[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Mar 20 20:19:23 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
868f60e1 by security tracker role at 2026-03-20T20:19:14+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,28 +1,232 @@
-CVE-2026-23278 [netfilter: nf_tables: always walk all pending catchall elements]
+CVE-2026-4519 (The webbrowser.open() API would accept leading dashes in the URL which ...)
+ TODO: check
+CVE-2026-4505 (A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. Thi ...)
+ TODO: check
+CVE-2026-4504 (A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnera ...)
+ TODO: check
+CVE-2026-4500 (A vulnerability was identified in bagofwords1 bagofwords up to 0.0.297 ...)
+ TODO: check
+CVE-2026-4499 (A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is t ...)
+ TODO: check
+CVE-2026-4497 (A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. ...)
+ TODO: check
+CVE-2026-4496 (A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262 ...)
+ TODO: check
+CVE-2026-4495 (A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts ...)
+ TODO: check
+CVE-2026-4494 (A vulnerability was identified in atjiu pybbs 6.0.0. This affects the ...)
+ TODO: check
+CVE-2026-4493 (A vulnerability was determined in Tenda A18 Pro 02.03.02.28. The impac ...)
+ TODO: check
+CVE-2026-4492 (A vulnerability was found in Tenda A18 Pro 02.03.02.28. The affected e ...)
+ TODO: check
+CVE-2026-4491 (A vulnerability has been found in Tenda A18 Pro 02.03.02.28. Impacted ...)
+ TODO: check
+CVE-2026-4490 (A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects ...)
+ TODO: check
+CVE-2026-4489 (A vulnerability was detected in Tenda A18 Pro 02.03.02.28. This vulner ...)
+ TODO: check
+CVE-2026-4488 (A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907- ...)
+ TODO: check
+CVE-2026-4487 (A vulnerability was determined in UTT HiPER 1200GW up to 2.5.3-170306. ...)
+ TODO: check
+CVE-2026-4486 (A vulnerability was found in D-Link DIR-513 1.10. This affects the fun ...)
+ TODO: check
+CVE-2026-4485 (A vulnerability has been found in itsourcecode College Management Syst ...)
+ TODO: check
+CVE-2026-4438 (Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.co ...)
+ TODO: check
+CVE-2026-4437 (Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.co ...)
+ TODO: check
+CVE-2026-4434 (Improper certificate validation in the PAM propagation WinRM connectio ...)
+ TODO: check
+CVE-2026-3550 (The RockPress plugin for WordPress is vulnerable to Missing Authorizat ...)
+ TODO: check
+CVE-2026-33372 (An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A ...)
+ TODO: check
+CVE-2026-33371 (An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A ...)
+ TODO: check
+CVE-2026-33370 (An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A ...)
+ TODO: check
+CVE-2026-33369 (Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vu ...)
+ TODO: check
+CVE-2026-33368 (Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cr ...)
+ TODO: check
+CVE-2026-33312 (Vikunja is an open-source self-hosted task management platform. Starti ...)
+ TODO: check
+CVE-2026-33192 (Free5GC is an open-source Linux Foundation project for 5th generation ...)
+ TODO: check
+CVE-2026-33140 (PySpector is a static analysis security testing (SAST) Framework engin ...)
+ TODO: check
+CVE-2026-33139 (PySpector is a static analysis security testing (SAST) Framework engin ...)
+ TODO: check
+CVE-2026-33136 (WeGIA is a web manager for charitable institutions. Versions 3.6.6 and ...)
+ TODO: check
+CVE-2026-33135 (WeGIA is a web manager for charitable institutions. Versions 3.6.6 and ...)
+ TODO: check
+CVE-2026-33134 (WeGIA is a web manager for charitable institutions. Versions 3.6.5 and ...)
+ TODO: check
+CVE-2026-33133 (WeGIA is a web manager for charitable institutions. In versions 3.6.5 ...)
+ TODO: check
+CVE-2026-33132 (ZITADEL is an open source identity management platform. Versions prior ...)
+ TODO: check
+CVE-2026-33131 (H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 ...)
+ TODO: check
+CVE-2026-33130 (Uptime Kuma is an open source, self-hosted monitoring tool. In version ...)
+ TODO: check
+CVE-2026-33129 (H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0- ...)
+ TODO: check
+CVE-2026-33128 (H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and betw ...)
+ TODO: check
+CVE-2026-33126 (Frigate is a network video recorder (NVR) with realtime local object d ...)
+ TODO: check
+CVE-2026-33125 (Frigate is a network video recorder (NVR) with realtime local object d ...)
+ TODO: check
+CVE-2026-33124 (Frigate is a network video recorder (NVR) with realtime local object d ...)
+ TODO: check
+CVE-2026-33123 (pypdf is a free and open-source pure-python PDF library. Versions prio ...)
+ TODO: check
+CVE-2026-33081 (PinchTab is a standalone HTTP server that gives AI agents direct contr ...)
+ TODO: check
+CVE-2026-33080 (Filament is a collection of full-stack components for accelerated Lara ...)
+ TODO: check
+CVE-2026-33075 (FastGPT is an AI Agent building platform. In versions 4.14.8.3 and bel ...)
+ TODO: check
+CVE-2026-33072 (FileRise is a self-hosted web file manager / WebDAV server. In version ...)
+ TODO: check
+CVE-2026-33071 (FileRise is a self-hosted web file manager / WebDAV server. In version ...)
+ TODO: check
+CVE-2026-33070 (FileRise is a self-hosted web file manager / WebDAV server. In version ...)
+ TODO: check
+CVE-2026-33069 (PJSIP is a free and open source multimedia communication library writt ...)
+ TODO: check
+CVE-2026-33068 (Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolv ...)
+ TODO: check
+CVE-2026-33067 (SiYuan is a personal knowledge management system. Versions 3.6.0 and b ...)
+ TODO: check
+CVE-2026-33066 (SiYuan is a personal knowledge management system. In versions 3.6.0 an ...)
+ TODO: check
+CVE-2026-33010 (mcp-memory-service is an open-source memory backend for multi-agent sy ...)
+ TODO: check
+CVE-2026-32989 (Precurio Intranet Portal 4.4 contains a cross-site request forgery vul ...)
+ TODO: check
+CVE-2026-32986 (Textpattern CMS version 4.9.0 contains a second-order cross-site scrip ...)
+ TODO: check
+CVE-2026-32844 (XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected ...)
+ TODO: check
+CVE-2026-32710 (MariaDB server is a community developed fork of MySQL server. An authe ...)
+ TODO: check
+CVE-2026-32701 (Qwik is a performance-focused JavaScript framework. Versions prior to ...)
+ TODO: check
+CVE-2026-32595 (Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 a ...)
+ TODO: check
+CVE-2026-32318 (Cryptomator for IOS offers multi-platform transparent client-side encr ...)
+ TODO: check
+CVE-2026-32317 (Cryptomator for Android offers multi-platform transparent client-side ...)
+ TODO: check
+CVE-2026-32310 (Cryptomator encrypts data being stored on cloud infrastructure. From v ...)
+ TODO: check
+CVE-2026-32309 (Cryptomator encrypts data being stored on cloud infrastructure. Prior ...)
+ TODO: check
+CVE-2026-32305 (Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 a ...)
+ TODO: check
+CVE-2026-32303 (Cryptomator encrypts data being stored on cloud infrastructure. Prior ...)
+ TODO: check
+CVE-2026-31836 (Checkmate is an open-source, self-hosted tool designed to track and mo ...)
+ TODO: check
+CVE-2026-31382 (The error_description parameter is vulnerable to Reflected XSS. An att ...)
+ TODO: check
+CVE-2026-31381 (An attacker can extract user email addresses (PII) exposed in base64 e ...)
+ TODO: check
+CVE-2026-30580 (File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious u ...)
+ TODO: check
+CVE-2026-30579 (File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A mali ...)
+ TODO: check
+CVE-2026-30578 (File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A mal ...)
+ TODO: check
+CVE-2026-2432 (The CM Custom Reports \u2013 Flexible reporting to track what matters ...)
+ TODO: check
+CVE-2026-2421 (The ilGhera Carta Docente for WooCommerce plugin for WordPress is vuln ...)
+ TODO: check
+CVE-2026-29828 (DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the ...)
+ TODO: check
+CVE-2026-29794 (Vikunja is an open-source self-hosted task management platform. Starti ...)
+ TODO: check
+CVE-2026-27625 (Stirling-PDF is a locally hosted web application that performs various ...)
+ TODO: check
+CVE-2026-25792 (Greenshot is an open source Windows screenshot utility. Versions 1.3.3 ...)
+ TODO: check
+CVE-2026-22902 (A command injection vulnerability has been reported to affect QuNetSwi ...)
+ TODO: check
+CVE-2026-22901 (A command injection vulnerability has been reported to affect QuNetSwi ...)
+ TODO: check
+CVE-2026-22900 (A use of hard-coded credentials vulnerability has been reported to aff ...)
+ TODO: check
+CVE-2026-22898 (A missing authentication for critical function vulnerability has been ...)
+ TODO: check
+CVE-2026-22897 (A command injection vulnerability has been reported to affect QuNetSwi ...)
+ TODO: check
+CVE-2026-22895 (A cross-site scripting (XSS) vulnerability has been reported to affect ...)
+ TODO: check
+CVE-2026-22324 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2026-22172 (OpenClaw versions prior to 2026.3.12 contain an authorization bypass v ...)
+ TODO: check
+CVE-2026-0677 (Deserialization of Untrusted Data vulnerability in TotalSuite TotalCon ...)
+ TODO: check
+CVE-2025-67260 (The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indica ...)
+ TODO: check
+CVE-2025-63260 (SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the ...)
+ TODO: check
+CVE-2025-62846 (An SQL injection vulnerability has been reported to affect QHora. If a ...)
+ TODO: check
+CVE-2025-62845 (An improper neutralization of escape, meta, or control sequences vulne ...)
+ TODO: check
+CVE-2025-62844 (A weak authentication vulnerability has been reported to affect QHora. ...)
+ TODO: check
+CVE-2025-62843 (An improper restriction of communication channel to intended endpoints ...)
+ TODO: check
+CVE-2025-59383 (A buffer overflow vulnerability has been reported to affect Media Stre ...)
+ TODO: check
+CVE-2025-46598 (Bitcoin Core through 29.0 allows a denial of service via a crafted tra ...)
+ TODO: check
+CVE-2025-46597 (Bitcoin Core 0.13.0 through 29.x has an integer overflow.)
+ TODO: check
+CVE-2025-15608 (This vulnerability in AX53 v1 results from insufficient input sanitiza ...)
+ TODO: check
+CVE-2025-15607 (A command injection vulnerability on AX53 v1 occurs in mscd debug func ...)
+ TODO: check
+CVE-2024-44722 (SysAK v2.0 and before is vulnerable to command execution via aaa;cat / ...)
+ TODO: check
+CVE-2024-32537 (Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash V ...)
+ TODO: check
+CVE-2024-31119 (Improper neutralization of input during web page generation ('cross-si ...)
+ TODO: check
+CVE-2026-23278 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux <unfixed>
NOTE: https://git.kernel.org/linus/7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 (7.0-rc4)
-CVE-2026-23277 [net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit]
+CVE-2026-23277 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux <unfixed>
NOTE: https://git.kernel.org/linus/0cc0c2e661af418bbf7074179ea5cfffc0a5c466 (7.0-rc4)
-CVE-2026-23276 [net: add xmit recursion limit to tunnel xmit functions]
+CVE-2026-23276 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux <unfixed>
NOTE: https://git.kernel.org/linus/6f1a9140ecda3baba3d945b9a6155af4268aafc4 (7.0-rc4)
-CVE-2026-23275 [io_uring: ensure ctx->rings is stable for task work flags manipulation]
+CVE-2026-23275 (In the Linux kernel, the following vulnerability has been resolved: i ...)
- linux <unfixed>
[trixie] - linux <not-affected> (Vulnerable code not present)
[bookworm] - linux <not-affected> (Vulnerable code not present)
[bullseye] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/96189080265e6bb5dde3a4afbaf947af493e3f82 (7.0-rc4)
-CVE-2026-23274 [netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels]
+CVE-2026-23274 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux <unfixed>
NOTE: https://git.kernel.org/linus/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf (7.0-rc4)
-CVE-2026-23273 [macvlan: observe an RCU grace period in macvlan_common_newlink() error path]
+CVE-2026-23273 (In the Linux kernel, the following vulnerability has been resolved: m ...)
- linux 6.18.14-1
NOTE: https://git.kernel.org/linus/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35 (7.0-rc1)
-CVE-2026-23272 [netfilter: nf_tables: unconditionally bump set->nelems before insertion]
+CVE-2026-23272 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux 6.19.8-1
NOTE: https://git.kernel.org/linus/def602e498a4f951da95c95b1b8ce8ae68aa733a (7.0-rc3)
-CVE-2026-23271 [perf: Fix __perf_event_overflow() vs perf_remove_from_context() race]
+CVE-2026-23271 (In the Linux kernel, the following vulnerability has been resolved: p ...)
- linux 6.19.8-1
NOTE: https://git.kernel.org/linus/c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae (7.0-rc2)
CVE-2026-4478 (A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1 ...)
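Review bot: replacing the bracketed placeholder titles of CVE-2026-23271 through CVE-2026-23278 with the truncated upstream text "In the Linux kernel, the following vulnerability has been resolved: n ..." drops the subsystem names the old titles carried (nf_tables, teql, tunnel xmit, io_uring, xt_IDLETIMER, macvlan, perf), so the git.kernel.org NOTE lines with their (7.0-rcN) tags are now the only thing that tells these eight entries apart at a glance; keep those NOTE lines intact and consider carrying the subsystem name into them. The package status lines themselves are consistent: the four entries fixed in 7.0-rc1 to 7.0-rc3 map to linux 6.18.14-1 or 6.19.8-1, the 7.0-rc4 fixes stay <unfixed>, and CVE-2026-23275 keeps its per-suite <not-affected> (Vulnerable code not present) lines. Every newly imported id from CVE-2026-4519 down to CVE-2024-31119 is left at "TODO: check" with no package line, which is expected for an automatic import but means none of them is yet findable by source package; the two gethostbyaddr / nsswitch.conf entries (CVE-2026-4438, CVE-2026-4437) and the MariaDB server entry (CVE-2026-32710) describe core library or server code rather than standalone applications and are the ones most likely to need a Debian package status soon.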
@@ -1530,7 +1734,7 @@ CVE-2026-32981 (A path traversal vulnerability was identified in Ray Dashboard (
CVE-2026-32837 (miniaudio version 0.11.25 and earlier contain a heap out-of-bounds rea ...)
- miniaudio <unfixed>
NOTE: https://github.com/mackron/miniaudio/issues/1101
-CVE-2026-32836 (dr_libs version 0.13.3 and earlier contain an uncontrolled memory allo ...)
+CVE-2026-32836 (dr_libsdr_flac.h version 0.13.3 and earlier contain an uncontrolled me ...)
TODO: check
CVE-2026-32586 (Missing Authorization vulnerability in Pluggabl Booster for WooCommerc ...)
NOT-FOR-US: WordPress plugin or theme
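Review bot: the new CVE-2026-32836 description reads "dr_libsdr_flac.h", which looks like the upstream text lost the separator between "dr_libs" and "dr_flac.h" (the dr_wav.h entry for CVE-2026-29022 elsewhere in this file reads "dr_libs dr_wav.h"); since the list mirrors upstream wording that can stay, but the entry still carries a bare "TODO: check" while the dr_wav.h entry already has the bundled-copy list "qtads, dosbox-x, roc-toolkit, octave-ltfat, faudio bundle a copy, check security impact". The same bundling check applies here, narrowed to which of those packages actually ship dr_flac.h, and adding the upstream issue or commit URL as a NOTE, as the neighbouring miniaudio entry CVE-2026-32837 does, would make the later triage easier.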
@@ -2926,7 +3130,7 @@ CVE-2026-22215 (wpDiscuz before 7.6.47 contains a cross-site request forgery vul
NOT-FOR-US: wpDiscuz
CVE-2026-22210 (wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability t ...)
NOT-FOR-US: wpDiscuz
-CVE-2026-22209 (wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability i ...)
+CVE-2026-22209 (thingino-firmware up to commit e3f6a41 (published on 2026-03-15) conta ...)
NOT-FOR-US: wpDiscuz
CVE-2026-22204 (wpDiscuz before 7.6.47 contains an email header injection vulnerabilit ...)
NOT-FOR-US: wpDiscuz
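Review bot: the unchanged line "NOT-FOR-US: wpDiscuz" under CVE-2026-22209 no longer matches the entry: the description has been rewritten from a wpDiscuz cross-site scripting issue to "thingino-firmware up to commit e3f6a41 (published on 2026-03-15) conta ...", so the triage reason is stale. Either the id was reassigned upstream or the import matched the wrong record; the status should be reset (for example to "TODO: check") and re-triaged against thingino-firmware rather than left as wpDiscuz, and the surrounding CVE-2026-22210 and CVE-2026-22204 wpDiscuz entries are worth re-reading to confirm they were not shifted the same way.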
@@ -4972,7 +5176,8 @@ CVE-2026-30918 (facileManager is a modular suite of web apps built with the sysa
NOT-FOR-US: facileManager
CVE-2026-30917 (Bucket is a MediaWiki extension to store and retrieve structured data ...)
NOT-FOR-US: Bucket MediaWiki extensiom
-CVE-2026-30916 (Shescape is a simple shell escape library for JavaScript. Prior to 2.1 ...)
+CVE-2026-30916
+ REJECTED
NOT-FOR-US: Shescape
CVE-2026-30913 (Flarum is open-source forum software. When the flarum/nicknames extens ...)
NOT-FOR-US: Flarum
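Review bot: CVE-2026-30916 is now marked REJECTED but the old "NOT-FOR-US: Shescape" line is kept beneath it; a rejected id has no package to triage, so that line is dead text and should be dropped so the entry reads as a plain rejection. Unrelated to the change, the context line "NOT-FOR-US: Bucket MediaWiki extensiom" for CVE-2026-30917 has a typo for "extension".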
@@ -7903,7 +8108,7 @@ CVE-2026-2606 (IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.
NOT-FOR-US: IBM
CVE-2026-2568 (The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and ...)
NOT-FOR-US: WordPress plugin
-CVE-2026-29022 (dr_libs version 0.14.4 and earlier (fixed in commit 8a7258c) contain a ...)
+CVE-2026-29022 (dr_libs dr_wav.h version 0.14.4 and earlier (fixed in commit 8a7258c) ...)
NOTE: https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49
TODO: qtads, dosbox-x, roc-toolkit, octave-ltfat, faudio bundle a copy, check security impact
CVE-2026-28518 (OpenViking versions 0.2.1 and prior, fixed in commit46b3e76, contain a ...)
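Review bot: narrowing the CVE-2026-29022 description to "dr_libs dr_wav.h" agrees with the NOTE commit 8a7258cc66b49387ad58cc5b81568982a3560d49, whose prefix matches the "fixed in commit 8a7258c" short hash in the text, so the two lines are consistent. The TODO on the next line lists qtads, dosbox-x, roc-toolkit, octave-ltfat and faudio as bundling a copy of dr_libs; now that the affected file is known to be dr_wav.h, that check can be done per package, since a bundler that only ships dr_flac.h would not carry this bug. The context line for CVE-2026-28518 reads "commit46b3e76" with the space missing; that is upstream wording and not something to fix in this change.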
@@ -9811,7 +10016,7 @@ CVE-2026-1916 (The WPGSI: Spreadsheet Integration plugin for WordPress is vulner
NOT-FOR-US: WordPress plugin
CVE-2026-0704 (In affected version of Octopus Deploy it was possible to remove files ...)
NOT-FOR-US: Octopus Deploy
-CVE-2025-69771 (An arbitrary file upload vulnerability in the subtitle loading functio ...)
+CVE-2025-69771 (Cross-Site Scripting (XSS) vulnerability in the subtitle loading funct ...)
NOT-FOR-US: asbplayer
CVE-2025-67860 (A vulnerability has been identified in the NeuVector scanner where the ...)
NOT-FOR-US: NeuVector
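Review bot: the CVE-2025-69771 description changes the vulnerability class from "arbitrary file upload" to "Cross-Site Scripting (XSS)" in the same asbplayer subtitle loading function; the product is unchanged, so the "NOT-FOR-US: asbplayer" line still holds and no status change is needed, but the reclassification is worth a glance by anyone who recorded this id as an upload issue.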
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/868f60e1853623b62fe1824354805073fe6e4d50