[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Jun 22 20:13:40 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ee62803 by security tracker role at 2026-06-22T19:13:34+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,6 +1,278 @@
-CVE-2026-11373
+CVE-2026-9610 (IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9 ...)
+	TODO: check
+CVE-2026-9320 (IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Applic ...)
+	TODO: check
+CVE-2026-9162 (Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5 ...)
+	TODO: check
+CVE-2026-9072 (IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IB ...)
+	TODO: check
+CVE-2026-9071 (IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Applic ...)
+	TODO: check
+CVE-2026-9029 (The geomap panel's XYZ tile layer has a sanitize-then-interpolate orde ...)
+	TODO: check
+CVE-2026-9006 (IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server- ...)
+	TODO: check
+CVE-2026-8934 (A Missing Authorization vulnerability in a GraphQL private API operati ...)
+	TODO: check
+CVE-2026-8858 (IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server and IBM ...)
+	TODO: check
+CVE-2026-8823 (Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to vali ...)
+	TODO: check
+CVE-2026-8646 (IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Applica ...)
+	TODO: check
+CVE-2026-8636 (IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9 ...)
+	TODO: check
+CVE-2026-8074 (Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enfo ...)
+	TODO: check
+CVE-2026-8059 (IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9 ...)
+	TODO: check
+CVE-2026-7664 (IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attac ...)
+	TODO: check
+CVE-2026-7253 (IBM Watson Speech Services Cartridge is vulnerable to Server-Side Requ ...)
+	TODO: check
+CVE-2026-7167 (The vulnerability arises when the system fails to properly validate th ...)
+	TODO: check
+CVE-2026-7166 (Vulnerability involving the exposure of sensitive data provided withou ...)
+	TODO: check
+CVE-2026-7165 (The vulnerability is present in the \u2018/addJugador\u2019 endpoint:  ...)
+	TODO: check
+CVE-2026-6673 (Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5 ...)
+	TODO: check
+CVE-2026-6062 (Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5 ...)
+	TODO: check
+CVE-2026-5139 (Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5 ...)
+	TODO: check
+CVE-2026-56450 (AIL did not restrict repeated failed attempts to verify a two-factor a ...)
+	TODO: check
+CVE-2026-56448 (A path traversal vulnerability exists in AIL Framework before the rele ...)
+	TODO: check
+CVE-2026-56447 (MISP allowed an authenticated site administrator to set the Kafka_rdka ...)
+	TODO: check
+CVE-2026-56446 (MISP allowed a site administrator to configure an arbitrary filesystem ...)
+	TODO: check
+CVE-2026-56425 (The Azure Active Directory (AAD) authentication implementation contain ...)
+	TODO: check
+CVE-2026-56424 (MISP core contained multiple broken access-control flaws where authori ...)
+	TODO: check
+CVE-2026-56423 (MISP Core contained broken access-control checks in the bulk deletion  ...)
+	TODO: check
+CVE-2026-56422 (Multiple MISP core controllers and model capture paths accepted client ...)
+	TODO: check
+CVE-2026-56109 (The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 c ...)
+	TODO: check
+CVE-2026-56104 (Chainlit before 2.10.1 contains a session hijacking vulnerability that ...)
+	TODO: check
+CVE-2026-55602 (http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 un ...)
+	TODO: check
+CVE-2026-55443 (LangChain is a framework for building agents and LLM-powered applicati ...)
+	TODO: check
+CVE-2026-55388 (piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2,  ...)
+	TODO: check
+CVE-2026-54665 (Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from o ...)
+	TODO: check
+CVE-2026-54300 (@astrojs/netlify is an adapter that allows Astro to deploy your hybrid ...)
+	TODO: check
+CVE-2026-54299 (Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerende ...)
+	TODO: check
+CVE-2026-54298 (Astro is a web framework. Prior to 6.4.6, the spreadAttributes functio ...)
+	TODO: check
+CVE-2026-54293 (NLTK (Natural Language Toolkit) is a suite of open source Python modul ...)
+	TODO: check
+CVE-2026-54290 (Hono is a Web application framework that provides support for any Java ...)
+	TODO: check
+CVE-2026-54289 (Hono is a Web application framework that provides support for any Java ...)
+	TODO: check
+CVE-2026-54288 (Hono is a Web application framework that provides support for any Java ...)
+	TODO: check
+CVE-2026-54287 (Hono is a Web application framework that provides support for any Java ...)
+	TODO: check
+CVE-2026-54286 (Hono is a Web application framework that provides support for any Java ...)
+	TODO: check
+CVE-2026-54285 (opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8. ...)
+	TODO: check
+CVE-2026-54283 (Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1. ...)
+	TODO: check
+CVE-2026-54282 (Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the ...)
+	TODO: check
+CVE-2026-54280 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54279 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54278 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54277 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54276 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54275 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54274 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54273 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-54271 (protobufjs-cli is the command line add-on for protobuf.js. Prior to 1. ...)
+	TODO: check
+CVE-2026-54270 (protobufjs compiles protobuf definitions into JavaScript (JS) function ...)
