[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Jun 26 08:13:21 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
df82e5dd by security tracker role at 2026-06-26T07:13:15+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,189 @@
+CVE-2026-9222 (Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 a ...)
+ TODO: check
+CVE-2026-9221 (The Setracker2 Android Companion App (com.tgelec.setracker) versions 3 ...)
+ TODO: check
+CVE-2026-9220 (Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 a ...)
+ TODO: check
+CVE-2026-9219 (Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 a ...)
+ TODO: check
+CVE-2026-8797 (An access control deficiency vulnerability exists in ExpressUpdate Age ...)
+ TODO: check
+CVE-2026-8720 (wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when t ...)
+ TODO: check
+CVE-2026-8661 (Server-Side Cross-Site Scripting and Server-Side Request Forgery vulne ...)
+ TODO: check
+CVE-2026-8380 (The Frontend File Manager Plugin WordPress plugin through 23.6 does no ...)
+ TODO: check
+CVE-2026-7532 (iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defi ...)
+ TODO: check
+CVE-2026-7531 (Use-after-free in PQC hybrid key-share handling. This is an incomplete ...)
+ TODO: check
+CVE-2026-7511 (PKCS7_verify signer confusion allows forged signatures, where the sign ...)
+ TODO: check
+CVE-2026-6731 (X.509 name constraint bypass via the Subject Common Name when treated ...)
+ TODO: check
+CVE-2026-6681 (The PKCS#7 decode path ignores the caller-supplied output buffer size ...)
+ TODO: check
+CVE-2026-6679 (A heap buffer overflow could occur in the DTLS 1.3 ACK serialization p ...)
+ TODO: check
+CVE-2026-6678 (Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other R ...)
+ TODO: check
+CVE-2026-6450 (A CRL critical extension bypass exists in ParseCRL_Extensions where cr ...)
+ TODO: check
+CVE-2026-6412 (Certificate policy and RFC 8446 compliance concerns regarding the cont ...)
+ TODO: check
+CVE-2026-6331 (HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-le ...)
+ TODO: check
+CVE-2026-6330 (The ML-KEM ARM64 NEON ciphertext comparison only compares half of the ...)
+ TODO: check
+CVE-2026-6329 (PKCS#12 MAC verification uses an attacker-controlled comparison length ...)
+ TODO: check
+CVE-2026-6325 (Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversiz ...)
+ TODO: check
+CVE-2026-6092 (When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fal ...)
+ TODO: check
+CVE-2026-57522 (Bitwarden Server before 2026.5.0 contains a JSON injection vulnerabili ...)
+ TODO: check
+CVE-2026-57521 (Bitwarden Server before 2026.5.0 contains a broken access control vuln ...)
+ TODO: check
+CVE-2026-57520 (Bitwarden Server before 2026.5.0 contains a privilege escalation vulne ...)
+ TODO: check
+CVE-2026-56445 (The qrscp application's C-STORE handler uses a specific instance from ...)
+ TODO: check
+CVE-2026-55964 (Chain intermediate CA:TRUE without keyCertSign accepted as a signing C ...)
+ TODO: check
+CVE-2026-55962 (TLS 1.3 post-handshake authentication (PHA) issue where a server could ...)
+ TODO: check
+CVE-2026-55960 (Un-negotiated Raw Public Key (RFC 7250) accepted in place of an X.509 ...)
+ TODO: check
+CVE-2026-55958 (Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In ...)
+ TODO: check
+CVE-2026-54479 (The WebSocket backend uses charging station identifiers to uniquely as ...)
+ TODO: check
+CVE-2026-50745 (A missing sanitisation vulnerability exists with user input in the sta ...)
+ TODO: check
+CVE-2026-50744 (A bypass to the admin\u2011only restriction of the XML\u2011RPC API in ...)
+ TODO: check
+CVE-2026-50742 (A stored XSS vulnerabilities exists in the `maintenance-acl-check.php` ...)
+ TODO: check
+CVE-2026-50741 (Bypass to the fix for CVE-2026-34916. Variants of such vectors have be ...)
+ TODO: check
+CVE-2026-50740 (A missing sanitisation vulnerability of user input in the zone-include ...)
+ TODO: check
+CVE-2026-50739 (A bypass for CVE\u20112026\u201134913 exists with proper ownership val ...)
+ TODO: check
+CVE-2026-50176 (The WebSocket Application Programming Interface lacks restrictions on ...)
+ TODO: check
+CVE-2026-46602 (The TIFF decoder does not set a limit on the size of tiles in tiled im ...)
