[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Mar 18 12:34:18 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b5450408 by Moritz Muehlenhoff at 2026-03-18T13:33:24+01:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -92,7 +92,7 @@ CVE-2026-31938 (jsPDF is a library to generate PDFs in JavaScript. Prior to vers
CVE-2026-31898 (jsPDF is a library to generate PDFs in JavaScript. Prior to version 4. ...)
- jspdf <itp> (bug #998381)
CVE-2026-31891 (Cockpit is a headless content management system. Any Cockpit CMS insta ...)
- TODO: check
+ NOT-FOR-US: Cockpit Content Platform (different from src:cockpit)
CVE-2026-31865 (Elysia is a Typescript framework for request validation, type inferenc ...)
NOT-FOR-US: Elysia
CVE-2026-30922 (pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pya ...)
@@ -118,7 +118,7 @@ CVE-2026-28500 (Open Neural Network Exchange (ONNX) is an open standard for mach
- onnx <unfixed>
NOTE: https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m
CVE-2026-28499 (LeafKit is a templating language with Swift-inspired syntax. Prior to ...)
- TODO: check
+ NOT-FOR-US: LeafKit
CVE-2026-27980 (Next.js is a React framework for building full-stack web applications. ...)
NOT-FOR-US: Next.js
CVE-2026-27979 (Next.js is a React framework for building full-stack web applications. ...)
@@ -315,71 +315,71 @@ CVE-2026-28563 (Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies end
CVE-2026-28506 (Outline is a service that allows for collaborative documentation. Prio ...)
NOT-FOR-US: Outline
CVE-2026-26929 (Apache Airflow versions 3.0.0 through 3.1.7FastAPI DagVersion listing ...)
- TODO: check
+ - airflow <itp> (bug #819700)
CVE-2026-25936 (GLPI is a free Asset and IT management software package. Starting in v ...)
- TODO: check
+ - glpi <removed>
CVE-2026-25790 (Wazuh is a free and open source platform used for threat prevention, d ...)
- TODO: check
+ NOT-FOR-US: Wazuh
CVE-2026-25772 (Wazuh is a free and open source platform used for threat prevention, d ...)
- TODO: check
+ NOT-FOR-US: Wazuh
CVE-2026-25771 (Wazuh is a free and open source platform used for threat prevention, d ...)
- TODO: check
+ NOT-FOR-US: Wazuh
CVE-2026-25770 (Wazuh is a free and open source platform used for threat prevention, d ...)
- TODO: check
+ NOT-FOR-US: Wazuh
CVE-2026-25769 (Wazuh is a free and open source platform used for threat prevention, d ...)
- TODO: check
+ NOT-FOR-US: Wazuh
CVE-2026-25534 (### Impact Spinnaker updated URL Validation logic on user input to pro ...)
- TODO: check
+ NOT-FOR-US: clouddriver-artifacts
CVE-2026-24901 (Outline is a service that allows for collaborative documentation. Prio ...)
- TODO: check
+ NOT-FOR-US: Outline
CVE-2026-23759 (Perle IOLAN STS/SCS terminal server models with firmware versions prio ...)
- TODO: check
+ NOT-FOR-US: Perle IOLAN STS/SCS terminal
CVE-2026-22882 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2026-21886 (OpenCTI is an open source platform for managing cyber threat intellige ...)
- TODO: check
+ NOT-FOR-US: OpenCTI
CVE-2026-21570 (This High severity RCE (Remote Code Execution) vulnerability was intro ...)
NOT-FOR-US: Atlassian
CVE-2026-20726 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2026-1323 (The extension fails to properly define allowed classes used when deser ...)
NOT-FOR-US: TYPO3 (core or extensions)
CVE-2025-66633 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-66617 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-66503 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-66342 (A type confusion vulnerability exists in the EMF functionality of Canv ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-66042 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-66000 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-65119 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-64776 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-64735 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-64733 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-64301 (An out\u2011of\u2011bounds write vulnerability exists in the EMF funct ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-62500 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-62403 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-62320 (HTML Injection can be carried out in Product when a web application do ...)
NOT-FOR-US: HCL
CVE-2025-61979 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-61952 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-58427 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-47873 (An out-of-bounds read vulnerability exists in the EMF functionality of ...)
- TODO: check
+ NOT-FOR-US: Canva Affinity
CVE-2025-31966 (HCL Sametime is vulnerable to broken server-side validation. While the ...)
NOT-FOR-US: HCL
CVE-2025-15584 (Netskope was notified about a potential gap in its Endpoint DLP Module ...)
@@ -427,7 +427,7 @@ CVE-2026-3237 (In affected versions of Octopus Server it was possible for a low
CVE-2026-2579 (The WowStore \u2013 Store Builder & Product Blocks for WooCommerce plu ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2454 (Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10. ...)