+	TODO: check
+CVE-2026-54269 (protobufjs compiles protobuf definitions into JavaScript (JS) function ...)
+	TODO: check
+CVE-2026-54268 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-54267 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-54266 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-54265 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-54264 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-54100 (A flaw was found in the Windows Machine Config Operator (WMCO) for Red ...)
+	TODO: check
+CVE-2026-54099 (A flaw was found in the Windows Machine Config Operator (WMCO) for Red ...)
+	TODO: check
+CVE-2026-53779 (WebP Server Go through 0.14.4 contains a path traversal vulnerability  ...)
+	TODO: check
+CVE-2026-53778
+	REJECTED
+CVE-2026-53663 (React Router is a router for React. From 7.12.0 until 7.15.1, certain  ...)
+	TODO: check
+CVE-2026-53655 (node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...)
+	TODO: check
+CVE-2026-53632 (launch-editor allows users to open files with line numbers in editor f ...)
+	TODO: check
+CVE-2026-53571 (Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16,  ...)
+	TODO: check
+CVE-2026-53550 (js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a craf ...)
+	TODO: check
+CVE-2026-53540 (Python-Multipart is a streaming multipart parser for Python. Prior to  ...)
+	TODO: check
+CVE-2026-53539 (Python-Multipart is a streaming multipart parser for Python. Prior to  ...)
+	TODO: check
+CVE-2026-53538 (Python-Multipart is a streaming multipart parser for Python. Prior to  ...)
+	TODO: check
+CVE-2026-53537 (Python-Multipart is a streaming multipart parser for Python. Prior to  ...)
+	TODO: check
+CVE-2026-52725 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50557 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50556 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50555 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50269 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
+	TODO: check
+CVE-2026-50184 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50178 (The Angular Language Service VS Code Extension provides a rich editing ...)
+	TODO: check
+CVE-2026-50171 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50170 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50169 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50168 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-50146 (Astro is a web framework. Prior to 6.3.3, when a component uses a clie ...)
+	TODO: check
+CVE-2026-49356 (Babel is a compiler for writing next generation JavaScript. Prior to 8 ...)
+	TODO: check
+CVE-2026-49241 (The Angular Language Service VS Code Extension provides a rich editing ...)
+	TODO: check
+CVE-2026-48712 (protobufjs compiles protobuf definitions into JavaScript (JS) function ...)
+	TODO: check
+CVE-2026-46417 (Angular is a development platform for building mobile and desktop web  ...)
+	TODO: check
+CVE-2026-44914 (Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replac ...)
+	TODO: check
+CVE-2026-44913 (Improper escaping of database table names in the CaptureChangeMySQL Pr ...)
+	TODO: check
+CVE-2026-44911 (Authorization handling for component configuration verification reques ...)
+	TODO: check
+CVE-2026-42129 (The Loki datasource plugin's callResource handler contains a path trav ...)
+	TODO: check
+CVE-2026-42127 (The public dashboard query endpoint does not limit request body size b ...)
+	TODO: check
+CVE-2026-41049 (Incorrect caching of authentication between different users of the qSn ...)
+	TODO: check
+CVE-2026-41048 (Incorrect caching of authentication between different polkit methods i ...)
+	TODO: check
+CVE-2026-41047 (Lack of authentication when using the "snapshot diff" functions in qSn ...)
+	TODO: check
+CVE-2026-41046 (A path traversal attack when using a "configName" parameter in qSnappe ...)
+	TODO: check
+CVE-2026-41045 (A time-to-check-time-of-use in polkit authentication of qSnapper befor ...)
+	TODO: check
+CVE-2026-28381 (The Snowflake datasource allows for GET/PUT commands, which can allow  ...)
+	TODO: check
+CVE-2026-12888 (An HTML injection vulnerability exists in the Google Chat webhook noti ...)
+	TODO: check
+CVE-2026-12863 (An unvalidated redirect was contained in Venueless' social login funct ...)
+	TODO: check
+CVE-2026-12862 (Untrusted user data was passed verbatim to Excel exports for administr ...)
+	TODO: check
+CVE-2026-12725 (A heap-based buffer overflow was found in dnsmasq. When DNSSEC validat ...)
+	TODO: check
+CVE-2026-12628 (IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Pro ...)
+	TODO: check
+CVE-2026-12602 (Incorrect default permissions in ArubaSign, affecting versions prior t ...)
+	TODO: check
+CVE-2026-12581 (EasyFlow .NET developed by Digiwin has a Session Fixation vulnerabilit ...)
+	TODO: check
+CVE-2026-12580 (EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting v ...)
+	TODO: check
+CVE-2026-12549 (The fix for CVE-2026-2443 was regressed by a subsequent rework commit  ...)
+	TODO: check
+CVE-2026-12479 (A path traversal vulnerability exists in keras-team/keras version 3.14 ...)
+	TODO: check
+CVE-2026-12249 (An issue was discovered in Canonical ADSys upstream versions through v ...)
+	TODO: check
+CVE-2026-11994 (Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting ...)
