[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Mar 25 18:23:24 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5dccbb1c by Salvatore Bonaccorso at 2026-03-25T19:22:57+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -546,7 +546,7 @@ CVE-2026-33215 (NATS-Server is a High-Performance server for NATS.io, a cloud an
 	NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
 	NOTE: https://advisories.nats.io/CVE/secnote-2026-06.txt
 CVE-2026-32326 (SHARP routers do not perform authentication for some web APIs. The dev ...)
-	TODO: check
+	NOT-FOR-US: SHARP routers
 CVE-2026-2343 (The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bul ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-2072 (Cross-Site Scripting vulnerability in Hitachi Infrastructure Analytics ...)
@@ -670,7 +670,7 @@ CVE-2026-28817 (A race condition was addressed with improved state handling. Thi
 CVE-2026-28816 (A path handling issue was addressed with improved validation. This iss ...)
 	NOT-FOR-US: Apple
 CVE-2026-26306 (The installer for OM Workspace (Windows Edition) Ver 2.4 and earlier i ...)
-	TODO: check
+	NOT-FOR-US: OM Workspace (Windows Edition)
 CVE-2026-24159 (NVIDIA NeMo Framework contains a vulnerability where an attacker may c ...)
 	NOT-FOR-US: NVIDIA
 CVE-2026-24158 (NVIDIA Triton Inference Server contains a vulnerability in the HTTP en ...)
@@ -950,11 +950,11 @@ CVE-2026-30662 (ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerabil
 CVE-2026-30661 (iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the ...)
 	NOT-FOR-US: iCMS
 CVE-2026-30655 (SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0. ...)
-	TODO: check
+	NOT-FOR-US: esiclivre/esiclivre
 CVE-2026-30653 (An issue in Free5GC v.4.2.0 and before allows a remote attacker to cau ...)
 	NOT-FOR-US: Free5GC
 CVE-2026-2417 (A Missing Authentication for Critical Function vulnerability in Pharos ...)
-	TODO: check
+	NOT-FOR-US: Pharos Controls Mosaic Show Controller firmware
 CVE-2026-29840 (JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS ...)
 	NOT-FOR-US: JiZhiCMS
 CVE-2026-29839 (DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forger ...)
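Review bot: the tag for CVE-2026-30655 uses the GitHub owner/repo form (`NOT-FOR-US: esiclivre/esiclivre`), while the other tags in this hunk name the product (`NOT-FOR-US: Free5GC`, `NOT-FOR-US: JiZhiCMS`). Consider `NOT-FOR-US: esiclivre` for consistency; the description line already carries the repository reference. The Pharos tag (`NOT-FOR-US: Pharos Controls Mosaic Show Controller firmware`) follows the product-name convention and matches the description.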
@@ -988,7 +988,7 @@ CVE-2026-22559 (An Improper Input Validation vulnerability in UniFi Network Serv
 CVE-2026-21783 (HCL Traveler is affected by sensitive information disclosure. The appl ...)
 	NOT-FOR-US: HCL
 CVE-2026-1995 (IDrive\u2019s id_service.exe process runs with elevated privileges and ...)
-	TODO: check
+	NOT-FOR-US: IDrive
 CVE-2025-71275 (Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 co ...)
 	NOT-FOR-US: Zimbra
 CVE-2025-64998 (Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and ...)
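Review bot: the unchanged description line for CVE-2026-1995 carries a literal `\u2019` escape (`IDrive\u2019s`) instead of an apostrophe. That is not introduced by this change, but it is worth a follow-up so the description reads cleanly; the `NOT-FOR-US: IDrive` tag itself matches the product named in the description.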
@@ -1608,37 +1608,37 @@ CVE-2026-27646 (OpenClaw versions prior to 2026.3.7 contain a sandbox escape vul
 CVE-2026-27183 (OpenClaw versions prior to 2026.3.7 contain a shell approval gating by ...)
 	NOT-FOR-US: OpenClaw
 CVE-2026-23882 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23488 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23487 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23486 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23485 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23484 (Blinko is an AI-powered card note-taking project. In versions from 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23483 (Blinko is an AI-powered card note-taking project. In versions from 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23482 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23481 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-23480 (Blinko is an AI-powered card note-taking project. Prior to version 1.8 ...)
-	TODO: check
+	NOT-FOR-US: Blinko
 CVE-2026-22739 (Vulnerability in Spring Cloud when substituting the profile parameter  ...)
 	TODO: check
 CVE-2026-22173
 	REJECTED
 CVE-2025-60949 (Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in som ...)
-	TODO: check
+	NOT-FOR-US: Census CSWeb
 CVE-2025-60948 (Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied ...)
-	TODO: check
+	NOT-FOR-US: Census CSWeb
 CVE-2025-60947 (Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticat ...)
-	TODO: check
+	NOT-FOR-US: Census CSWeb
 CVE-2025-60946 (Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authent ...)
-	TODO: check
+	NOT-FOR-US: Census CSWeb
 CVE-2025-41660 (A low-privileged remote attacker may be able to replace the boot appli ...)
 	NOT-FOR-US: CODESYS
 CVE-2026-4680 (Use after free in FedCM in Google Chrome prior to 146.0.7680.165 allow ...)
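Review bot: the two entries interleaved in this run are correctly left untouched rather than swept in with the NFUs: CVE-2026-22739 (Spring Cloud) stays `TODO: check`, which it needs, and CVE-2026-22173 is `REJECTED`. The ten Blinko entries and the four Census CSWeb entries all get the same product-named tag, which is consistent; note that the Blinko descriptions differ in affected range (`Prior to version 1.8 ...` versus `In versions from 1.8 ...`), which is irrelevant for NOT-FOR-US but would matter if any of them were ever reconsidered.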
@@ -1828,9 +1828,9 @@ CVE-2026-30886 (New API is a large language mode (LLM) gateway and artificial in
 CVE-2026-30849 (Mantis Bug Tracker (MantisBT) is an open source issue tracker. Version ...)
 	- mantis <removed>
 CVE-2026-30007 (XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .t ...)
-	TODO: check
+	NOT-FOR-US: XnSoft NConvert
 CVE-2026-30006 (XnSoft NConvert 7.230 is vulnerable to Stack Buffer Overrun via a craf ...)
-	TODO: check
+	NOT-FOR-US: XnSoft NConvert
 CVE-2026-2298 (Improper Neutralization of Argument Delimiters in a Command ('Argument ...)
 	NOT-FOR-US: Salesforce
 CVE-2026-28809 (XML External Entity (XXE) vulnerability in esaml (and its forks) allow ...)
@@ -1844,17 +1844,17 @@ CVE-2026-26828 (A NULL pointer dereference in the daap_reply_playlists function
 CVE-2026-26209 (cbor2 provides encoding and decoding for the Concise Binary Object Rep ...)
 	TODO: check
 CVE-2026-24516 (A command injection vulnerability exists in DigitalOcean Droplet Agent ...)
-	TODO: check
+	NOT-FOR-US: DigitalOcean Droplet Agent
 CVE-2026-1958 (Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino al ...)
-	TODO: check
+	NOT-FOR-US: Klinika XP
 CVE-2026-0898 (An arbitrary file-write vulnerability in Pega Browser Extension (PBE)  ...)
-	TODO: check
+	NOT-FOR-US: Pega
 CVE-2025-52204 (A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x ...)
 	TODO: check
 CVE-2025-41008 (SQL injection vulnerability in Sinturno. This vulnerability allows an  ...)
-	TODO: check
+	NOT-FOR-US: Sinturno
 CVE-2025-41007 (SQL Injection in Cuantis. This vulnerability allows an attacker to ret ...)
-	TODO: check
+	NOT-FOR-US: Cuantis
 CVE-2025-15606 (A Denial-of-Service (DoS) vulnerability in the httpd component of TP-L ...)
 	NOT-FOR-US: TPLink
 CVE-2025-15605 (A hardcoded cryptographic key within the configuration mechanism on TP ...)
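Review bot: the tag for CVE-2026-1958 names only `Klinika XP`, while the description lists `Klinika XP and KlinikaXP Insertino`; consider `NOT-FOR-US: Klinika XP and KlinikaXP Insertino` so the tag covers both products the description names. Likewise `NOT-FOR-US: Pega` for CVE-2026-0898 is the bare vendor name where the description says `Pega Browser Extension (PBE)`; either is acceptable, but the other tags in this commit tend to name the product. The cbor2 (CVE-2026-26209) and Znuny::ITSM (CVE-2025-52204) entries remaining `TODO: check` are correctly not included in this NFU pass.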
@@ -2601,7 +2601,7 @@ CVE-2026-25086 (Under certain conditions, an attacker could bind to the same por
 CVE-2026-24060 (Service information is not encrypted when transmitted as BACnet packet ...)
 	NOT-FOR-US: WebCTRL
 CVE-2026-23536 (A security issue was discovered in the Feast Feature Server's `/read-d ...)
-	TODO: check
+	NOT-FOR-US: Feast
 CVE-2026-22163 (Requires malware code to misuse the DDK kernel module IOCTL interface. ...)
 	NOT-FOR-US: Imagination Technologies
 CVE-2026-21732 (A web page that contains unusual GPU shader code is loaded into the GP ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dccbb1c9b19b858cd14fddcbd5d0fe772d6321f




