[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 28 08:13:19 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e43e2d9e by security tracker role at 2026-03-28T08:13:12+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,83 +1,659 @@
-CVE-2026-33375
+CVE-2026-5027 (The 'POST /api/v2/files' endpoint does not sanitize the 'filename' par ...)
+ TODO: check
+CVE-2026-5026 (The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG f ...)
+ TODO: check
+CVE-2026-5025 (The '/logs' and '/logs-stream' endpoints in the log router allow any a ...)
+ TODO: check
+CVE-2026-5022 (The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enf ...)
+ TODO: check
+CVE-2026-5010 (A reflected Cross-Site Scripting (XSS) vulnerability has been discover ...)
+ TODO: check
+CVE-2026-4992 (A flaw has been found in wandb OpenUI up to 1.0. This affects the func ...)
+ TODO: check
+CVE-2026-4991 (A vulnerability was detected in QDOCS Smart School Management System u ...)
+ TODO: check
+CVE-2026-4990 (A security vulnerability has been detected in chatwoot up to 4.11.1. T ...)
+ TODO: check
+CVE-2026-4988 (A security flaw has been discovered in Open5GS 2.7.6. This issue affec ...)
+ TODO: check
+CVE-2026-4987 (The SureForms \u2013 Contact Form, Payment Form & Other Custom Form Bu ...)
+ TODO: check
+CVE-2026-4985 (A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulner ...)
+ TODO: check
+CVE-2026-4984 (The Twilio integration webhook handler accepts any POST request withou ...)
+ TODO: check
+CVE-2026-4982 (A user with permission "update world" in any Venueless world is able t ...)
+ TODO: check
+CVE-2026-4980 (A local file disclosure vulnerability in the XInclude processing compo ...)
+ TODO: check
+CVE-2026-4976 (A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Thi ...)
+ TODO: check
+CVE-2026-4975 (A vulnerability has been found in Tenda AC15 15.03.05.19. This affects ...)
+ TODO: check
+CVE-2026-4974 (A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue ...)
+ TODO: check
+CVE-2026-4973 (A vulnerability was detected in SourceCodester Online Quiz System up t ...)
+ TODO: check
+CVE-2026-4972 (A security vulnerability has been detected in code-projects Online Rev ...)
+ TODO: check
+CVE-2026-4971 (A weakness has been identified in SourceCodester Note Taking App up to ...)
+ TODO: check
+CVE-2026-4970 (A security flaw has been discovered in code-projects Social Networking ...)
+ TODO: check
+CVE-2026-4969 (A vulnerability was identified in code-projects Social Networking Site ...)
+ TODO: check
+CVE-2026-4968 (A vulnerability was determined in SourceCodester Diary App 1.0. The af ...)
+ TODO: check
+CVE-2026-4966 (A flaw has been found in itsourcecode Free Hotel Reservation System 1. ...)
+ TODO: check
+CVE-2026-4965 (A vulnerability was detected in letta-ai letta 0.16.4. This issue affe ...)
+ TODO: check
+CVE-2026-4964 (A security vulnerability has been detected in letta-ai letta 0.16.4. T ...)
+ TODO: check
+CVE-2026-4963 (A weakness has been identified in huggingface smolagents 1.25.0.dev0. ...)
+ TODO: check
+CVE-2026-4962 (A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affecte ...)
+ TODO: check
+CVE-2026-4961 (A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by t ...)
+ TODO: check
+CVE-2026-4960 (A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is t ...)
+ TODO: check
+CVE-2026-4959 (A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the fu ...)
+ TODO: check
+CVE-2026-4958 (A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects t ...)
+ TODO: check
+CVE-2026-4957 (A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is ...)
+ TODO: check
+CVE-2026-4956 (A vulnerability was detected in Shenzhen Ruiming Technology Streamax C ...)
+ TODO: check
+CVE-2026-4955 (A vulnerability was found in Shenzhen Ruiming Technology Streamax Croc ...)
+ TODO: check
+CVE-2026-4954 (A security vulnerability has been detected in mingSoft MCMS up to 5.5. ...)
+ TODO: check
+CVE-2026-4953 (A weakness has been identified in mingSoft MCMS up to 5.5.0. This issu ...)
+ TODO: check
+CVE-2026-4933 (Incorrect Authorization vulnerability in Drupal Unpublished Node Permi ...)
+ TODO: check
+CVE-2026-4910 (A security vulnerability has been detected in Shenzhen Ruiming Technol ...)
+ TODO: check
+CVE-2026-4909 (A weakness has been identified in code-projects Exam Form Submission 1 ...)
+ TODO: check
+CVE-2026-4908 (A security flaw has been discovered in code-projects Simple Laundry Sy ...)
+ TODO: check
+CVE-2026-4907 (A vulnerability was identified in Page-Replica Page Replica up to e4a7 ...)
+ TODO: check
+CVE-2026-4906 (A vulnerability was determined in Tenda AC5 15.03.06.47. The affected ...)
+ TODO: check
+CVE-2026-4905 (A vulnerability was found in Tenda AC5 15.03.06.47. Impacted is the fu ...)
+ TODO: check
+CVE-2026-4904 (A vulnerability has been found in Tenda AC5 15.03.06.47. This issue af ...)
+ TODO: check
+CVE-2026-4903 (A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability aff ...)
+ TODO: check
+CVE-2026-4902 (A vulnerability was detected in Tenda AC5 15.03.06.47. This affects th ...)
+ TODO: check
+CVE-2026-4900 (A weakness has been identified in code-projects Online Food Ordering S ...)
+ TODO: check
+CVE-2026-4899 (A security flaw has been discovered in code-projects Online Food Order ...)
+ TODO: check
+CVE-2026-4898 (A vulnerability was identified in code-projects Online Food Ordering S ...)
+ TODO: check
+CVE-2026-4622 (OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series ...)
+ TODO: check
+CVE-2026-4621 (Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series ...)
+ TODO: check
+CVE-2026-4620 (OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series ...)
+ TODO: check
+CVE-2026-4619 (Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allow ...)
+ TODO: check
+CVE-2026-4393 (Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Lo ...)
+ TODO: check
+CVE-2026-4346 (The vulnerability affecting TL-WR850N v3 allows cleartext storage of a ...)
+ TODO: check
+CVE-2026-4340
+ REJECTED
+CVE-2026-4309 (Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Serie ...)
+ TODO: check
+CVE-2026-4248 (The Ultimate Member plugin for WordPress is vulnerable to Sensitive In ...)
+ TODO: check
+CVE-2026-3622 (The vulnerability exists in the UPnP component of TL-WR841N v14, where ...)
+ TODO: check
+CVE-2026-3573 (Incorrect Authorization vulnerability in Drupal AI (Artificial Intelli ...)
+ TODO: check
+CVE-2026-3532 (Improper Handling of Case Sensitivity vulnerability in Drupal OpenID C ...)
+ TODO: check
+CVE-2026-3531 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+ TODO: check
+CVE-2026-3530 (Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Conn ...)
+ TODO: check
+CVE-2026-3529 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
+ TODO: check
+CVE-2026-3528 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
+ TODO: check
+CVE-2026-3527 (Missing Authentication for Critical Function vulnerability in Drupal A ...)
+ TODO: check
+CVE-2026-3526 (Incorrect Authorization vulnerability in Drupal File Access Fix (depre ...)
+ TODO: check
+CVE-2026-3525 (Incorrect Authorization vulnerability in Drupal File Access Fix (depre ...)
+ TODO: check
+CVE-2026-3457 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2026-3098 (The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary Fil ...)
+ TODO: check
+CVE-2026-34475 (Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in ...)
+ TODO: check
+CVE-2026-34411 (Appsmith versions prior to 1.98 expose sensitive instance management A ...)
+ TODO: check
+CVE-2026-34391 (Fleet is open source device management software. Prior to 4.81.1, a vu ...)
+ TODO: check
+CVE-2026-34389 (Fleet is open source device management software. Prior to 4.81.0, Flee ...)
+ TODO: check
+CVE-2026-34388 (Fleet is open source device management software. Prior to 4.81.0, a de ...)
+ TODO: check
+CVE-2026-34387 (Fleet is open source device management software. Prior to 4.81.1, a co ...)
+ TODO: check
+CVE-2026-34386 (Fleet is open source device management software. Prior to 4.81.0, a SQ ...)
+ TODO: check
+CVE-2026-34385 (Fleet is open source device management software. Prior to 4.81.0, a se ...)
+ TODO: check
+CVE-2026-34375 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34374 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34369 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34368 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34364 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34362 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34353 (In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, ...)
+ TODO: check
+CVE-2026-34352 (In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users ...)
+ TODO: check
+CVE-2026-34247 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34245 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-34226 (Happy DOM is a JavaScript implementation of a web browser without its ...)
+ TODO: check
+CVE-2026-34205 (Home Assistant is open source home automation software that puts local ...)
+ TODO: check
+CVE-2026-34046 (Langflow is a tool for building and deploying AI-powered agents and wo ...)
+ TODO: check
+CVE-2026-33996 (LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and pr ...)
+ TODO: check
+CVE-2026-33994 (Locutus brings stdlibs of other programming languages to JavaScript fo ...)
+ TODO: check
+CVE-2026-33993 (Locutus brings stdlibs of other programming languages to JavaScript fo ...)
+ TODO: check
+CVE-2026-33992 (pyLoad is a free and open-source download manager written in Python. P ...)
+ TODO: check
+CVE-2026-33991 (WeGIA is a web manager for charitable institutions. Prior to version 3 ...)
+ TODO: check
+CVE-2026-33989 (Mobile Next is an MCP server for mobile development and automation. Pr ...)
+ TODO: check
+CVE-2026-33981 (changedetection.io is a free open source web page change detection too ...)
+ TODO: check
+CVE-2026-33980 (Azure Data Explorer MCP Server is a Model Context Protocol (MCP) serve ...)
+ TODO: check
+CVE-2026-33979 (Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitize ...)
+ TODO: check
+CVE-2026-33976 (Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop ...)
+ TODO: check
+CVE-2026-33955 (Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop ...)
+ TODO: check
+CVE-2026-33954 (LinkAce is a self-hosted archive to collect website links. In versions ...)
+ TODO: check
+CVE-2026-33953 (LinkAce is a self-hosted archive to collect website links. Versions pr ...)
+ TODO: check
+CVE-2026-33946 (MCP Ruby SDK is the official Ruby SDK for Model Context Protocol serve ...)
+ TODO: check
+CVE-2026-33943 (Happy DOM is a JavaScript implementation of a web browser without its ...)
+ TODO: check
+CVE-2026-33941 (Handlebars provides the power necessary to let users build semantic te ...)
+ TODO: check
+CVE-2026-33940 (Handlebars provides the power necessary to let users build semantic te ...)
+ TODO: check
+CVE-2026-33939 (Handlebars provides the power necessary to let users build semantic te ...)
+ TODO: check
+CVE-2026-33938 (Handlebars provides the power necessary to let users build semantic te ...)
+ TODO: check
+CVE-2026-33937 (Handlebars provides the power necessary to let users build semantic te ...)
+ TODO: check
+CVE-2026-33936 (The `ecdsa` PyPI package is a pure Python implementation of ECC (Ellip ...)
+ TODO: check
+CVE-2026-33935 (MyTube is a self-hosted downloader and player for several video websit ...)
+ TODO: check
+CVE-2026-33916 (Handlebars provides the power necessary to let users build semantic te ...)
+ TODO: check
+CVE-2026-33907 (Ella Core is a 5G core designed for private networks. Versions prior t ...)
+ TODO: check
+CVE-2026-33906 (Ella Core is a 5G core designed for private networks. Prior to version ...)
+ TODO: check
+CVE-2026-33904 (Ella Core is a 5G core designed for private networks. Prior to version ...)
+ TODO: check
+CVE-2026-33903 (Ella Core is a 5G core designed for private networks. Versions prior t ...)
+ TODO: check
+CVE-2026-33896 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
+ TODO: check
+CVE-2026-33895 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
+ TODO: check
+CVE-2026-33894 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
+ TODO: check
+CVE-2026-33891 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
+ TODO: check
+CVE-2026-33890 (MyTube is a self-hosted downloader and player for several video websit ...)
+ TODO: check
+CVE-2026-33887 (Statamic is a Laravel and Git powered content management system (CMS). ...)
+ TODO: check
+CVE-2026-33886 (Statamic is a Laravel and Git powered content management system (CMS). ...)
+ TODO: check
+CVE-2026-33885 (Statamic is a Laravel and Git powered content management system (CMS). ...)
+ TODO: check
+CVE-2026-33884 (Statamic is a Laravel and Git powered content management system (CMS). ...)
+ TODO: check
+CVE-2026-33883 (Statamic is a Laravel and Git powered content management system (CMS). ...)
+ TODO: check
+CVE-2026-33882 (Statamic is a Laravel and Git powered content management system (CMS). ...)
+ TODO: check
+CVE-2026-33881 (Windmill is an open-source developer platform for internal code: APIs, ...)
+ TODO: check
+CVE-2026-33879 (Federated Learning and Interoperability Platform (FLIP) is an open-sou ...)
+ TODO: check
+CVE-2026-33875 (Gematik Authenticator securely authenticates users for login to digita ...)
+ TODO: check
+CVE-2026-33874 (Gematik Authenticator securely authenticates users for login to digita ...)
+ TODO: check
+CVE-2026-33873 (Langflow is a tool for building and deploying AI-powered agents and wo ...)
+ TODO: check
+CVE-2026-33872 (elixir-nodejs provides an Elixir API for calling Node.js functions. A ...)
+ TODO: check
+CVE-2026-33871 (Netty is an asynchronous, event-driven network application framework. ...)
+ TODO: check
+CVE-2026-33870 (Netty is an asynchronous, event-driven network application framework. ...)
+ TODO: check
+CVE-2026-33869 (Mastodon is a free, open-source social network server based on Activit ...)
+ TODO: check
+CVE-2026-33868 (Mastodon is a free, open-source social network server based on Activit ...)
+ TODO: check
+CVE-2026-33867 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33770 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33767 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33766 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33765 (Pi-hole Admin Interface is a web interface for managing Pi-hole, a net ...)
+ TODO: check
+CVE-2026-33764 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33763 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33761 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33759 (WWBN AVideo is an open source video platform. In versions up to and in ...)
+ TODO: check
+CVE-2026-33758 (OpenBao is an open source identity-based secrets management system. Pr ...)
+ TODO: check
+CVE-2026-33757 (OpenBao is an open source identity-based secrets management system. Pr ...)
+ TODO: check
+CVE-2026-33755 (Group-Office is an enterprise customer relationship management and gro ...)
+ TODO: check
+CVE-2026-33750 (The brace-expansion library generates arbitrary strings containing a c ...)
+ TODO: check
+CVE-2026-33748 (BuildKit is a toolkit for converting source code to build artifacts in ...)
+ TODO: check
+CVE-2026-33747 (BuildKit is a toolkit for converting source code to build artifacts in ...)
+ TODO: check
+CVE-2026-33745 (cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTT ...)
+ TODO: check
+CVE-2026-33744 (BentoML is a Python library for building online serving systems optimi ...)
+ TODO: check
+CVE-2026-33742 (Invoice Ninja is a source-available invoice, quote, project and time-t ...)
+ TODO: check
+CVE-2026-33739 (FOG is a free open-source cloning/imaging/rescue suite/inventory manag ...)
+ TODO: check
+CVE-2026-33738 (Lychee is a free, open-source photo-management tool. Prior to version ...)
+ TODO: check
+CVE-2026-33735 (MyTube is a self-hosted downloader and player for several video websit ...)
+ TODO: check
+CVE-2026-33730 (Open Source Point of Sale (opensourcepos) is a web based point of sale ...)
+ TODO: check
+CVE-2026-33729 (OpenFGA is a high-performance and flexible authorization/permission en ...)
+ TODO: check
+CVE-2026-33728 (dd-trace-java is a Datadog APM client for Java. In versions of dd-trac ...)
+ TODO: check
+CVE-2026-33726 (Cilium is a networking, observability, and security solution with an e ...)
+ TODO: check
+CVE-2026-33725 (Metabase is an open source business intelligence and embedded analytic ...)
+ TODO: check
+CVE-2026-33721 (MapServer is a system for developing web-based GIS applications. Start ...)
+ TODO: check
+CVE-2026-33718 (OpenHands is software for AI-driven development. Starting in version 1 ...)
+ TODO: check
+CVE-2026-33701 (OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrum ...)
+ TODO: check
+CVE-2026-33697 (Cocos AI is a confidential computing system for AI. The current implem ...)
+ TODO: check
+CVE-2026-33693 (Lemmy is a link aggregator and forum for the fediverse. Prior to versi ...)
+ TODO: check
+CVE-2026-33687 (Sharp is a content management framework built for Laravel as a package ...)
+ TODO: check
+CVE-2026-33686 (Sharp is a content management framework built for Laravel as a package ...)
+ TODO: check
+CVE-2026-33682 (Streamlit is a data oriented application development framework for pyt ...)
+ TODO: check
+CVE-2026-33674 (PrestaShop is an open source e-commerce web application. Versions prio ...)
+ TODO: check
+CVE-2026-33673 (PrestaShop is an open source e-commerce web application. Versions prio ...)
+ TODO: check
+CVE-2026-33672 (Picomatch is a glob matcher written JavaScript. Versions prior to 4.0. ...)
+ TODO: check
+CVE-2026-33671 (Picomatch is a glob matcher written JavaScript. Versions prior to 4.0. ...)
+ TODO: check
+CVE-2026-33670 (SiYuan is a personal knowledge management system. Prior to version 3.6 ...)
+ TODO: check
+CVE-2026-33669 (SiYuan is a personal knowledge management system. Prior to version 3.6 ...)
+ TODO: check
+CVE-2026-33664 (Kestra is an open-source, event-driven orchestration platform Versions ...)
+ TODO: check
+CVE-2026-33661 (Pay is an open-source payment SDK extension package for various Chines ...)
+ TODO: check
+CVE-2026-33658 (Active Storage allows users to attach cloud and local files in Rails a ...)
+ TODO: check
+CVE-2026-33654 (nanobot is a personal AI assistant. Prior to version 0.1.6, an indirec ...)
+ TODO: check
+CVE-2026-33653 (Ulloady is a file uploader script with multi-file upload support. A St ...)
+ TODO: check
+CVE-2026-33645 (Fireshare facilitates self-hosted media and link sharing. In version 1 ...)
+ TODO: check
+CVE-2026-33644 (Lychee is a free, open-source photo-management tool. Prior to version ...)
+ TODO: check
+CVE-2026-33640 (Outline is a service that allows for collaborative documentation. Outl ...)
+ TODO: check
+CVE-2026-33638 (Ech0 is an open-source, self-hosted publishing platform for personal i ...)
+ TODO: check
+CVE-2026-33635 (iCalendar is a Ruby library for dealing with iCalendar files in the iC ...)
+ TODO: check
+CVE-2026-33628 (Invoice Ninja is a source-available invoice, quote, project and time-t ...)
+ TODO: check
+CVE-2026-33623 (PinchTab is a standalone HTTP server that gives AI agents direct contr ...)
+ TODO: check
+CVE-2026-33622 (PinchTab is a standalone HTTP server that gives AI agents direct contr ...)
+ TODO: check
+CVE-2026-33621 (PinchTab is a standalone HTTP server that gives AI agents direct contr ...)
+ TODO: check
+CVE-2026-33620 (PinchTab is a standalone HTTP server that gives AI agents direct contr ...)
+ TODO: check
+CVE-2026-33619 (PinchTab is a standalone HTTP server that gives AI agents direct contr ...)
+ TODO: check
+CVE-2026-33559 (WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-sit ...)
+ TODO: check
+CVE-2026-33545 (MobSF is a mobile application security testing tool used. Prior to ver ...)
+ TODO: check
+CVE-2026-33541 (TSPortal is the WikiTide Foundation\u2019s in-house platform used by t ...)
+ TODO: check
+CVE-2026-33537 (Lychee is a free, open-source photo-management tool. The patch introdu ...)
+ TODO: check
+CVE-2026-33433 (Traefik is an HTTP reverse proxy and load balancer. Prior to versions ...)
+ TODO: check
+CVE-2026-33366 (Missing authentication for critical function vulnerability in BUFFALO ...)
+ TODO: check
+CVE-2026-33284 (GlobaLeaks is free and open-source whistleblowing software. Prior to v ...)
+ TODO: check
+CVE-2026-33280 (Hidden functionality issue exists in BUFFALO Wi-Fi router products, wh ...)
+ TODO: check
+CVE-2026-33206 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
+ TODO: check
+CVE-2026-33205 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
+ TODO: check
+CVE-2026-33045 (Home Assistant is open source home automation software that puts local ...)
+ TODO: check
+CVE-2026-33044 (Home Assistant is open source home automation software that puts local ...)
+ TODO: check
+CVE-2026-32984 (Wazuh authd contains a heap-buffer overflow vulnerability that allows ...)
+ TODO: check
+CVE-2026-32983 (Wazuh Manager authd service in wazuh-manager packages through version ...)
+ TODO: check
+CVE-2026-32859 (ByteDance Deer-Flow versions prior to commit 5dbb362contain a stored c ...)
+ TODO: check
+CVE-2026-32695 (Traefik is an HTTP reverse proxy and load balancer. Prior to versions ...)
+ TODO: check
+CVE-2026-32678 (Authentication bypass issue exists in BUFFALO Wi-Fi router products, w ...)
+ TODO: check
+CVE-2026-32669 (Code injection vulnerability exists in BUFFALO Wi-Fi router products. ...)
+ TODO: check
+CVE-2026-32241 (Flannel is a network fabric for containers, designed for Kubernetes. T ...)
+ TODO: check
+CVE-2026-32187 (Microsoft Edge (Chromium-based) Defense in Depth Vulnerability)
+ TODO: check
+CVE-2026-31951 (LibreChat is a ChatGPT clone with additional features. In versions 0.8 ...)
+ TODO: check
+CVE-2026-31950 (LibreChat is a ChatGPT clone with additional features. In versions 0.8 ...)
+ TODO: check
+CVE-2026-31945 (LibreChat is a ChatGPT clone with additional features. Versions 0.8.2- ...)
+ TODO: check
+CVE-2026-31943 (LibreChat is a ChatGPT clone with additional features. Prior to versio ...)
+ TODO: check
+CVE-2026-30689 (A blog.admin v.8.0 and before system's getinfobytoken API interface co ...)
+ TODO: check
+CVE-2026-30637 (Server-Side Request Forgery (SSRF) vulnerability exists in the AnnounC ...)
+ TODO: check
+CVE-2026-30576 (A Business Logic vulnerability exists in SourceCodester Pharmacy Produ ...)
+ TODO: check
+CVE-2026-30575 (A Business Logic vulnerability exists in SourceCodester Pharmacy Produ ...)
+ TODO: check
+CVE-2026-30574 (A Business Logic vulnerability exists in SourceCodester Pharmacy Produ ...)
+ TODO: check
+CVE-2026-30571 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceC ...)
+ TODO: check
+CVE-2026-30570 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceC ...)
+ TODO: check
+CVE-2026-30569 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceC ...)
+ TODO: check
+CVE-2026-30568 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceC ...)
+ TODO: check
+CVE-2026-30567 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceC ...)
+ TODO: check
+CVE-2026-30534 (A SQL Injection vulnerability exists in SourceCodester Online Food Ord ...)
+ TODO: check
+CVE-2026-30533 (A SQL Injection vulnerability exists in SourceCodester Online Food Ord ...)
+ TODO: check
+CVE-2026-30532 (A SQL Injection vulnerability exists in SourceCodester Online Food Ord ...)
+ TODO: check
+CVE-2026-30531 (A SQL Injection vulnerability exists in SourceCodester Online Food Ord ...)
+ TODO: check
+CVE-2026-30530 (A SQL Injection vulnerability exists in SourceCodester Online Food Ord ...)
+ TODO: check
+CVE-2026-30529 (A SQL Injection vulnerability exists in SourceCodester Online Food Ord ...)
+ TODO: check
+CVE-2026-30527 (A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCode ...)
+ TODO: check
+CVE-2026-30407
+ REJECTED
+CVE-2026-30304 (In its design for automatic terminal command execution, AI Code offers ...)
+ TODO: check
+CVE-2026-30303 (The command auto-approval module in Axon Code contains an OS Command I ...)
+ TODO: check
+CVE-2026-30302 (The command auto-approval module in CodeRider-Kilo contains an OS Comm ...)
+ TODO: check
+CVE-2026-29871 (A path traversal vulnerability exists in the awesome-llm-apps project ...)
+ TODO: check
+CVE-2026-29180 (Fleet is open source device management software. Prior to 4.81.1, a br ...)
+ TODO: check
+CVE-2026-29071 (Open WebUI is a self-hosted artificial intelligence platform designed ...)
+ TODO: check
+CVE-2026-29070 (Open WebUI is a self-hosted artificial intelligence platform designed ...)
+ TODO: check
+CVE-2026-28788 (Open WebUI is a self-hosted artificial intelligence platform designed ...)
+ TODO: check
+CVE-2026-28786 (Open WebUI is a self-hosted artificial intelligence platform designed ...)
+ TODO: check
+CVE-2026-28375 (A testdata data-source can be used to trigger out-of-memory crashes in ...)
+ TODO: check
+CVE-2026-28369 (A flaw was found in Undertow. When Undertow receives an HTTP request w ...)
+ TODO: check
+CVE-2026-28368 (A flaw was found in Undertow. This vulnerability allows a remote attac ...)
+ TODO: check
+CVE-2026-28367 (A flaw was found in Undertow. A remote attacker can exploit this vulne ...)
+ TODO: check
+CVE-2026-27880 (The OpenFeature feature toggle evaluation endpoint reads unbounded val ...)
+ TODO: check
+CVE-2026-27879 (A resample query can be used to trigger out-of-memory crashes in Grafa ...)
+ TODO: check
+CVE-2026-27877 (When using public dashboards and direct data-sources, all direct data- ...)
+ TODO: check
+CVE-2026-27876 (A chained attack via SQL Expressions and a Grafana Enterprise plugin c ...)
+ TODO: check
+CVE-2026-27650 (OS Command Injection vulnerability exists in BUFFALO Wi-Fi router prod ...)
+ TODO: check
+CVE-2026-27309 (Substance3D - Stager versions 3.1.7 and earlier are affected by a Use ...)
+ TODO: check
+CVE-2026-26061 (Fleet is open source device management software. Prior to 4.81.0, Flee ...)
+ TODO: check
+CVE-2026-26060 (Fleet is open source device management software. Prior to 4.81.0, a vu ...)
+ TODO: check
+CVE-2026-25101 (Bludit allows user's session identifier to be set before authenticatio ...)
+ TODO: check
+CVE-2026-25100 (Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image ...)
+ TODO: check
+CVE-2026-25099 (Bludit\u2019s API plugin allows an authenticated attacker with a valid ...)
+ TODO: check
+CVE-2026-23399 (In the Linux kernel, the following vulnerability has been resolved: n ...)
+ TODO: check
+CVE-2026-22744 (InRedisFilterExpressionConverterofspring-ai-redis-store, when a user-c ...)
+ TODO: check
+CVE-2026-22743 (Spring AI'sspring-ai-neo4j-storecontains a Cypher injection vulnerabil ...)
+ TODO: check
+CVE-2026-22742 (Spring AI's spring-ai-bedrock-conversecontains a Server-Side Request F ...)
+ TODO: check
+CVE-2026-22738 (In Spring AI, a SpEL injection vulnerability exists inSimpleVectorStor ...)
+ TODO: check
+CVE-2026-1679 (The eswifi socket offload driver copies user-provided payloads into a ...)
+ TODO: check
+CVE-2026-1496 (Vulnerable versions of Coverity Connect lack an error handler in the a ...)
+ TODO: check
+CVE-2026-1307 (The Ninja Forms - The Contact Form Builder That Grows With You plugin ...)
+ TODO: check
+CVE-2026-0748 (In the Drupal 7 Internationalization (i18n) module, the i18n_node subm ...)
+ TODO: check
+CVE-2025-69988 (BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Cont ...)
+ TODO: check
+CVE-2025-69986 (A buffer overflow vulnerability exists in the ONVIF GetStreamUri funct ...)
+ TODO: check
+CVE-2025-61190 (A Reflected Cross-Site Scripting (XSS) vulnerability has been identifi ...)
+ TODO: check
+CVE-2025-15617 (Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Acti ...)
+ TODO: check
+CVE-2025-15616 (Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contai ...)
+ TODO: check
+CVE-2025-15615 (Wazuh Manager authd service in wazuh-manager packages through version ...)
+ TODO: check
+CVE-2025-15612 (Wazuh provisioning scripts and Dockerfiles contain an insecure transpo ...)
+ TODO: check
+CVE-2025-15445 (The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecur ...)
+ TODO: check
+CVE-2025-15381 (In the latest version of mlflow/mlflow, when the `basic-auth` app is e ...)
+ TODO: check
+CVE-2025-13478 (Cache misconfiguration vulnerability in OpenText Identity Manager on W ...)
+ TODO: check
+CVE-2025-12886 (The Oxygen Theme theme for WordPress is vulnerable to Server-Side Requ ...)
+ TODO: check
+CVE-2024-14028 (Use after free vulnerability in Softing smartLink HW-DP or smartLink H ...)
+ TODO: check
+CVE-2024-11604 (Insertion of Sensitive Information into Log File vulnerability in the ...)
+ TODO: check
+CVE-2023-7340 (Wazuh authd contains a heap-buffer overflow vulnerability that allows ...)
+ TODO: check
+CVE-2023-7339 (Stack-based buffer overflow vulnerability in Softing Industrial Automa ...)
+ TODO: check
+CVE-2019-25652 (UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11 ...)
+ TODO: check
+CVE-2019-25651 (Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), ...)
+ TODO: check
+CVE-2026-33375 (The Grafana MSSQL data source plugin contains a logic flaw that allows ...)
NOT-FOR-US: Grafana MMSQL Data Source Plugin
-CVE-2026-28377
+CVE-2026-28377 (A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key i ...)
NOT-FOR-US: Grafana Tempo
-CVE-2026-27893
+CVE-2026-27893 (vLLM is an inference and serving engine for large language models (LLM ...)
- vllm <itp> (bug #1095237)
-CVE-2026-21724
+CVE-2026-21724 (A vulnerability has been discovered in Grafana OSS where an authorizat ...)
- grafana <removed>
-CVE-2026-4948 [Local unprivileged user can modify firewall state due to D-Bus setter mis-authorization]
+CVE-2026-4948 (A flaw was found in firewalld. A local unprivileged user can exploit t ...)
- firewalld <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2452086
TODO: check, needs checking if desktop policy authorization influencing etZoneSettings2 and setPolicySettings is RedHat specific
-CVE-2026-27855 [auth: OTP driver vulnerable to replay attack]
+CVE-2026-27855 (Dovecot OTP authentication is vulnerable to replay attack under specif ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27855-auth-otp-driver-vulnerable-to-replay-attack
-CVE-2026-27856 [doveadm: Credentials verified without timing safety]
+CVE-2026-27856 (Doveadm credentials are verified using direct comparison which is susc ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27856-doveadm-credentials-verified-without-timing-safety
-CVE-2026-27858 [managesieve-login out-of-memory DoS]
+CVE-2026-27858 (Attacker can send a specifically crafted message before authentication ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27858-managesieve-login-out-of-memory-dos
-CVE-2026-27857 [imap-login: Excessive memory usage DoS]
+CVE-2026-27857 (Sending "NOOP (((...)))" command with 4000 parenthesis open+close resu ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27857-imap-login-excessive-memory-usage-dos
-CVE-2026-27859 [regression: Message headers MIME parameter parsing can cause excessive CPU usage]
+CVE-2026-27859 (A mail message containing excessive amount of RFC 2231 MIME parameters ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27859-v3-0-2-regression-message-headers-mime-parameter-parsing-can-cause-excessive-cpu-usage
-CVE-2026-24031 [regression: SQL injection allows bypassing authentication]
+CVE-2026-24031 (Dovecot SQL based authentication can be bypassed when auth_username_ch ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-24031-v2-4-v3-1-regression-sql-injection-allows-bypassing-authentication
-CVE-2026-27860 [regression: auth-ldap is not escaping usernames]
+CVE-2026-27860 (If auth_username_chars is empty, it is possible to inject arbitrary LD ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27860-v2-4-v3-1-regression-auth-ldap-is-not-escaping-usernames
-CVE-2026-0394 [auth: Path traversal in passwd-file passdb using %d (domain) escapes base directory and opens /etc/passwdPre-auth path traversal in passwd-file passdb using %d (domain) escapes base directory and opens /etc/passwd]
+CVE-2026-0394 (When dovecot has been configured to use per-domain passwd files, and t ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-0394-auth-path-traversal-in-passwd-file-passdb-using-d-domain-escapes-base-directory-and-opens-etc-passwdpre-auth-path-traversal-in-passwd-file-passdb-using-d-domain-escapes-base-directory-and-opens-etc-passwd
-CVE-2025-59031 [decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing]
+CVE-2025-59031 (Dovecot has provided a script to use for attachment to text conversion ...)
- dovecot <unfixed> (unimportant)
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2025-59031-decode2text-sh-ooxml-extraction-may-follow-symlinks-and-read-unintended-files-during-indexing
NOTE: decode2text.sh only installed in dovecot-core/examples
-CVE-2025-59032 [regression: Pigeonhole: ManageSieve panic occurs with sieve-connect as a client]
+CVE-2025-59032 (ManageSieve AUTHENTICATE command crashes when using literal as SASL in ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2025-59032-v2-4-v3-1-regression-pigeonhole-managesieve-panic-occurs-with-sieve-connect-as-a-client
-CVE-2025-59028 [Invalid base64 authentication can cause DoS for other logins]
+CVE-2025-59028 (When sending invalid base64 SASL data, login process is disconnected f ...)
- dovecot <unfixed>
NOTE: https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2025-59028-invalid-base64-authentication-can-cause-dos-for-other-logins
-CVE-2026-3650
+CVE-2026-3650 (A memory leak exists in the Grassroots DICOM library (GDCM). The bug o ...)
- gdcm <unfixed> (bug #1132042)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2451988
TODO: check, vague report from Red Hat, no upstream details
-CVE-2026-1556
+CVE-2026-1556 (Information disclosure in the file URI processing of File (Field) Path ...)
- drupal7 <removed>
-CVE-2026-33542
+CVE-2026-33542 (Incus is a system container and virtual machine manager. Prior to vers ...)
- incus 6.0.6-2
- lxd <removed>
NOTE: https://github.com/lxc/incus/pull/3092
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r
-CVE-2026-33711
+CVE-2026-33711 (Incus is a system container and virtual machine manager. Incus provide ...)
- incus 6.0.6-2 (unimportant)
NOTE: https://github.com/lxc/incus/pull/3092
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x
NOTE: Kernel hardening with fs.protected_symlinks protects against exploiting
NOTE: the issue.
-CVE-2026-33743
+CVE-2026-33743 (Incus is a system container and virtual machine manager. Prior to vers ...)
- incus 6.0.6-2
- lxd <not-affected> (Vulnerable code not present)
NOTE: https://github.com/lxc/incus/pull/3092
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3
-CVE-2026-33897
+CVE-2026-33897 (Incus is a system container and virtual machine manager. Prior to vers ...)
- incus 6.0.6-2
[trixie] - incus <not-affected> (Vulnerable code not present)
- lxd <not-affected> (Vulnerable code not present)
NOTE: https://github.com/lxc/incus/pull/3092
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-83xr-5xxr-mh92
-CVE-2026-33898
+CVE-2026-33898 (Incus is a system container and virtual machine manager. Prior to vers ...)
- incus <unfixed> (unimportant)
NOTE: https://github.com/lxc/incus/pull/3092
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq
NOTE: "Web UI" HTML/JavaScript files not included in built binary packages
-CVE-2026-33945
+CVE-2026-33945 (Incus is a system container and virtual machine manager. Incus instanc ...)
- incus 6.0.6-2
- lxd <removed>
NOTE: https://github.com/lxc/incus/pull/3092
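Review bot: two typos in unchanged context lines of this hunk deserve a follow-up commit: the NOT-FOR-US line for CVE-2026-33375 reads "Grafana MMSQL Data Source Plugin" while the description directly above says MSSQL, and the TODO for CVE-2026-4948 refers to "etZoneSettings2", which looks like it lost its first character (the same line names setPolicySettings, so setZoneSettings2 is presumably the intended D-Bus method; confirm against the linked Red Hat bug before changing it). Separately, the (unimportant) rating on the new CVE-2026-33711 entry rests on the note that fs.protected_symlinks prevents exploitation; that note would carry more weight if it also recorded whether the sysctl is enabled by default on Debian installs, since the rating depends on it.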
@@ -481,7 +1057,7 @@ CVE-2026-4824 (A vulnerability has been found in Enter Software Iperius Backup u
NOT-FOR-US: Enter Software Iperius Backup
CVE-2026-4823 (A flaw has been found in Enter Software Iperius Backup up to 8.7.3. Af ...)
NOT-FOR-US: Enter Software Iperius Backup
-CVE-2026-4822 (A vulnerability was detected in Enter Software Iperius Backup bis 8.7. ...)
+CVE-2026-4822 (A vulnerability was detected in Enter Software Iperius Backup up to 8. ...)
NOT-FOR-US: Enter Software Iperius Backup
CVE-2026-4758 (The WP Job Portal plugin for WordPress is vulnerable to arbitrary file ...)
NOT-FOR-US: WordPress plugin
@@ -1427,6 +2003,7 @@ CVE-2024-51347 (A buffer overflow vulnerability in the dgiot binary in LSC Smart
CVE-2024-51346 (An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker t ...)
NOT-FOR-US: Eufy Homebase 2
CVE-2026-1519 (If a BIND resolver is performing DNSSEC validation and encounters a ma ...)
+ {DSA-6181-1}
- bind9 1:9.20.21-1
NOTE: https://kb.isc.org/docs/cve-2026-1519
NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/05c51d3a5aedf7cb56407c5df02f7ab6deaf5755 (v9.20.21)
@@ -2267,11 +2844,11 @@ CVE-2025-33216 (NVIDIA SNAP-4 Container contains a vulnerability in the configur
CVE-2025-33215 (NVIDIA SNAP-4 Container contains a vulnerability in the VIRTIO-BLK com ...)
TODO: check
CVE-2026-4371 (A malicious mail server could send malformed strings with negative len ...)
- {DSA-6179-1}
+ {DSA-6179-1 DLA-4511-1}
- thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4371
CVE-2026-3889 (Spoofing issue in Thunderbird. This vulnerability affects Thunderbird ...)
- {DSA-6179-1}
+ {DSA-6179-1 DLA-4511-1}
- thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-3889
CVE-2026-3836
@@ -2557,7 +3134,7 @@ CVE-2019-25627 (FlexHEX 2.71 contains a local buffer overflow vulnerability in t
CVE-2019-25626 (River Past Cam Do 3.7.6 contains a local buffer overflow vulnerability ...)
NOT-FOR-US: River Past Cam Do
CVE-2026-4721 (Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, T ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2568,7 +3145,7 @@ CVE-2026-4729 (Memory safety bugs present in Firefox 148 and Thunderbird 148. So
- firefox 149.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4729
CVE-2026-4720 (Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8 ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2576,7 +3153,7 @@ CVE-2026-4720 (Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4720
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4720
CVE-2026-4719 (Incorrect boundary conditions in the Graphics: Text component. This vu ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2584,7 +3161,7 @@ CVE-2026-4719 (Incorrect boundary conditions in the Graphics: Text component. Th
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4719
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4719
CVE-2026-4718 (Undefined behavior in the WebRTC: Signaling component. This vulnerabil ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2601,7 +3178,7 @@ CVE-2026-4726 (Denial-of-service in the XML component. This vulnerability affect
- firefox 149.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4726
CVE-2026-4717 (Privilege escalation in the Netmonitor component. This vulnerability a ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2609,7 +3186,7 @@ CVE-2026-4717 (Privilege escalation in the Netmonitor component. This vulnerabil
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4717
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4717
CVE-2026-4716 (Incorrect boundary conditions, uninitialized memory in the JavaScript ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2617,7 +3194,7 @@ CVE-2026-4716 (Incorrect boundary conditions, uninitialized memory in the JavaSc
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4716
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4716
CVE-2026-4715 (Uninitialized memory in the Graphics: Canvas2D component. This vulnera ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2625,7 +3202,7 @@ CVE-2026-4715 (Uninitialized memory in the Graphics: Canvas2D component. This vu
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4715
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4715
CVE-2026-4714 (Incorrect boundary conditions in the Audio/Video component. This vulne ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2633,7 +3210,7 @@ CVE-2026-4714 (Incorrect boundary conditions in the Audio/Video component. This
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4714
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4714
CVE-2026-4713 (Incorrect boundary conditions in the Graphics component. This vulnerab ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2658,7 +3235,7 @@ CVE-2026-4711 (Use-after-free in the Widget: Cocoa component. This vulnerability
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4711
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4711
CVE-2026-4710 (Incorrect boundary conditions in the Audio/Video component. This vulne ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2666,7 +3243,7 @@ CVE-2026-4710 (Incorrect boundary conditions in the Audio/Video component. This
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4710
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4710
CVE-2026-4709 (Incorrect boundary conditions in the Audio/Video: GMP component. This ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2674,7 +3251,7 @@ CVE-2026-4709 (Incorrect boundary conditions in the Audio/Video: GMP component.
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4709
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4709
CVE-2026-4708 (Incorrect boundary conditions in the Graphics component. This vulnerab ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2682,7 +3259,7 @@ CVE-2026-4708 (Incorrect boundary conditions in the Graphics component. This vul
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4708
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4708
CVE-2026-4707 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2690,7 +3267,7 @@ CVE-2026-4707 (Incorrect boundary conditions in the Graphics: Canvas2D component
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4707
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4707
CVE-2026-4706 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2698,7 +3275,7 @@ CVE-2026-4706 (Incorrect boundary conditions in the Graphics: Canvas2D component
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4706
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4706
CVE-2026-4705 (Undefined behavior in the WebRTC: Signaling component. This vulnerabil ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2706,7 +3283,7 @@ CVE-2026-4705 (Undefined behavior in the WebRTC: Signaling component. This vulne
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4705
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4705
CVE-2026-4704 (Denial-of-service in the WebRTC: Signaling component. This vulnerabili ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2720,7 +3297,7 @@ CVE-2026-4723 (Use-after-free in the JavaScript Engine component. This vulnerabi
- firefox 149.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4723
CVE-2026-4702 (JIT miscompilation in the JavaScript Engine component. This vulnerabil ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2731,7 +3308,7 @@ CVE-2026-4722 (Privilege escalation in the IPC component. This vulnerability aff
- firefox 149.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4722
CVE-2026-4701 (Use-after-free in the JavaScript Engine component. This vulnerability ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2739,7 +3316,7 @@ CVE-2026-4701 (Use-after-free in the JavaScript Engine component. This vulnerabi
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4701
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4701
CVE-2026-4700 (Mitigation bypass in the Networking: HTTP component. This vulnerabilit ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2747,7 +3324,7 @@ CVE-2026-4700 (Mitigation bypass in the Networking: HTTP component. This vulnera
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4700
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4700
CVE-2026-4699 (Incorrect boundary conditions in the Layout: Text and Fonts component. ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2755,7 +3332,7 @@ CVE-2026-4699 (Incorrect boundary conditions in the Layout: Text and Fonts compo
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4699
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4699
CVE-2026-4698 (JIT miscompilation in the JavaScript Engine: JIT component. This vulne ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2763,7 +3340,7 @@ CVE-2026-4698 (JIT miscompilation in the JavaScript Engine: JIT component. This
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4698
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4698
CVE-2026-4697 (Incorrect boundary conditions in the Audio/Video: Web Codecs component ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2771,7 +3348,7 @@ CVE-2026-4697 (Incorrect boundary conditions in the Audio/Video: Web Codecs comp
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4697
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4697
CVE-2026-4696 (Use-after-free in the Layout: Text and Fonts component. This vulnerabi ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2779,7 +3356,7 @@ CVE-2026-4696 (Use-after-free in the Layout: Text and Fonts component. This vuln
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4696
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4696
CVE-2026-4695 (Incorrect boundary conditions in the Audio/Video: Web Codecs component ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2787,7 +3364,7 @@ CVE-2026-4695 (Incorrect boundary conditions in the Audio/Video: Web Codecs comp
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4695
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4695
CVE-2026-4694 (Incorrect boundary conditions, integer overflow in the Graphics compon ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2795,7 +3372,7 @@ CVE-2026-4694 (Incorrect boundary conditions, integer overflow in the Graphics c
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4694
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4694
CVE-2026-4693 (Incorrect boundary conditions in the Audio/Video: Playback component. ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2803,7 +3380,7 @@ CVE-2026-4693 (Incorrect boundary conditions in the Audio/Video: Playback compon
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4693
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4693
CVE-2026-4692 (Sandbox escape in the Responsive Design Mode component. This vulnerabi ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2811,7 +3388,7 @@ CVE-2026-4692 (Sandbox escape in the Responsive Design Mode component. This vuln
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4692
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4692
CVE-2026-4691 (Use-after-free in the CSS Parsing and Computation component. This vuln ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2819,7 +3396,7 @@ CVE-2026-4691 (Use-after-free in the CSS Parsing and Computation component. This
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4691
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4691
CVE-2026-4690 (Sandbox escape due to incorrect boundary conditions, integer overflow ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2827,7 +3404,7 @@ CVE-2026-4690 (Sandbox escape due to incorrect boundary conditions, integer over
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4690
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4690
CVE-2026-4689 (Sandbox escape due to incorrect boundary conditions, integer overflow ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2835,7 +3412,7 @@ CVE-2026-4689 (Sandbox escape due to incorrect boundary conditions, integer over
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4689
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4689
CVE-2026-4688 (Sandbox escape due to use-after-free in the Disability Access APIs com ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2843,7 +3420,7 @@ CVE-2026-4688 (Sandbox escape due to use-after-free in the Disability Access API
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4688
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4688
CVE-2026-4687 (Sandbox escape due to incorrect boundary conditions in the Telemetry c ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2851,7 +3428,7 @@ CVE-2026-4687 (Sandbox escape due to incorrect boundary conditions in the Teleme
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4687
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4687
CVE-2026-4686 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2859,7 +3436,7 @@ CVE-2026-4686 (Incorrect boundary conditions in the Graphics: Canvas2D component
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4686
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4686
CVE-2026-4685 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2867,7 +3444,7 @@ CVE-2026-4685 (Incorrect boundary conditions in the Graphics: Canvas2D component
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4685
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4685
CVE-2026-4684 (Race condition, use-after-free in the Graphics: WebRender component. T ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
@@ -2948,7 +3525,7 @@ CVE-2026-4623 (A security vulnerability has been detected in DefaultFuction Jeso
NOT-FOR-US: DefaultFuction Jeson-Customer-Relationship-Management-System
CVE-2026-4617 (A weakness has been identified in SourceCodester Patients Waiting Area ...)
NOT-FOR-US: SourceCodester
-CVE-2026-4616 (A security flaw has been discovered in bolo-blog \uae4c\uc9c0 2.6.4. T ...)
+CVE-2026-4616 (A security flaw has been discovered in bolo-blog up to 2.6.4. The affe ...)
NOT-FOR-US: bolo-blog
CVE-2026-4615 (A vulnerability was identified in SourceCodester Online Catering Reser ...)
NOT-FOR-US: SourceCodester
@@ -3460,14 +4037,14 @@ CVE-2026-33347 (league/commonmark is a PHP Markdown parser. From version 2.3.0 t
[bookworm] - php-league-commonmark <no-dsa> (Minor issue)
NOTE: https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5
NOTE: Fixed by: https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b (2.8.2)
-CVE-2026-33699
+CVE-2026-33699 (pypdf is a free and open-source pure-python PDF library. Versions prio ...)
- pypdf 6.9.2-1
- pypdf2 <removed>
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3
NOTE: https://github.com/py-pdf/pypdf/pull/3693
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/02b1345f77fdbc006faccc301507df4fb1855413 (6.9.2)
CVE-2026-25075 (strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow ...)
- {DSA-6176-1}
+ {DSA-6176-1 DLA-4512-1}
- strongswan 6.0.5-1
NOTE: https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html
NOTE: Patch: https://download.strongswan.org/security/CVE-2026-25075/
@@ -4966,7 +5543,7 @@ CVE-2026-26139 (Server-side request forgery (ssrf) in Microsoft Purview allows a
NOT-FOR-US: Microsoft
CVE-2026-26138 (Server-side request forgery (ssrf) in Microsoft Purview allows an unau ...)
NOT-FOR-US: Microsoft
-CVE-2026-26137 (Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business ...)
+CVE-2026-26137 (Server-side request forgery (ssrf) in Microsoft Exchange allows an aut ...)
NOT-FOR-US: Microsoft
CVE-2026-26136 (Improper neutralization of special elements used in a command ('comman ...)
NOT-FOR-US: Microsoft
@@ -18057,7 +18634,7 @@ CVE-2026-27100 (Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run P
CVE-2026-27099 (Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.54 ...)
NOT-FOR-US: Jenkins (core or plugin)
CVE-2026-25500 (Rack is a modular Ruby web server interface. Prior to versions 2.2.22, ...)
- {DLA-4505-1}
+ {DSA-6180-1 DLA-4505-1}
- ruby-rack 3.2.5-1 (bug #1128480)
NOTE: https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
NOTE: Fixed by: https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff (main)
@@ -18067,7 +18644,7 @@ CVE-2026-25500 (Rack is a modular Ruby web server interface. Prior to versions 2
CVE-2026-23491 (InvoicePlane is a self-hosted open source application for managing inv ...)
NOT-FOR-US: InvoicePlane
CVE-2026-22860 (Rack is a modular Ruby web server interface. Prior to versions 2.2.22, ...)
- {DLA-4505-1}
+ {DSA-6180-1 DLA-4505-1}
- ruby-rack 3.2.5-1 (bug #1128479)
NOTE: https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
NOTE: Fixed by: https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7 (main)
@@ -21044,7 +21621,7 @@ CVE-2019-25306 (BlackMoon FTP Server 3.1.2.1731 contains an unquoted service pat
NOT-FOR-US: BlackMoon FTP Server
CVE-2018-25157 (Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability ...)
NOT-FOR-US: Phraseanet
-CVE-2026-0968 [Denial of Service due to malformed SFTP message]
+CVE-2026-0968 (A flaw was found in libssh in which a malicious SFTP (SSH File Transfe ...)
- libssh 0.12.0-1 (bug #1127693)
[trixie] - libssh <no-dsa> (Minor issue)
[bookworm] - libssh <no-dsa> (Minor issue)
@@ -21052,14 +21629,14 @@ CVE-2026-0968 [Denial of Service due to malformed SFTP message]
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0968.txt
NOTE: Tests: https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03 (libssh-0.11.4)
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9 (libssh-0.11.4)
-CVE-2026-0967 [Denial of Service via inefficient regular expression processing]
+CVE-2026-0967 (A flaw was found in libssh. A remote attacker, by controlling client c ...)
- libssh 0.12.0-1 (bug #1127693)
[trixie] - libssh <no-dsa> (Minor issue)
[bookworm] - libssh <no-dsa> (Minor issue)
[bullseye] - libssh <postponed> (Minor issue)
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0967.txt
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15 (libssh-0.11.4)
-CVE-2026-0966 [Buffer underflow in ssh_get_hexa() on invalid input]
+CVE-2026-0966 (The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input i ...)
- libssh 0.12.0-1 (bug #1127693)
[trixie] - libssh <no-dsa> (Minor issue)
[bookworm] - libssh <no-dsa> (Minor issue)
@@ -21068,14 +21645,14 @@ CVE-2026-0966 [Buffer underflow in ssh_get_hexa() on invalid input]
NOTE: Documentation: https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced (libssh-0.11.4)
NOTE: Tests: https://git.libssh.org/projects/libssh.git/commit/?id=b156391833c66322436cf177d57e10b0325fbcc8 (libssh-0.11.4)
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117 (libssh-0.11.4)
-CVE-2026-0965 [Denial of Service via improper configuration file handling]
+CVE-2026-0965 (A flaw was found in libssh where it can attempt to open arbitrary file ...)
- libssh 0.12.0-1 (bug #1127693)
[trixie] - libssh <no-dsa> (Minor issue)
[bookworm] - libssh <no-dsa> (Minor issue)
[bullseye] - libssh <postponed> (Minor issue)
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0965.txt
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76 (libssh-0.11.4)
-CVE-2026-0964 [Improper sanitation of paths received from SCP servers]
+CVE-2026-0964 (A malicious SCP server can send unexpected paths that could make the c ...)
- libssh 0.12.0-1 (bug #1127693)
[trixie] - libssh <no-dsa> (Minor issue)
[bookworm] - libssh <no-dsa> (Minor issue)
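Review bot: the trailing context for CVE-2026-0964 stops at the bookworm line, so its bullseye status is not visible in this hunk, whereas CVE-2026-0965 (and CVE-2026-0967 above) carry `[bullseye] - libssh <postponed> (Minor issue)`; confirm CVE-2026-0964 has the matching bullseye line just past the hunk boundary so that the four libssh entries, all fixed in `libssh 0.12.0-1 (bug #1127693)`, are tracked consistently across trixie, bookworm and bullseye.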
@@ -21151,12 +21728,12 @@ CVE-2025-12699 (The ZOLL ePCR IOS application reflects unsanitized user input in
NOT-FOR-US: ZOLL ePCR IOS
CVE-2025-10912 (Authorization Bypass Through User-Controlled Key vulnerability in Saas ...)
NOT-FOR-US: TemizlikYolda
-CVE-2026-2272 [ICO import integer overflow bypass leads to heap buffer overflow]
+CVE-2026-2272 (A flaw was found in GIMP. An integer overflow vulnerability exists whe ...)
{DSA-6139-1 DLA-4483-1}
- gimp 3.2.0~RC2-3.2 (bug #1127842)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/15617
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gimp/-/commit/058ada8f3ffc0a42b7dd1561a8817c8cc83b7d2a
-CVE-2026-2271 [GIMP PSP File Parsing Integer Overflow Leading to Heap Corruption]
+CVE-2026-2271 (A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote ...)
{DSA-6139-1 DLA-4483-1}
- gimp 3.2.0~RC2-3.2 (bug #1127841)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/15732
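Review bot: CVE-2026-2272 has both an issue link and a `NOTE: Fixed by:` commit, while the visible context for CVE-2026-2271 ends at the issue link `https://gitlab.gnome.org/GNOME/gimp/-/issues/15732`; check that a `Fixed by:` NOTE for CVE-2026-2271 exists past the hunk boundary, since both entries claim the same fixed version `gimp 3.2.0~RC2-3.2` and the same advisories `{DSA-6139-1 DLA-4483-1}` and the fixing commit is what lets the fix be verified in the package.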
@@ -21885,7 +22462,7 @@ CVE-2025-11547 (AXIS Camera Station Pro contained a flaw toperform a privilege e
NOT-FOR-US: Axis Communication
CVE-2025-11142 (The VAPIX API mediaclip.cgi that did not have a sufficient input valid ...)
NOT-FOR-US: Axis Communication
-CVE-2026-2239 [PSD loader: heap-buffer-overflow in fread_pascal_string() (no null terminator)]
+CVE-2026-2239 (A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in ...)
{DSA-6139-1 DLA-4483-1}
- gimp 3.2.0~RC2-3.2 (bug #1127838)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/15812
@@ -22617,7 +23194,7 @@ CVE-2020-37095 (Cyberoam Authentication Client 2.1.2.7 contains a buffer overflo
NOT-FOR-US: Cyberoam Authentication Client
CVE-2020-37079 (Wing FTP Server versions prior to 6.2.7 contain a cross-site request f ...)
NOT-FOR-US: Wing FTP Server
-CVE-2026-2100 [NULL dereference via C_DeriveKey with specific NULL parameters]
+CVE-2026-2100 (A flaw was found in p11-kit. A remote attacker could exploit this vuln ...)
[experimental] - p11-kit 0.26.2-1
- p11-kit 0.26.2-2
[trixie] - p11-kit <not-affected> (Vulnerable code introduced later)
@@ -23894,7 +24471,7 @@ CVE-2025-71192 (In the Linux kernel, the following vulnerability has been resolv
{DSA-6127-1 DSA-6126-1 DLA-4476-1}
- linux 6.18.8-1
NOTE: https://git.kernel.org/linus/830988b6cf197e6dcffdfe2008c5738e6c6c3c0f (6.19-rc5)
-CVE-2025-12805
+CVE-2025-12805 (A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. ...)
NOT-FOR-US: llama-stack-k8s-operator
CVE-2026-25510 (CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production ...)
NOT-FOR-US: CI4MS
@@ -65611,7 +66188,7 @@ CVE-2025-53860 (A vulnerability exists in F5OS-A software that allows a highly p
NOT-FOR-US: F5
CVE-2025-53856 (When a virtual server, network address translation (NAT) object, or se ...)
NOT-FOR-US: F5
-CVE-2025-53521 (When a BIG-IP APM Access Policy is configured on a virtual server, und ...)
+CVE-2025-53521 (When a BIG-IP APM access policy is configured on a virtual server, spe ...)
NOT-FOR-US: F5
CVE-2025-53474 (When an iRule using an ILX::callcommand is configured on a virtual ser ...)
NOT-FOR-US: F5
@@ -79415,7 +79992,7 @@ CVE-2025-59378 (In guix-daemon in GNU Guix before 1618ca7, a content-addressed-m
NOTE: Fixed by: https://codeberg.org/guix/guix/commit/f607aaaaaafe19257ef09ca519d325df6ae97e05
NOTE: Fixed by: https://codeberg.org/guix/guix/commit/9202921e812708b23788b2209cdb576d456f56db
CVE-2025-59375 (libexpat in Expat before 2.7.2 allows attackers to trigger large dynam ...)
- {DSA-6179-1 DSA-6178-1}
+ {DSA-6179-1 DSA-6178-1 DLA-4511-1 DLA-4510-1}
- firefox 149.0-1
- firefox-esr 140.9.0esr-1
- thunderbird 1:140.9.0esr-1
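Review bot: `DLA-4511-1 DLA-4510-1` are added to the advisory list for CVE-2025-59375, but the context lines show only the unstable fixed versions for `firefox`, `firefox-esr` and `thunderbird`, so the hunk does not say which package each DLA covers; confirm the two DLAs map to the bullseye updates of `firefox-esr` and `thunderbird` (the two ESR packages listed) so the oldstable status for this CVE resolves to fixed for both rather than leaving one package open.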
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e43e2d9e7a094ff3e886215aa7cb2fdb36ba6594