for combining a conda recipe with configuration ...)
-	TODO: check
+	NOT-FOR-US: conda-smithy
 CVE-2026-45696 (OpenEXR is the reference implementation and specification for the EXR  ...)
 	- openexr <unfixed>
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-gjpj-qv64-vwhf
@@ -103,7 +105,7 @@ CVE-2026-2842
 CVE-2026-25865 (Punto Switcher through 4.5.0.583 contains an unquoted search path elem ...)
 	TODO: check
 CVE-2026-22674 (Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a  ...)
-	TODO: check
+	NOT-FOR-US: Hashgraph Guardian
 CVE-2026-1856 (The Appointment Booking Calendar plugin for WordPress is vulnerable to ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-12644 (Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Un ...)
@@ -113,19 +115,19 @@ CVE-2026-12430 (The Blocksy Companion plugin for WordPress is vulnerable to Stor
 CVE-2026-12157 (The BetterDocs - Knowledge Base Docs & FAQ Solution for Elementor & Bl ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-12050 (SQL injection in pgAdmin 4's named restore point endpoint (POST /brows ...)
-	TODO: check
+	- pgadmin4 <itp> (bug #834129)
 CVE-2026-12049 (Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA ...)
-	TODO: check
+	- pgadmin4 <itp> (bug #834129)
 CVE-2026-12048 (Stored cross-site scripting in pgAdmin 4's error-rendering and plan-no ...)
-	TODO: check
+	- pgadmin4 <itp> (bug #834129)
 CVE-2026-12047 (HTML injection in pgAdmin 4's cloud deployment module. The verify_cred ...)
-	TODO: check
+	- pgadmin4 <itp> (bug #834129)
 CVE-2026-12046 (Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DE ...)
-	TODO: check
+	- pgadmin4 <itp> (bug #834129)
 CVE-2026-12045 (Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an a ...)
-	TODO: check
+	- pgadmin4 <itp> (bug #834129)
 CVE-2026-12044 (SQL injection in pgAdmin 4 across every dialog template that renders ` ...)
-	TODO: check
+	- pgadmin4 <itp> (bug #834129)
 CVE-2026-11989 (The Bit integrations \u2013 Form Integration, Webhook, Spreadsheets, C ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-11775 (The User Admin Simplifier plugin for WordPress is vulnerable to Cross- ...)
@@ -137,7 +139,7 @@ CVE-2026-10779 (The Classified Listing \u2013 Classified ads & Business Director
 CVE-2026-10746
 	REJECTED
 CVE-2026-10720 (Canonical MicroCeph versions from the squid and tentacle track are vul ...)
-	TODO: check
+	NOT-FOR-US: MicroCeph
 CVE-2026-10034 (The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to author ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-7737 (DoS Vulnerability in 10G iSCSI Interface of Hitachi Virtual Storage Pl ...)
@@ -283,11 +285,11 @@ CVE-2026-44691 (In Eclipse Theia versions prior to 1.69.0, custom task definitio
 CVE-2026-44688 (In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed ...)
 	TODO: check
 CVE-2026-40457 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LA ...)
-	TODO: check
+	NOT-FOR-US: LMS (LAN Management System)
 CVE-2026-40456 (An OS Command Injection vulnerability exists in LMS (LAN Management Sy ...)
-	TODO: check
+	NOT-FOR-US: LMS (LAN Management System)
 CVE-2026-40455 (An SQL Injection vulnerability exists in LMS (LAN Management System) b ...)
-	TODO: check
+	NOT-FOR-US: LMS (LAN Management System)
 CVE-2026-38718 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including ...)
 	NOT-FOR-US: InHand Networks IR912
 CVE-2026-38717 (InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including ...)
@@ -311,7 +313,7 @@ CVE-2026-12527 (A broken authorization boundary in the RTSP media delivery pipel
 CVE-2026-12475
 	REJECTED
 CVE-2026-12390 (In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulne ...)
-	TODO: check
+	NOT-FOR-US: AzeoTech DAQFactory
 CVE-2026-12137 (The SysBasics Customize My Account for WooCommerce \u2013 Dashboard, E ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-12136 (The Customize My Account For Woocommerce plugin for WordPress is vulne ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec2cc6e8364c3d037a217c81f7fde455510af1e3

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec2cc6e8364c3d037a217c81f7fde455510af1e3
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260619/b766da01/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list