+	TODO: check
+CVE-2026-11943 (Akaunting 3.1.21 contains an authenticated stored cross-site scripting ...)
+	TODO: check
+CVE-2026-11942 (Akaunting 3.1.21 contains an authenticated stored cross-site scripting ...)
+	TODO: check
+CVE-2026-11834 (A command injection vulnerability has been identified in the DHCP opti ...)
+	TODO: check
+CVE-2026-11825
+	REJECTED
+CVE-2026-11372 (IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to  ...)
+	TODO: check
+CVE-2026-10845 (IBM WebSphere Application Server 8.5 and 9.0could allow a remote attac ...)
+	TODO: check
+CVE-2026-10789 (A maliciously crafted webpage, when visited by a user with Autodesk Fu ...)
+	TODO: check
+CVE-2026-10601 (The Tempo and Loki datasource plugins construct backend HTTP requests  ...)
+	TODO: check
+CVE-2026-10561 (IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an im ...)
+	TODO: check
+CVE-2025-66389 (GitHub Copilot 1.372.0 allows filesystem access outside of a workspace ...)
+	TODO: check
+CVE-2025-66336 (Apache Doris MCP Server contains a SQL injection vulnerability in a me ...)
+	TODO: check
+CVE-2025-62198 (An authenticated user can perform XSS.  This issue affects Apache Atla ...)
+	TODO: check
+CVE-2025-4994 (The SafeLine SL6 and SL6+ devices integrated into elevator emergency i ...)
+	TODO: check
+CVE-2025-33128 (IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 02 ...)
+	TODO: check
+CVE-2025-2669 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data  ...)
+	TODO: check
+CVE-2024-54178 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data  ...)
+	TODO: check
+CVE-2024-51454 (IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 03 ...)
+	TODO: check
+CVE-2023-45796 (A stored cross-site scripting vulnerability in the Runtime component o ...)
+	TODO: check
+CVE-2023-45795 (A cross-site scripting vulnerability in the Builder Component of Pilz  ...)
+	TODO: check
+CVE-2023-33854 (IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data  ...)
+	TODO: check
+CVE-2026-11373 (Net::Statsite::Client versions through 1.1.0 for Perl allow metric inj ...)
 	NOT-FOR-US: Net::Statsite::Client Perl module
-CVE-2026-6653
+CVE-2026-6653 (Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2  ...)
 	- libxml2 2.14.5+dfsg-0.1
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/22/3
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1058
@@ -65549,11 +65821,12 @@ CVE-2026-30798 (Insufficient Verification of Data Authenticity, Improper Handlin
 	NOT-FOR-US: RustDesk Client
 CVE-2026-30797 (Missing Authorization vulnerability in rustdesk-client RustDesk Client ...)
 	NOT-FOR-US: RustDesk Client
-CVE-2026-30796 (Cleartext Transmission of Sensitive Information vulnerability in rustd ...)
+CVE-2026-30796 (Cleartext Transmission of Sensitive Information, Insufficiently Protec ...)
 	NOT-FOR-US: RustDesk Server Pro (not same as src:rustdesk, itp'ed #1038942)
 CVE-2026-30795 (Cleartext Transmission of Sensitive Information vulnerability in rustd ...)
 	NOT-FOR-US: RustDesk Client
-CVE-2026-30794 (Improper Certificate Validation vulnerability in rustdesk-client RustD ...)
+CVE-2026-30794
+	REJECTED
 	NOT-FOR-US: RustDesk Client
 CVE-2026-30793 (Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client Rus ...)
 	NOT-FOR-US: RustDesk Client
@@ -65561,13 +65834,15 @@ CVE-2026-30792 (A vulnerability in rustdesk-client RustDesk Client rustdesk-clie
 	NOT-FOR-US: RustDesk Client
 CVE-2026-30791 (Use of a Broken or Risky Cryptographic Algorithm vulnerability in rust ...)
 	NOT-FOR-US: RustDesk Client
-CVE-2026-30790 (Improper Restriction of Excessive Authentication Attempts, Use of Pass ...)
+CVE-2026-30790
+	REJECTED
 	- rustdesk <itp> (bug #1038942)
-CVE-2026-30789 (Authentication Bypass by Capture-replay, Use of Password Hash With Ins ...)
+CVE-2026-30789 (Use of Password Hash With Insufficient Computational Effort, Improper  ...)
 	NOT-FOR-US: RustDesk Client
 CVE-2026-30785 (Improperly Controlled Modification of Object Prototype Attributes ('Pr ...)
 	NOT-FOR-US: RustDesk Client
-CVE-2026-30784 (Missing Authorization, Missing Authentication for Critical Function vu ...)
+CVE-2026-30784
+	REJECTED
 	- rustdesk <itp> (bug #1038942)
 CVE-2026-30783 (A vulnerability in rustdesk-client RustDesk Client rustdesk-client on  ...)
 	NOT-FOR-US: RustDesk Client



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee628032fa5aa9aafe625c5a88da416a09f6596

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee628032fa5aa9aafe625c5a88da416a09f6596
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260622/7d978584/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list