[Git][security-tracker-team/security-tracker][master] Add initial tracking for new nats-server issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Mar 26 10:14:05 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e3cfb69d by Salvatore Bonaccorso at 2026-03-26T11:13:33+01:00
Add initial tracking for new nats-server issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -113,13 +113,23 @@ CVE-2026-33287 (LiquidJS is a Shopify / GitHub Pages compatible template engine
CVE-2026-33285 (LiquidJS is a Shopify / GitHub Pages compatible template engine in pur ...)
NOT-FOR-US: LiquidJS
CVE-2026-33249 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ [trixie] - nats-server <not-affected> (Vulnerable code introduced later)
+ [bookworm] - nats-server <not-affected> (Vulnerable code introduced later)
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-15.txt
CVE-2026-33248 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-13.txt
CVE-2026-33223 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-09.txt
CVE-2026-33222 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-12.txt
CVE-2026-33201 (Digital Photo Frame GH-WDF10A provided by GREEN HOUSE CO., LTD. contai ...)
NOT-FOR-US: Digital Photo Frame GH-WDF10A
CVE-2026-33183 (Saloon is a PHP library that gives users tools to build API integratio ...)
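Review bot: The two <not-affected> lines for CVE-2026-33249 ([trixie] and [bookworm]) give "Vulnerable code introduced later" as the reason, but no NOTE records which upstream commit or release introduced that code, so the claim cannot be checked from the entry itself. Suggest adding a NOTE that names the introducing commit or version. The four nats-server entries in this hunk also carry only advisory links; a "NOTE: Fixed by:" line, as used for other entries in this commit, would help whoever later resolves <unfixed>.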
@@ -306,17 +316,32 @@ CVE-2026-33660 (n8n is an open source workflow automation platform. Prior to ver
CVE-2026-33268 (Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A r ...)
NOT-FOR-US: Nanoleaf Lines
CVE-2026-33247 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-14.txt
CVE-2026-33246 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-08.txt
CVE-2026-33219 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-11.txt
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-qrvq-68c2-7grw
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-02.txt
CVE-2026-33218 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-10.txt
CVE-2026-33217 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-07.txt
CVE-2026-33216 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc
+ NOTE: Fixed by: https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099 (v2.12.6)
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-05.txt
CVE-2026-32573 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-32567 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
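Review bot: CVE-2026-33219 is the only entry that lists two advisory pairs (GHSA-8r68-gvr4-jh7j with secnote-2026-11, and GHSA-qrvq-68c2-7grw with secnote-2026-02). Please confirm that both advisories map to this CVE and, if they do, add a short NOTE saying why, since a second pair under one CVE reads like a copy/paste slip. Separately, only CVE-2026-33216 in this hunk records a "Fixed by:" commit and version; the other five entries would benefit from the same.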
@@ -474,13 +499,18 @@ CVE-2026-2349 (Improper Neutralization of Input During Web Page Generation ("Cro
CVE-2026-2348 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
NOT-FOR-US: Drupal core and addons
CVE-2026-29785 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6
+ NOTE: Fixed by: https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8 (v2.12.5)
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-04.txt
CVE-2026-29092 (Kiteworks is a private data network (PDN). Prior to version 9.2.1, a v ...)
NOT-FOR-US: Kiteworks
CVE-2026-28529 (cryptodev-linux version 1.14 and prior contain a page reference handli ...)
TODO: check
CVE-2026-27889 (NATS-Server is a High-Performance server for NATS.io, a cloud and edge ...)
- TODO: check
+ - nats-server <unfixed>
+ NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6
+ NOTE: https://advisories.nats.io/CVE/secnote-2026-03.txt
CVE-2026-27659 (Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 1 ...)
TODO: check
CVE-2026-27656 (Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2 ...)
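Review bot: CVE-2026-27889 gets only the two advisory links, whereas CVE-2026-29785 earlier in the same hunk also records the fixing commit and release (v2.12.5). Suggest adding a matching "NOTE: Fixed by:" line for CVE-2026-27889 so the fixed upstream version is known when the package is updated. Minor: in CVE-2026-29785 the "Fixed by:" note sits between the two advisory URLs; keeping the advisory links together and the fix note last would read more cleanly.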
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3cfb69dd8781a63de588eeefb6c345977d1b8f5