[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Jun 19 21:24:29 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
16f7f0f7 by Salvatore Bonaccorso at 2026-06-19T22:24:07+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -45,9 +45,9 @@ CVE-2026-51843 (Tenda AC7 v15.03.06.44 contains a stack buffer overflow vulnerab
CVE-2026-50242 (In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 20 ...)
NOT-FOR-US: JetBrains
CVE-2026-4027 (A security vulnerability has been identified in FlexNet Manager Suite ...)
- TODO: check
+ NOT-FOR-US: FlexNet Manager Suite
CVE-2026-4026 (A security vulnerability has been identified in FlexNet Manager Suite ...)
- TODO: check
+ NOT-FOR-US: FlexNet Manager Suite
CVE-2026-49872 (Improper Authentication vulnerability in Apache APISIX. When the cas- ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-49871 (Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin ...)
@@ -59,11 +59,11 @@ CVE-2026-49358 (PhpWeasyPrint is a PHP library allowing PDF generation from a UR
CVE-2026-49357 (Line Desktop MCP is a project that, while unaffiliated with the offici ...)
NOT-FOR-US: Line Desktop MCP
CVE-2026-49339 (gonic is a music streaming server / free-software subsonic server API ...)
- TODO: check
+ NOT-FOR-US: gonic music streaming server
CVE-2026-49336 (@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for K ...)
TODO: check
CVE-2026-49293 (js-toml is a TOML parser for JavaScript, fully compliant with the TOML ...)
- TODO: check
+ NOT-FOR-US: js-toml
CVE-2026-49291 (mcp-memory-service is a semantic memory layer for AI applications. Pri ...)
NOT-FOR-US: mcp-memory-service
CVE-2026-49290 (Slopsmith is a self-contained web application for browsing, playing, a ...)
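Review bot: for CVE-2026-49293 the NOT-FOR-US rests on js-toml being an npm library, and npm libraries are exactly what reaches the archive as node-* packages or as vendored copies inside other node-* packages; the tag should be backed by an archive check rather than the project's origin alone (compare CVE-2026-11525 further down in this same file, where undici is tracked as node-undici instead of being NFU'd). The same archive check applies to the Go module gonic in CVE-2026-49339. Style point: "NOT-FOR-US: gonic" would match the bare-name form used for mcp-memory-service and js-toml in this hunk, instead of "gonic music streaming server".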
@@ -134,13 +134,13 @@ CVE-2026-12619 (Improper Neutralization of Input During Web Page Generation (XSS
CVE-2026-12238 (The WP Go Maps \u2013 Most Popular Map Plugin plugin for WordPress is ...)
NOT-FOR-US: WordPress plugin
CVE-2026-12104 (OS command injection in the environment and tunnel configuration funct ...)
- TODO: check
+ NOT-FOR-US: SIMA GmbH Bondix
CVE-2026-11941 (Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in ...)
- TODO: check
+ NOT-FOR-US: Cloudflare Quiche
CVE-2026-11576 (The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refacto ...)
NOT-FOR-US: Eclipse
CVE-2025-71326 (AVAST Antivirus 25.11 contains an unquoted service path vulnerability ...)
- TODO: check
+ NOT-FOR-US: AVAST Antivirus
CVE-2025-62821 (Microsoft HEIF Image Extensions 1.2.22.0 has an out-of-bounds read bec ...)
TODO: check
CVE-2023-54357 (Joomla com_booking component 2.4.9 contains an information disclosure ...)
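Review bot: the tag added for CVE-2026-12104, "NOT-FOR-US: SIMA GmbH Bondix", cannot be checked against this diff, because the truncated description in the hunk ("OS command injection in the environment and tunnel configuration funct ...") names no vendor or product; please confirm the product name against the CVE record before it is committed as the reason for ignoring the issue. Secondary: CVE-2025-62821 (Microsoft HEIF Image Extensions) stays "TODO: check" in the same hunk although it is a Windows-only component and could have been resolved in the same pass.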
@@ -1317,18 +1317,18 @@ CVE-2026-12151 (Impact: The undici WebSocket client enforces maxPayloadSize on t
CVE-2026-12115 (The Counter Box \u2013 Add Countdowns, Timers & Dynamic Counters to Wo ...)
NOT-FOR-US: WordPress plugin
CVE-2026-11975 (Stored cross-site scripting (XSS) in NewsItemApiControllerIn SimplComm ...)
- TODO: check
+ NOT-FOR-US: SimplCommerce
CVE-2026-11858 (Quanos SCHEMA ST4 on-premises contains a local privilege escalation vu ...)
- TODO: check
+ NOT-FOR-US: Quanos SCHEMA ST4 on-premises
CVE-2026-11857 (Quanos SCHEMA ST4 on-premises contains a local privilege escalation vu ...)
- TODO: check
+ NOT-FOR-US: Quanos SCHEMA ST4 on-premises
CVE-2026-11525 (Impact: When undici parses a Set-Cookie header, it accepts any SameSit ...)
- node-undici <unfixed> (bug #1140363)
NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m
CVE-2026-11311 (When NGINX Plus is configured as the data plane for NGINX Gateway Fabr ...)
TODO: check
CVE-2026-10850 (Plane CE 1.3.1 allows a low-privileged project member to submit arbitr ...)
- TODO: check
+ NOT-FOR-US: Plane
CVE-2026-10839 (Open redirection vulnerability in the authentication system allows an ...)
TODO: check
CVE-2026-10837 (Open redirection vulnerability due to insufficient validation of the X ...)
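Review bot: CVE-2026-11311 is the one entry in this hunk left as "TODO: check" while its neighbours are resolved; the description names NGINX Plus as the data plane for NGINX Gateway Fabric, and neither of those is the nginx source package Debian ships, so either mark it NOT-FOR-US in the same pass or add a NOTE recording why the issue is believed to concern the open-source nginx as well. The rest of the hunk looks consistent, including the identical tags on the two Quanos SCHEMA ST4 entries (CVE-2026-11858 and CVE-2026-11857).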
@@ -2266,7 +2266,7 @@ CVE-2026-11410 (An authenticated OS command injection vulnerability exists in th
CVE-2026-11409 (An authenticated OS command injection vulnerability exists in the IPv6 ...)
NOT-FOR-US: TPLink
CVE-2026-10303 (In ServerCo getssl version 2.49 and prior, the ACME challenge token re ...)
- TODO: check
+ NOT-FOR-US: ServerCo getssl
CVE-2026-0165 (In several functions of the RTCP packet decoder, there is a possible o ...)
NOT-FOR-US: Google devices
CVE-2026-0164 (In Modem, there is a possible out of bounds write due to a missing bou ...)
@@ -2928,7 +2928,7 @@ CVE-2026-0646 (A denial-of-service security issue exists within the 1794-AENTR a
CVE-2025-9912 (Nokia SR Linux is vulnerable to a local privilege escalation vulnerabi ...)
NOT-FOR-US: Nokia
CVE-2025-71261 (An attacker with network-level access between the SUSE Virtualization ...)
- TODO: check
+ NOT-FOR-US: Rancher
CVE-2025-68045 (Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 v ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-14272 (A security issue wasidentifiedin Pavilion due to improperauthorization ...)
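Review bot: the tag for CVE-2025-71261 reads "NOT-FOR-US: Rancher", but the description visible in the hunk names "SUSE Virtualization", so the tag does not match the product the CVE text refers to. If the affected component is Rancher according to the full advisory, fine, otherwise use "SUSE Virtualization" so that a later search of data/CVE/list for that product finds the entry.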
@@ -3483,15 +3483,15 @@ CVE-2026-39435 (Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3
CVE-2026-39434 (Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-39197 (An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector ...)
- TODO: check
+ NOT-FOR-US: Datadog, Inc Vector
CVE-2026-39196 (Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection ...)
- TODO: check
+ NOT-FOR-US: Datadog, Inc Vector
CVE-2026-39118 (An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local ...)
- TODO: check
+ NOT-FOR-US: Iru, Inc Kandji Agent
CVE-2026-39007 (An issue in Observeinc's Observe v.2026-01-28 and before allows a remo ...)
- TODO: check
+ NOT-FOR-US: Observeinc's Observe
CVE-2026-39006 (An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arb ...)
- TODO: check
+ NOT-FOR-US: SNMP4J-Agent
CVE-2026-38812 (RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTa ...)
NOT-FOR-US: RuoYi
CVE-2026-38329 (Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) vi ...)
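Review bot: CVE-2026-39006 concerns SNMP4J-Agent, a Java library, and libraries are the category most likely to turn up bundled in another source package; the NOT-FOR-US should rest on an archive search for an snmp4j source package or embedded jars, not on the upstream name alone. Style point for CVE-2026-39118 and CVE-2026-39007: the tags copy the CVE prose verbatim ("Iru, Inc Kandji Agent", "Observeinc's Observe"), including the possessive; plain product names ("Kandji Agent", "Observe") read better and match the shorter form used for "Plane" and "js-toml" elsewhere in this commit.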
@@ -3535,9 +3535,9 @@ CVE-2026-34891 (Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway
CVE-2026-34886 (Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 ve ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-30121 (remotion-dev remotion v4.0.409 was discovered to contain an arbitrary ...)
- TODO: check
+ NOT-FOR-US: remotion-dev remotion
CVE-2026-30120 (remotion-dev remotion v4.0.409 was discovered to contain a remote code ...)
- TODO: check
+ NOT-FOR-US: remotion-dev remotion
CVE-2026-27407 (Editor Privilege Escalation in AI Engine <= 3.4.9 versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-27333 (Unauthenticated Deserialization of untrusted data in Paid Videochat Tu ...)
@@ -3575,7 +3575,7 @@ CVE-2025-68851 (Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.
CVE-2025-68840 (Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-68713 (An issue was discovered in Rakuten Send Anywhere (File Transfer) for A ...)
- TODO: check
+ NOT-FOR-US: Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere)
CVE-2025-68049 (Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2025-60175 (Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 ver ...)
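Review bot: the tag for CVE-2025-68713 carries the Android package identifier "(com.estmob.android.sendanywhere)"; a NOT-FOR-US line is a one-line triage marker, and the identifier is nothing a Debian maintainer would grep for, so "NOT-FOR-US: Rakuten Send Anywhere (Android)" is sufficient and keeps the entry in line with the length of the other tags in this commit.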
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16f7f0f77cff004834c8ab696e669f8f0bd8d363