[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Mar 14 09:26:56 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
76b96e07 by Salvatore Bonaccorso at 2026-03-14T10:25:43+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -415,7 +415,7 @@ CVE-2026-31897 (FreeRDP is a free implementation of the Remote Desktop Protocol.
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xgv6-r22m-7c9x
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/cd27c8faca0eeb0d4309cc5837dfdf3c42eba4e7 (3.24.0)
 CVE-2026-31886 (Dagu is a workflow engine with a built-in Web user interface. Prior to ...)
-	TODO: check
+	NOT-FOR-US: Dagu
 CVE-2026-31885 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
 	- freerdp3 3.24.0+dfsg-1
 	- freerdp2 <removed>
@@ -433,9 +433,9 @@ CVE-2026-31883 (FreeRDP is a free implementation of the Remote Desktop Protocol.
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-85x9-4xxp-xhm5
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a51f68fb1626429e58b531b7c8 (3.24.0)
 CVE-2026-31882 (Dagu is a workflow engine with a built-in Web user interface. Prior to ...)
-	TODO: check
+	NOT-FOR-US: Dagu
 CVE-2026-31864 (JumpServer is an open source bastion host and an operation and mainten ...)
-	TODO: check
+	NOT-FOR-US: JumpServer
 CVE-2026-31814 (Yamux is a stream multiplexer over reliable, ordered connections such  ...)
 	TODO: check
 CVE-2026-31806 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
@@ -444,13 +444,13 @@ CVE-2026-31806 (FreeRDP is a free implementation of the Remote Desktop Protocol.
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrqm-46rj-cmx2
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/83d9aedea278a74af3e490ff5eeb889c016dbb2b (3.24.0)
 CVE-2026-31798 (JumpServer is an open source bastion host and an operation and mainten ...)
-	TODO: check
+	NOT-FOR-US: JumpServer
 CVE-2026-30961 (Gokapi is a self-hosted file sharing server with automatic expiration  ...)
-	TODO: check
+	NOT-FOR-US: Gokapi
 CVE-2026-30955 (Gokapi is a self-hosted file sharing server with automatic expiration  ...)
-	TODO: check
+	NOT-FOR-US: Gokapi
 CVE-2026-30943 (Gokapi is a self-hosted file sharing server with automatic expiration  ...)
-	TODO: check
+	NOT-FOR-US: Gokapi
 CVE-2026-30915 (SFTPGo is an open source, event-driven file transfer solution. SFTPGo  ...)
 	TODO: check
 CVE-2026-30914 (SFTPGo is an open source, event-driven file transfer solution. In SFTP ...)
@@ -785,13 +785,13 @@ CVE-2026-32116 (Magic Wormhole makes it possible to get arbitrary-sized files an
 CVE-2026-32100 (Shopware is an open commerce platform. /api/_info/config route exposes ...)
 	NOT-FOR-US: Shopware
 CVE-2026-31890 (Inspektor Gadget is a set of tools and framework for data collection a ...)
-	TODO: check
+	NOT-FOR-US: Inspektor Gadget
 CVE-2026-31873 (Unhead is a document head and template manager. Prior to 2.1.11, The l ...)
-	TODO: check
+	NOT-FOR-US: Unhead
 CVE-2026-31860 (Unhead is a document head and template manager. Prior to 2.1.11, useHe ...)
-	TODO: check
+	NOT-FOR-US: Unhead
 CVE-2026-31841 (Hyperterse is a tool-first MCP framework for building AI-ready backend ...)
-	TODO: check
+	NOT-FOR-US: Hyperterse
 CVE-2026-2987 (The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cros ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-2514 (In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnera ...)
@@ -1402,7 +1402,7 @@ CVE-2026-31868 (Parse Server is an open source backend that can be deployed to a
 CVE-2026-31867 (Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 ...)
 	NOT-FOR-US: Craft Commerce
 CVE-2026-31866 (flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2 ...)
-	TODO: check
+	NOT-FOR-US: flagd
 CVE-2026-31863 (Anytype Heart is the middleware library for Anytype. The challenge-bas ...)
 	NOT-FOR-US: Anytype Heart
 CVE-2026-31862 (Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude C ...)
@@ -1461,7 +1461,7 @@ CVE-2026-28803 (Open Forms allows users create and publish smart forms. Prior to
 CVE-2026-28229 (Argo Workflows is an open source container-native workflow engine for  ...)
 	NOT-FOR-US: Argo CD
 CVE-2026-27897 (Vociferous provides cross-platform, offline speech-to-text with local  ...)
-	TODO: check
+	NOT-FOR-US: Vociferous
 CVE-2026-27703 (RIOT is an open-source microcontroller operating system, designed to m ...)
 	NOT-FOR-US: RIOT-OS
 CVE-2026-27478 (Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4. ...)
@@ -1690,7 +1690,7 @@ CVE-2026-31808 (file-type detects the file type of a file, stream, or data. Prio
 CVE-2026-31807 (SiYuan is a personal knowledge management system. Prior to 3.5.10, SiY ...)
 	NOT-FOR-US: SiYuan
 CVE-2026-31801 (zot is ancontainer image/artifact registry based on the Open Container ...)
-	TODO: check
+	NOT-FOR-US: zot
 CVE-2026-31800 (Parse Server is an open source backend that can be deployed to any inf ...)
 	NOT-FOR-US: Parse Server
 CVE-2026-30972 (Parse Server is an open source backend that can be deployed to any inf ...)
@@ -1708,7 +1708,7 @@ CVE-2026-30954 (LinkAce is a self-hosted archive to collect website links. In 2.
 CVE-2026-30953 (LinkAce is a self-hosted archive to collect website links. When a user ...)
 	NOT-FOR-US: LinkAce
 CVE-2026-30952 (liquidjs is a Shopify / GitHub Pages compatible template engine in pur ...)
-	TODO: check
+	NOT-FOR-US: Node liquidjs
 CVE-2026-30951 (Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injecti ...)
 	NOT-FOR-US: Sequelize
 CVE-2026-30949 (Parse Server is an open source backend that can be deployed to any inf ...)
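Review bot: The tag on CVE-2026-30952 reads "NOT-FOR-US: Node liquidjs", while the very next entry, Sequelize (described as a Node.js ORM tool), is tagged with the bare project name and no ecosystem prefix. Pick one form for Node modules so that a search over NOT-FOR-US tags stays predictable: either drop "Node" here or add it to the Sequelize line.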
@@ -1752,7 +1752,7 @@ CVE-2026-28807 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
 CVE-2026-28806 (Improper Authorization vulnerability in nerves-hub nerves_hub_web allo ...)
 	TODO: check
 CVE-2026-27842 (Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which ...)
-	TODO: check
+	NOT-FOR-US: MR-GM5L-S1 and MR-GM5A-L1
 CVE-2026-27278 (Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and e ...)
 	NOT-FOR-US: Adobe
 CVE-2026-27272 (Illustrator versions 29.8.4, 30.1 and earlier are affected by an out-o ...)
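Review bot: The tag for CVE-2026-27842 consists of two model numbers ("MR-GM5L-S1 and MR-GM5A-L1"), where neighbouring entries name a vendor or product, such as "NOT-FOR-US: Adobe". Model strings are hard to recognise or search for later; naming the vendor from the full CVE description, with the models after it if needed, would make the entry easier to match when further CVEs for the same devices arrive.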



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76b96e07403542faf4bb987ef872431df1dd4c0b