+ TODO: check
+CVE-2026-46601 (The webp decoder can panic when processing a VP8 chunk with dimensions ...)
+ TODO: check
+CVE-2026-44622 (Charging station authentication identifiers are publicly accessible vi ...)
+ TODO: check
+CVE-2026-43920 (FOSSBilling is a free, open-source billing and client management syste ...)
+ TODO: check
+CVE-2026-40941 (Cacti is an open source performance and fault management framework. Ve ...)
+ TODO: check
+CVE-2026-40702 (WebSocket endpoints lack proper authentication mechanisms, enabling at ...)
+ TODO: check
+CVE-2026-40084 (Cacti is an open source performance and fault management framework. Ve ...)
+ TODO: check
+CVE-2026-40083 (Cacti is an open source performance and fault management framework. Ve ...)
+ TODO: check
+CVE-2026-40082 (Cacti is an open source performance and fault management framework. Ve ...)
+ TODO: check
+CVE-2026-40080 (Cacti is an open source performance and fault management framework. Ve ...)
+ TODO: check
+CVE-2026-38640 (A reachable unwrap in the __assert_fail function (/assert/mod.rs) of r ...)
+ TODO: check
+CVE-2026-38637 (An issue in the pthread_rwlockattr_setpshared() function of relibc com ...)
+ TODO: check
+CVE-2026-37454 (Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2 ...)
+ TODO: check
+CVE-2026-37453 (Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2 ...)
+ TODO: check
+CVE-2026-37452 (Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2 ...)
+ TODO: check
+CVE-2026-37149 (GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 wa ...)
+ TODO: check
+CVE-2026-2299 (The Mattermost Google Drive plugin before version 1.1.0 fails to valid ...)
+ TODO: check
+CVE-2026-22879 (vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow ...)
+ TODO: check
+CVE-2026-13322 (A flaw was found in KubeVirt's downward metrics virtio-serial server. ...)
+ TODO: check
+CVE-2026-13318 (A server-side request forgery (SSRF) flaw was found in KubeVirt's virt ...)
+ TODO: check
+CVE-2026-13283 (Use after free in AdFilter in Google Chrome on Android prior to 149.0. ...)
+ TODO: check
+CVE-2026-13282 (Use after free in Payments in Google Chrome on Android prior to 149.0. ...)
+ TODO: check
+CVE-2026-13281 (Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allo ...)
+ TODO: check
+CVE-2026-13226 (The Groundhogg \u2014 CRM, Newsletters, and Marketing Automation plugi ...)
+ TODO: check
+CVE-2026-13218 (A flaw was found in KubeVirt's virt-handler network cache handling. Th ...)
+ TODO: check
+CVE-2026-13083 (A flaw was found in the Pen Drive report generator. Cluster-sourced da ...)
+ TODO: check
+CVE-2026-12993 (A flaw was found in Apicurio Registry. The DocumentBuilderAccessor cor ...)
+ TODO: check
+CVE-2026-12992 (A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates ...)
+ TODO: check
+CVE-2026-12975 (A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableX ...)
+ TODO: check
+CVE-2026-12473 (Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default ...)
+ TODO: check
+CVE-2026-12340 (Out-of-bounds heap read during SM2/SM3 certificate signature verificat ...)
+ TODO: check
+CVE-2026-11800 (A flaw was found in Keycloak. This JWT algorithm confusion vulnerabili ...)
+ TODO: check
+CVE-2026-11703 (Missing SNI/ALPN binding on stateful (session-ID) resumption, which pr ...)
+ TODO: check
+CVE-2026-11310 (X.509 trust-chain bypass in the OpenSSL compatibility certificate veri ...)
+ TODO: check
+CVE-2026-10835 (The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not prope ...)
+ TODO: check
+CVE-2026-10823 (The YMC Filter WordPress plugin before 3.11.3 does not properly author ...)
+ TODO: check
+CVE-2026-10592 (Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA n ...)
+ TODO: check
+CVE-2026-10512 (The X25519 x86_64 assembly implementation fails to clear the most sign ...)
+ TODO: check
+CVE-2026-10098 (OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_s ...)
+ TODO: check
+CVE-2026-10097 (ML-KEM-1024 x64 AVX2 implicit rejection failure in the Fujisaki-Okamot ...)
+ TODO: check
+CVE-2025-71340 (picklescan through 0.0.26 fails to detect malicious pickle files that ...)
+ TODO: check
+CVE-2025-71338 (Flowise contains a path traversal vulnerability in the /api/v1/documen ...)
+ TODO: check
+CVE-2025-71336 (Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) con ...)