- TODO: check
+ - mattermost-server <itp> (bug #823556)
CVE-2026-2373 (The Royal Addons for Elementor \u2013 Addons and Templates Kit for Ele ...)
NOT-FOR-US: WordPress plugin
CVE-2026-29522 (ZwickRoell Test Data Management versions prior to3.0.8 contain a local ...)
@@ -435,13 +435,13 @@ CVE-2026-29522 (ZwickRoell Test Data Management versions prior to3.0.8 contain a
CVE-2026-26230 (Mattermost versions 10.11.x <= 10.11.10 fail to properly validate perm ...)
- mattermost-server <itp> (bug #823556)
CVE-2026-21991 (A DTrace component, dtprobed, allows arbitrary file creation through c ...)
- TODO: check
+ NOT-FOR-US: Oracle Linux
CVE-2026-1629 (Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached perm ...)
- mattermost-server <itp> (bug #823556)
CVE-2025-69902 (A command injection vulnerability in the minimal_wrapper.py component ...)
- TODO: check
+ NOT-FOR-US: kubectl-mcp-server
CVE-2025-50881 (The `flow/admin/moniteur.php` script in Use It Flow administration web ...)
- TODO: check
+ NOT-FOR-US: Use It Flow
CVE-2026-4177 (YAML::Syck versions through 1.36 for Perl has several potential securi ...)
- libyaml-syck-perl 1.36-2
NOTE: https://lists.security.metacpan.org/cve-announce/msg/38035745/
@@ -633,17 +633,17 @@ CVE-2026-22545 (Mattermost versions 10.11.x <= 10.11.10 fail to validate user's
CVE-2026-21386 (Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10. ...)
- mattermost-server <itp> (bug #823556)
CVE-2025-69809 (A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows una ...)
- TODO: check
+ NOT-FOR-US: Bareiron
CVE-2025-69808 (An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 al ...)
- TODO: check
+ NOT-FOR-US: Bareiron
CVE-2025-69784 (A local, non-privileged attacker can abuse a vulnerable IOCTL interfac ...)
- TODO: check
+ NOT-FOR-US: OpenEDR
CVE-2025-69783 (A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism b ...)
- TODO: check
+ NOT-FOR-US: OpenEDR
CVE-2025-69768 (SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remot ...)
- TODO: check
+ NOT-FOR-US: Chyrp
CVE-2025-69727 (An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PR ...)
- TODO: check
+ NOT-FOR-US: INDEX-EDUCATION PRONOTE
CVE-2025-69693 (Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavco ...)
- ffmpeg <unfixed>
[trixie] - ffmpeg <not-affected> (Vulnerable code not present)
@@ -678,7 +678,7 @@ CVE-2025-68971 (In Forgejo through 13.0.3, the attachment component allows a den
CVE-2025-66687 (Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to miss ...)
NOT-FOR-US: Doom Launcher
CVE-2025-65734 (An authenticated arbitrary file upload vulnerability in the Courses/Wo ...)
- TODO: check
+ NOT-FOR-US: Open eClass
CVE-2025-62319 (Boolean-Based SQL Injection is a type of blind SQL injection where an ...)
NOT-FOR-US: HCL
CVE-2025-57543 (Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" fie ...)
@@ -712,17 +712,17 @@ CVE-2025-52636 (HCL AION is affected by a vulnerability related to the handling
CVE-2025-2274 (Improper Neutralization of Input During Web Page Generation in Forcepo ...)
NOT-FOR-US: Forcepoint
CVE-2025-15587 (Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and ...)
- TODO: check
+ NOT-FOR-US: Tinycontrol
CVE-2025-15554 (Browser caching of LAPS passwords in Truesec\u2019s LAPSWebUI before v ...)
- TODO: check
+ NOT-FOR-US: LAPSWebUI
CVE-2025-15553 (Non-working logout functionality in Truesec\u2019s LAPSWebUI before ve ...)
- TODO: check
+ NOT-FOR-US: LAPSWebUI
CVE-2025-15552 (Insufficient Session Expiration in Truesec\u2019s LAPSWebUI before ver ...)
- TODO: check
+ NOT-FOR-US: LAPSWebUI
CVE-2025-15540 ("Functions" module in Raytha CMS allows privileged users towrite custo ...)
NOT-FOR-US: Raytha CMS
CVE-2025-11500 (Tinycontrol devices such as tcPDU andLAN Controllers LK3.5, LK3.9 and ...)
- TODO: check
+ NOT-FOR-US: Tinycontrol
CVE-2025-10685 (Heap-based buffer overflow vulnerability in Softing Industrial Automat ...)
NOT-FOR-US: Softing
CVE-2025-10461 (Global file reads caused by improper URL checks in webserver in Softin ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5450408178304d8e44b1015d81e6ff7845201de
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5450408178304d8e44b1015d81e6ff7845201de
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260318/9bc426a7/attachment.htm>
More information about the debian-security-tracker-commits
mailing list