[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jun 19 14:49:46 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
78aab5b9 by Moritz Muehlenhoff at 2026-06-19T15:48:15+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -73,9 +73,9 @@ CVE-2026-54130 (Missing authentication for critical function in M365 Copilot all
 CVE-2026-54017 (Open WebUI is a self-hosted artificial intelligence platform designed  ...)
 	NOT-FOR-US: Open WebUI
 CVE-2026-52866 (An attacker within BLE communication range can monopolize the device's ...)
-	TODO: check
+	NOT-FOR-US: Apollo Pharmacy
 CVE-2026-50034 (An attacker within BLE communication range can passively intercept  wi ...)
-	TODO: check
+	NOT-FOR-US: Apollo Pharmacy
 CVE-2026-4328 (The Advanced Import plugin for WordPress is vulnerable to Server-Side  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-49454 (Relyra is a strict-by-default SAML 2.0 Service Provider library for El ...)
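Review bot: The new tag on CVE-2026-52866 and CVE-2026-50034 gives only "Apollo Pharmacy", while both visible descriptions refer to a BLE device without naming it. Adding the device or product name to the NOT-FOR-US text would let a later search for the hardware find both entries.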
@@ -121,19 +121,19 @@ CVE-2026-43915 (Coturn is a free open source implementation of TURN and STUN Ser
 	- coturn 4.12.0-1
 	NOTE: https://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j
 CVE-2026-40624 (Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115 ...)
-	TODO: check
+	NOT-FOR-US: AVer
 CVE-2026-32174 (Improper authentication in Azure Bot Service allows an authorized atta ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-2842
 	REJECTED
 CVE-2026-25865 (Punto Switcher through 4.5.0.583 contains an unquoted search path elem ...)
-	TODO: check
+	NOT-FOR-US: Punto Switcher
 CVE-2026-22674 (Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a  ...)
 	NOT-FOR-US: Hashgraph Guardian
 CVE-2026-1856 (The Appointment Booking Calendar plugin for WordPress is vulnerable to ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-12644 (Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Un ...)
-	TODO: check
+	NOT-FOR-US: Node ts-deepmerge
 CVE-2026-12430 (The Blocksy Companion plugin for WordPress is vulnerable to Stored Cro ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-12157 (The BetterDocs - Knowledge Base Docs & FAQ Solution for Elementor & Bl ...)
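Review bot: CVE-2026-12644 is closed as "NOT-FOR-US: Node ts-deepmerge" without any sign that embedded copies were looked for. The description covers every version of the package before 8.0.0, and small npm modules are often bundled inside other source packages, so a quick search of the archive for vendored copies is worth doing before the TODO is dropped.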
@@ -157,7 +157,7 @@ CVE-2026-11989 (The Bit integrations \u2013 Form Integration, Webhook, Spreadshe
 CVE-2026-11775 (The User Admin Simplifier plugin for WordPress is vulnerable to Cross- ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-11752 (A vulnerability has been identified in armeria-xds versions 1.38.0 thr ...)
-	TODO: check
+	NOT-FOR-US: Armeria
 CVE-2026-10779 (The Classified Listing \u2013 Classified ads & Business Directory plug ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-10746
@@ -347,9 +347,9 @@ CVE-2026-28573 (In AndroidManifest.xml, there is a possible persistent denial of
 CVE-2026-22551 (In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdo ...)
 	NOT-FOR-US: Eclipse
 CVE-2026-12539 (Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied o ...)
-	TODO: check
+	NOT-FOR-US: Docker Sandboxes
 CVE-2026-12527 (A broken authorization boundary in the RTSP media delivery pipeline of ...)
-	TODO: check
+	NOT-FOR-US: Shenzhen Liandian Communication Technology
 CVE-2026-12475
 	REJECTED
 CVE-2026-12390 (In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulne ...)
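Review bot: CVE-2026-12539 is tagged "NOT-FOR-US: Docker Sandboxes" although the description names a Docker component (sbx) and Docker itself is packaged. It is worth confirming that sbx is not built from any packaged Docker source, and a short NOTE line saying so would stop the entry from being re-triaged later.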
@@ -365,17 +365,17 @@ CVE-2026-12102 (The UsersWP \u2013 Front-end login form, User Registration, User
 CVE-2026-12098 (The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vu ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-12039 (Docker Sandboxes (sbx) enforces an HTTP/S-only egress allowlist but do ...)
-	TODO: check
+	NOT-FOR-US: Docker Sandboxes
 CVE-2026-11982 (Grav 2.0.0-rc.9 with Admin2 2.0.0-rc.14 contains a stored cross-site s ...)
-	TODO: check
+	NOT-FOR-US: Grav CMS
 CVE-2026-11958 (Local privilege escalation by loading DLLs from a shared temporary dir ...)
-	TODO: check
+	NOT-FOR-US: DFIR-ORC
 CVE-2026-11719 (An authenticated authorization bypass vulnerability exists in MCP Tool ...)
-	TODO: check
+	NOT-FOR-US: mcp-toolbox
 CVE-2026-11718 (An authentication bypass vulnerability exists in the generic opaque to ...)
-	TODO: check
+	NOT-FOR-US: mcp-toolbox
 CVE-2026-11717 (An authentication bypass vulnerability exists in the generic opaque to ...)
-	TODO: check
+	NOT-FOR-US: mcp-toolbox
 CVE-2026-11395 (The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side R ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-10687
@@ -494,7 +494,7 @@ CVE-2026-48988 (markdown-it is a Markdown parser. Versions 14.1.1 and below cont
 	NOTE: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
 	NOTE: https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5 (14.2.0)
 CVE-2026-48979 (PHP Standard Library (PSL) is set of APIs covering async, collections, ...)
-	TODO: check
+	NOT-FOR-US: PHP Standard Library (PSL)
 CVE-2026-48823 (Shaarli is a personal bookmarking service. Versions 0.16.1 and prior c ...)
 	- shaarli <unfixed> (bug #1140347)
 	NOTE: https://github.com/shaarli/Shaarli/security/advisories/GHSA-68qr-fvv8-6mc6
@@ -530,7 +530,7 @@ CVE-2026-44645 (LiquidJS is a Shopify/GitHub Pages compatible template engine wr
 CVE-2026-44644 (LiquidJS is a Shopify/GitHub Pages compatible template engine written  ...)
 	NOT-FOR-US: LiquidJS
 CVE-2026-32682 (When NGINX Gateway Fabric is configured using GRPCRoutes, an authentic ...)
-	TODO: check
+	NOT-FOR-US: NGINX Gateway Fabric
 CVE-2026-12569 (A critical remote code execution (RCE) vulnerability has been reported ...)
 	NOT-FOR-US: PTC WindChill
 CVE-2026-12568 (The postman_download module uses the workspace name field from the Pos ...)
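Review bot: For CVE-2026-32682 the visible description only says the issue appears when NGINX Gateway Fabric is configured using GRPCRoutes, which does not show whether the flaw sits in Gateway Fabric or in the nginx code it drives. Since nginx is packaged, please check the advisory for the affected component before settling on NOT-FOR-US.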
@@ -562,7 +562,7 @@ CVE-2026-11777 (The Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Conta
 CVE-2026-11776 (The Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact For ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-11407 (Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability ...)
-	TODO: check
+	NOT-FOR-US: Pimcore
 CVE-2026-11402 (The Services Section Block \u2013 Showcase Service Details in Grid or  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-11360 (The Advanced Order Export For WooCommerce plugin for WordPress is vuln ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78aab5b9aa3e2c7f325e17b3d19a0426f334e475