+ TODO: check
+CVE-2025-71335 (Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to i ...)
+ TODO: check
+CVE-2025-71334 (Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an ...)
+ TODO: check
+CVE-2025-71333 (Flowise through 2.2.4 contains an unauthenticated arbitrary file uploa ...)
+ TODO: check
+CVE-2025-71328 (Flowise before 3.0.10 contains an unverified password change vulnerabi ...)
+ TODO: check
+CVE-2025-71327 (Flowise contains an authentication bypass vulnerability in the unprote ...)
+ TODO: check
+CVE-2025-71324 (Flowise before 3.0.6 contains an arbitrary file read vulnerability in ...)
+ TODO: check
+CVE-2025-60465 (A use-after-free in the gf_filter_pid_inst_swap function (/filter_core ...)
+ TODO: check
+CVE-2025-60464 (A use-after-free in the gf_sei_load_from_state_internal function (/fil ...)
+ TODO: check
+CVE-2025-10268 (The Printcart Web to Print Product Designer for WooCommerce WordPress ...)
+ TODO: check
+CVE-2021-47987 (Parse Server before 4.10.0 was affected by a supply chain incident in ...)
+ TODO: check
+CVE-2021-47986 (Parse Server before 4.10.0 contains a supply chain vulnerability where ...)
+ TODO: check
+CVE-2020-37256 (Grav before 1.6.30 contains a cross-site scripting vulnerability in th ...)
+ TODO: check
CVE-2026-48750
- incus 7.0.0-5
- lxd <removed>
@@ -461,46 +647,55 @@ CVE-2026-12844 (List::SomeUtils::XS versions before 0.59 for Perl have a heap bu
NOTE: https://www.openwall.com/lists/oss-security/2026/06/25/11
NOTE: Fixed by: https://github.com/houseabsolute/List-SomeUtils-XS/commit/22549f78669b780d6aa338a2d2e49a3dedfffaa6 (v0.59)
CVE-2026-40211 (An attacker can send crafted DNS over HTTP/3 queries, triggering an ex ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40211-denial-of-service-via-crafted-doh3-queries
CVE-2026-40210 (An out-of-bounds read might happen when SetMacAddrAction is used, pote ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40210-out-of-bounds-read-in-setmacaddraction
CVE-2026-40209 (An attacker might be able to cause outgoing TCP connections to backend ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40209-denial-of-service-via-ixfr-queries
CVE-2026-40208 (An attacker might be able to delay the processing of DoH3 queries by s ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40208-denial-of-service-via-doh3-queries
CVE-2026-42004 (An attacker can send a crafted EDNS OPT record that will be ignored by ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-42004-edns-options-smuggling
CVE-2026-40011 (An attacker sending a large number of crafted DNS queries might be abl ...)
+ {DSA-6367-1}
- dnsdist <unfixed>
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40011-prometheus-denial-of-service-via-crafted-dns-queries
CVE-2026-52690 (Spoofing replies to Recursor might mark an IP of an authoritative serv ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-52690-spoofed-answers-can-mark-an-authoritative-non-edns-capable
CVE-2026-42387 (A malicious authoritative server can send a crafted zone via the ZoneT ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42387-insufficient-input-validation-in-zonetocache
CVE-2026-42388 (Incomplete validation of the SOA record present in a catalog zone migh ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
@@ -512,11 +707,13 @@ CVE-2026-42389 (This fix provides extra hardening for the 5.4.x branch by doing
[bullseye] - pdns-recursor <not-affected> (Vulnerable code not present, only affects 5.4.x)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42389-reject-more-queries-with-invalid-header-values
CVE-2026-42390 (An invalid zone might pass ZONEMD validation while it should not. This ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42390-zonemd-validation-can-be-bypassed
CVE-2026-42005 (An attacker can send a web request that causes unlimited memory alloc ...)
+ {DSA-6369-1 DSA-6368-1 DSA-6367-1}
- pdns-recursor 5.3.0-1
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
@@ -532,11 +729,13 @@ CVE-2026-42005 (An attacker can send a web request that causes unlimited memory
NOTE: https://github.com/PowerDNS/pdns/commit/11e4f2da8259e5070e7a193f48d23ade38b71dc0
NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-42005-insufficient-input-validation-of-internal-web-server
CVE-2026-40012 (ECS zero scoped answers are stored in the packet cache while they shou ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-40012-information-about-ecs-zero-scoped-answers-might-leak-to-clients-that-use-a-specific-ecs
CVE-2026-33612 (A malicious authoritative server can send a crafted zone via the ZoneT ...)
