[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 21 09:19:04 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1537d15a by Salvatore Bonaccorso at 2026-03-21T10:18:36+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -157,9 +157,9 @@ CVE-2026-33210 (Ruby JSON is a JSON implementation for Ruby. From version 2.14.0
NOTE: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
NOTE: Fixed by: https://github.com/ruby/json/commit/393b41c3e5f87491e1e34fa59fa78ff6fa179a74 (v2.19.2)
CVE-2026-33209 (Avo is a framework to create admin panels for Ruby on Rails apps. Prio ...)
- TODO: check
+ NOT-FOR-US: Avo
CVE-2026-33204 (SimpleJWT is a simple JSON web token library written in PHP. Prior to ...)
- TODO: check
+ NOT-FOR-US: SimpleJWT PHP library
CVE-2026-33203 (SiYuan is a personal knowledge management system. Prior to version 3.6 ...)
NOT-FOR-US: SiYuan
CVE-2026-33194 (SiYuan is a personal knowledge management system. Prior to version 3.6 ...)
@@ -177,13 +177,13 @@ CVE-2026-33172 (Statamic is a Laravel and Git powered content management system
CVE-2026-33171 (Statamic is a Laravel and Git powered content management system (CMS). ...)
NOT-FOR-US: Statamic CMS
CVE-2026-33166 (Allure 2 is the version 2.x branch of Allure Report, a multi-language ...)
- TODO: check
+ NOT-FOR-US: Allure
CVE-2026-33165 (libde265 is an open source implementation of the h.265 video codec. Pr ...)
TODO: check
CVE-2026-33164 (libde265 is an open source implementation of the h.265 video codec. Pr ...)
TODO: check
CVE-2026-33156 (ScreenToGif is a screen recording tool. In versions from 2.42.1 and pr ...)
- TODO: check
+ NOT-FOR-US: ScreenToGif
CVE-2026-33155 (DeepDiff is a project focused on Deep Difference and search of any Pyt ...)
TODO: check
CVE-2026-33154 (dynaconf is a configuration management tool for Python. Prior to versi ...)
@@ -193,7 +193,7 @@ CVE-2026-33151 (Socket.IO is an open source, real-time, bidirectional, event-bas
CVE-2026-33150 (libfuse is the reference implementation of the Linux FUSE. From versio ...)
TODO: check
CVE-2026-33147 (GMT is an open source collection of command-line tools for manipulatin ...)
- TODO: check
+ NOT-FOR-US: GMT
CVE-2026-33144 (GPAC is an open-source multimedia framework. Prior to commit 86b0e36, ...)
- gpac <removed>
NOTE: https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg
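Review bot: the NOT-FOR-US classification for CVE-2026-33147 deserves a second look. The truncated description ("GMT is an open source collection of command-line tools for manipulatin ...") matches the Generic Mapping Tools project, which Debian ships as the gmt source package, so unless the advisory concerns a different GMT this entry should stay at "TODO: check" or get a package line like the "- gpac <removed>" entry directly below it.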
@@ -219,9 +219,9 @@ CVE-2026-32810 (Halloy is an IRC application written in Rust. In versions on \*n
CVE-2026-32733 (Halloy is an IRC application written in Rust. Prior to commit 0f77b2cf ...)
TODO: check
CVE-2026-32666 (WebCTRL systems that communicate over BACnet inherit the protocol's la ...)
- TODO: check
+ NOT-FOR-US: WebCTRL
CVE-2026-32663 (The WebSocket backend uses charging station identifiers to uniquely as ...)
- TODO: check
+ NOT-FOR-US: WebCTRL
CVE-2026-32067 (OpenClaw versions prior to 2026.2.26 contains an authorization bypass ...)
NOT-FOR-US: OpenClaw
CVE-2026-32065 (OpenClaw versions prior to 2026.2.25 contain an approval-integrity byp ...)
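Review bot: the product label on CVE-2026-32663 looks wrong. Its description ("The WebSocket backend uses charging station identifiers to uniquely as ...") does not mention WebCTRL, while the same change labels the similar charging-station WebSocket entry CVE-2026-31904 as "NOT-FOR-US: CTEK Chargeportal". Please confirm which product the advisory is about and use one label for the whole family.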
@@ -261,11 +261,11 @@ CVE-2026-32043 (OpenClaw versions prior to 2026.2.25 contain a time-of-check-tim
CVE-2026-32042 (OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege esc ...)
NOT-FOR-US: OpenClaw
CVE-2026-31926 (Charging station authentication identifiers are publicly accessible vi ...)
- TODO: check
+ NOT-FOR-US: WebCTRL
CVE-2026-31904 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: CTEK Chargeportal
CVE-2026-31903 (The WebSocket Application Programming Interface lacks restrictions on ...)
- TODO: check
+ NOT-FOR-US: WebCTRL
CVE-2026-2941 (The Linksy Search and Replace plugin for WordPress is vulnerable to un ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2837 (The Ricerca \u2013 advanced search plugin for WordPress is vulnerable ...)
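Review bot: CVE-2026-31904 and CVE-2026-31903 carry identical descriptions but are labelled differently ("NOT-FOR-US: CTEK Chargeportal" vs "NOT-FOR-US: WebCTRL"), so at least one of them is mislabelled; CVE-2026-31926 ("Charging station authentication identifiers are publicly accessible vi ...") is likewise tagged WebCTRL although it describes a charging-station product. Suggest checking the advisories and using the same product name for all three entries.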
@@ -311,7 +311,7 @@ CVE-2026-2277 (The rexCrawler plugin for WordPress is vulnerable to Reflected Cr
CVE-2026-2121 (The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cro ...)
NOT-FOR-US: WordPress plugin
CVE-2026-29796 (WebSocket endpoints lack proper authentication mechanisms, enabling at ...)
- TODO: check
+ NOT-FOR-US: WebCTRL
CVE-2026-28204 (Charging station authentication identifiers are publicly accessible vi ...)
TODO: check
CVE-2026-27649 (The WebSocket backend uses charging station identifiers to uniquely as ...)
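Review bot: handling within this family is inconsistent. CVE-2026-28204 has the same description as CVE-2026-31926, which this change marks NOT-FOR-US, yet it is left at "TODO: check", and CVE-2026-27649 has the same description as CVE-2026-32663; if these are the same vendor advisories they can be closed together. The WebCTRL label on CVE-2026-29796 should be verified against the advisory for the same reason as the other WebSocket entries.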
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1537d15ae5bd8bbebfb0cb427fc2ac33132f175f