+ {DSA-6369-1}
- pdns-recursor <unfixed>
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
@@ -1644,7 +1843,7 @@ CVE-2025-60467 (A use-after-free in the gf_filter_pid_inst_swap_delete_task func
TODO: check
CVE-2025-60466 (A use-after-free in the gf_filter_pid_get_packet function (/filter_cor ...)
TODO: check
-CVE-2026-13201 (A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow fu ...)
+CVE-2026-13201 (A flaw was found in KubeVirt's safepath package used by virt-handler. ...)
NOT-FOR-US: KubeVirt
CVE-2026-13208 (A flaw was found in KubeVirt's virt-handler domain notify server. The ...)
NOT-FOR-US: KubeVirt
@@ -3191,7 +3390,7 @@ CVE-2026-11997 (The Bulk SEO Image plugin for WordPress is vulnerable to Cross-S
NOT-FOR-US: WordPress plugin
CVE-2026-11972 (When using the "tarfile" module with a file opened in "streaming mode" ...)
TODO: check
-CVE-2026-11820 (Module: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM \u2014 AV:N/AC: ...)
+CVE-2026-11820 (A flaw was found in the community.general Ansible collection's nexmo m ...)
NOT-FOR-US: Red Hat
CVE-2026-11819 (Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM \u2014 ...)
NOT-FOR-US: Red Hat
@@ -5197,38 +5396,38 @@ CVE-2026-48931 (A flaw in Node.js HTTP Agent can cause a client to accept as val
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#http-response-queue-poisoning-via-toctou-race-condition-in-httpagent-cve-2026-48931---low
NOTE: https://github.com/nodejs/node/commit/0a22d40180cb796e0d68e94c1a7a8a05a8f47c10 (v22.23.0)
-CVE-2026-48936
+CVE-2026-48936 (A flaw in Node.js Permission API can cause a local server to be starte ...)
- nodejs <not-affected> (Only affects Node.js v26)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unix-domain-socket-server-bypasses---permission-network-restrictions-incomplete-cve-2026-21636-fix-cve-2026-48936---low
-CVE-2026-48935
+CVE-2026-48935 (A flaw in Node.js Permission API can cause a file metadata to be modif ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#permission-model-bypass-via-filehandleutimes-in-the-promises-api-cve-2026-48935---low
NOTE: https://github.com/nodejs/node/commit/28dcd388644c676b5b8149abfe18ec32cd010781 (v22.23.0)
-CVE-2026-48934
+CVE-2026-48934 (A flaw in Node.js TLS host verification can cause an attacker to bypas ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#tls-host-identity-verification-bypass-via-session-reuse-with-different-servername-leads-to-unauthorized-connections-cve-2026-48934---medium
NOTE: https://github.com/nodejs/node/commit/fd890ba01d508ac111bbba302981d7fdf734d2ce (v22.23.0)
-CVE-2026-48930
+CVE-2026-48930 (A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnam ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#embedded-nul-hostnames-can-lead-to-silent-authority-rebinding-due-to-c-string-truncation-in-resolver-bindings-cve-2026-48930---medium
NOTE: https://github.com/nodejs/node/commit/c551a51d0c58dfc91961fb3f24c2c86af6183eca (v22.23.0)
-CVE-2026-48928
+CVE-2026-48928 (A inconsistency in Node.js hostname matching can cause a trust-policy ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#uppercase-sni-context-matching-can-lead-to-mtls-authorization-bypass-due-to-case-sensitive-hostname-matching-cve-2026-48928---medium
NOTE: https://github.com/nodejs/node/commit/39d1d0968471a144d93dc293d640008f57d3c58e (v22.23.0)
-CVE-2026-48619
+CVE-2026-48619 (A flaw in Node.js HTTP/2 client allows a server to send an unlimited n ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unbounded-memory-growth-in-nodehttp2-clients-via-attacker-controlled-origin-frames-cve-2026-48619---medium
NOTE: https://github.com/nodejs/node/commit/c79968e108002c2394bdb9e9cefb2c8c8cc202f8 (v22.23.0)
-CVE-2026-48615
+CVE-2026-48615 (A flaw in Node.js proxy tunnel error handling could expose proxy crede ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#proxy-credentials-leaked-in-err_proxy_tunnel-error-message-cve-2026-48615---medium
NOTE: https://github.com/nodejs/node/commit/9b6af26132f6e87659ce360e6a59f42a03ff1701 (v22.23.0)
-CVE-2026-48618
+CVE-2026-48618 (A flaw in Node.js TLS hostname handling can cause Node.js unicode dot ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-unicode-dot-separator-handling-can-lead-to-tls-wildcard-depth-authentication-bypass-due-to-resolver-and-verifier-hostname-normalization-mismat-cve-2026-48618---high
NOTE: https://github.com/nodejs/node/commit/2197a47144f3356ab451c5dcd858a49eb5957a70 (v22.23.0)
-CVE-2026-48933
+CVE-2026-48933 (A flaw in Node.js WebCrypto implementation can crash the process if th ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-webcrypto-aes-integer-overflow-leads-to-remote-process-abort-dos-cve-2026-48933---high
NOTE: https://github.com/nodejs/node/commit/38b4c5ed51b2ec81c28fbd379fea72e22fa12a15 (v22.23.0)
@@ -15386,12 +15585,12 @@ CVE-2026-11309 (Insufficient policy enforcement in History in Google Chrome prio
- chromium 149.0.7827.53-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-9698 (DBI versions before 1.648 for Perl saved errors in a limited-sized buf ...)
- {DSA-6338-1}
+ {DSA-6338-1 DLA-4649-1}
- libdbi-perl 1.648-1
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40831067/
NOTE: Fixed by: https://github.com/perl5-dbi/dbi/commit/bfe5d73c162d2d1f761a639a0aa33aad6a9eb54e (1.648)
CVE-2026-10879 (DBI versions before 1.648 for Perl have a heap overflow when preparsin ...)
- {DSA-6338-1}
+ {DSA-6338-1 DLA-4649-1}
- libdbi-perl 1.648-1
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40729086/
NOTE: Fixed by: https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978 (1.648)
@@ -51677,7 +51876,7 @@ CVE-2026-2509 (The Page Builder: Pagelayer plugin for WordPress is vulnerable to
NOT-FOR-US: WordPress plugin
CVE-2026-2481 (The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder p ...)
NOT-FOR-US: WordPress plugin
-CVE-2026-2377 (A flaw was found in mirror-registry. Authenticated users can exploit t ...)
+CVE-2026-2377 (A flaw was found in Red Hat Quay and mirror registry for Red Hat OpenS ...)
NOT-FOR-US: Quay
CVE-2026-2104 (GitLab has remediated an issue in GitLab CE/EE affecting all versions ...)
- gitlab <not-affected> (Vulnerable code introduced later)
@@ -64177,6 +64376,7 @@ CVE-2026-26948 (Dell Integrated Dell Remote Access Controller 9, 14G versions pr
CVE-2026-26945 (Dell Integrated Dell Remote Access Controller 9, 14G versions prior to ...)
NOT-FOR-US: Dell / EMC
CVE-2026-26740 (Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attack ...)
+ {DLA-4650-1}
- giflib 6.1.3-1 (bug #1131368)
[trixie] - giflib <no-dsa> (Minor issue)
NOTE: https://github.com/zakkanijia/POC/blob/main/giflib/giftool/giflib_giftool_gce_len_heap_oobwrite_disclosure.md
@@ -68079,6 +68279,7 @@ CVE-2026-23907 (This issue affects the ExtractEmbeddedFiles example inApache PD
NOTE: Examples are not shipped in the Debian package
NOTE: https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw
CVE-2026-23868 (Giflib contains a double-free vulnerability that is the result of a sh ...)
+ {DLA-4650-1}
- giflib 6.1.3-1 (bug #1130495)
[trixie] - giflib <no-dsa> (Minor issue)
NOTE: https://www.facebook.com/security/advisories/cve-2026-23868
@@ -114973,11 +115174,11 @@ CVE-2025-65065
REJECTED
CVE-2025-65064
REJECTED
-CVE-2025-64309 (Brightpick Mission Control discloses device telemetry, configuration, ...)
+CVE-2025-64309 (The affected product discloses device telemetry, configuration, and se ...)
NOT-FOR-US: Brightpick Mission Control
CVE-2025-64308 (The Brightpick Mission Control web application exposes hardcoded crede ...)
NOT-FOR-US: Brightpick Mission Control
-CVE-2025-64307 (The Brightpick Internal Logic Control web interface is accessible wit ...)
+CVE-2025-64307 (The Brightpick Internal Logic Control web interface is accessible with ...)
NOT-FOR-US: Brightpick
CVE-2025-64084 (An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 ...)
NOT-FOR-US: Cloudlog
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df82e5ddfe76e2e1da7a259d35db28bd131bfeab
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df82e5ddfe76e2e1da7a259d35db28bd131bfeab
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260626/f54dd3bf/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list