[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 28 10:13:54 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e25840f6 by Salvatore Bonaccorso at 2026-03-28T11:13:30+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -52,41 +52,41 @@ CVE-2026-4968 (A vulnerability was determined in SourceCodester Diary App 1.0. T
CVE-2026-4966 (A flaw has been found in itsourcecode Free Hotel Reservation System 1. ...)
NOT-FOR-US: itsourcecode System
CVE-2026-4965 (A vulnerability was detected in letta-ai letta 0.16.4. This issue affe ...)
- TODO: check
+ NOT-FOR-US: letta-ai letta
CVE-2026-4964 (A security vulnerability has been detected in letta-ai letta 0.16.4. T ...)
- TODO: check
+ NOT-FOR-US: letta-ai letta
CVE-2026-4963 (A weakness has been identified in huggingface smolagents 1.25.0.dev0. ...)
- TODO: check
+ NOT-FOR-US: huggingface smolagents
CVE-2026-4962 (A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affecte ...)
- TODO: check
+ NOT-FOR-US: UltraVNC
CVE-2026-4961 (A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by t ...)
NOT-FOR-US: Tenda
CVE-2026-4960 (A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is t ...)
NOT-FOR-US: Tenda
CVE-2026-4959 (A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the fu ...)
- TODO: check
+ NOT-FOR-US: OpenBMB XAgent
CVE-2026-4958 (A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects t ...)
- TODO: check
+ NOT-FOR-US: OpenBMB XAgent
CVE-2026-4957 (A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is ...)
- TODO: check
+ NOT-FOR-US: OpenBMB XAgent
CVE-2026-4956 (A vulnerability was detected in Shenzhen Ruiming Technology Streamax C ...)
- TODO: check
+ NOT-FOR-US: Shenzhen Ruiming Technology Streamax Crocus
CVE-2026-4955 (A vulnerability was found in Shenzhen Ruiming Technology Streamax Croc ...)
- TODO: check
+ NOT-FOR-US: Shenzhen Ruiming Technology Streamax Crocus
CVE-2026-4954 (A security vulnerability has been detected in mingSoft MCMS up to 5.5. ...)
- TODO: check
+ NOT-FOR-US: mingSoft MCMS
CVE-2026-4953 (A weakness has been identified in mingSoft MCMS up to 5.5.0. This issu ...)
- TODO: check
+ NOT-FOR-US: mingSoft MCMS
CVE-2026-4933 (Incorrect Authorization vulnerability in Drupal Unpublished Node Permi ...)
NOT-FOR-US: Drupal core and addons
CVE-2026-4910 (A security vulnerability has been detected in Shenzhen Ruiming Technol ...)
- TODO: check
+ NOT-FOR-US: Shenzhen Ruiming Technology Streamax Crocus
CVE-2026-4909 (A weakness has been identified in code-projects Exam Form Submission 1 ...)
NOT-FOR-US: code-projects
CVE-2026-4908 (A security flaw has been discovered in code-projects Simple Laundry Sy ...)
NOT-FOR-US: code-projects
CVE-2026-4907 (A vulnerability was identified in Page-Replica Page Replica up to e4a7 ...)
- TODO: check
+ NOT-FOR-US: Page-Replica Page Replica
CVE-2026-4906 (A vulnerability was determined in Tenda AC5 15.03.06.47. The affected ...)
NOT-FOR-US: Tenda
CVE-2026-4905 (A vulnerability was found in Tenda AC5 15.03.06.47. Impacted is the fu ...)
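Review bot: the NOT-FOR-US tags added in this hunk follow a different naming style from the unchanged entries around them. The context lines tag by vendor only (`NOT-FOR-US: Tenda`, `NOT-FOR-US: code-projects`), while the new lines tag by vendor plus product (`NOT-FOR-US: letta-ai letta`, `NOT-FOR-US: Page-Replica Page Replica`). The vendor-plus-product form is the more useful one for later triage, but where vendor and product are the same word the repetition adds nothing; `NOT-FOR-US: letta` and `NOT-FOR-US: Page Replica` would match on the same search terms.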
@@ -104,13 +104,13 @@ CVE-2026-4899 (A security flaw has been discovered in code-projects Online Food
CVE-2026-4898 (A vulnerability was identified in code-projects Online Food Ordering S ...)
NOT-FOR-US: code-projects
CVE-2026-4622 (OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series ...)
- TODO: check
+ NOT-FOR-US: NEC
CVE-2026-4621 (Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series ...)
- TODO: check
+ NOT-FOR-US: NEC
CVE-2026-4620 (OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series ...)
- TODO: check
+ NOT-FOR-US: NEC
CVE-2026-4619 (Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allow ...)
- TODO: check
+ NOT-FOR-US: NEC
CVE-2026-4393 (Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Lo ...)
NOT-FOR-US: Drupal core and addons
CVE-2026-4346 (The vulnerability affecting TL-WR850N v3 allows cleartext storage of a ...)
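Review bot: the four entries for CVE-2026-4619 through CVE-2026-4622 are tagged `NOT-FOR-US: NEC`, vendor only, although each visible description names the product line as "NEC Platforms, Ltd. Aterm Series" and the other tags in this commit name the product. Suggest `NOT-FOR-US: NEC Aterm` so the tag still identifies what was triaged; the same applies to CVE-2026-4309 in the next hunk.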
@@ -118,7 +118,7 @@ CVE-2026-4346 (The vulnerability affecting TL-WR850N v3 allows cleartext storage
CVE-2026-4340
REJECTED
CVE-2026-4309 (Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Serie ...)
- TODO: check
+ NOT-FOR-US: NEC
CVE-2026-4248 (The Ultimate Member plugin for WordPress is vulnerable to Sensitive In ...)
NOT-FOR-US: WordPress plugin
CVE-2026-3622 (The vulnerability exists in the UPnP component of TL-WR841N v14, where ...)
@@ -142,81 +142,81 @@ CVE-2026-3526 (Incorrect Authorization vulnerability in Drupal File Access Fix (
CVE-2026-3525 (Incorrect Authorization vulnerability in Drupal File Access Fix (depre ...)
NOT-FOR-US: Drupal core and addons
CVE-2026-3457 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ NOT-FOR-US: Thales Sentinel LDK Runtime on Windows
CVE-2026-3098 (The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary Fil ...)
NOT-FOR-US: WordPress plugin
CVE-2026-34475 (Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in ...)
TODO: check
CVE-2026-34411 (Appsmith versions prior to 1.98 expose sensitive instance management A ...)
- TODO: check
+ NOT-FOR-US: Appsmith
CVE-2026-34391 (Fleet is open source device management software. Prior to 4.81.1, a vu ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-34389 (Fleet is open source device management software. Prior to 4.81.0, Flee ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-34388 (Fleet is open source device management software. Prior to 4.81.0, a de ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-34387 (Fleet is open source device management software. Prior to 4.81.1, a co ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-34386 (Fleet is open source device management software. Prior to 4.81.0, a SQ ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-34385 (Fleet is open source device management software. Prior to 4.81.0, a se ...)
- TODO: check
+ NOT-FOR-US: Fleet
CVE-2026-34375 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34374 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34369 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34368 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34364 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34362 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34353 (In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, ...)
TODO: check
CVE-2026-34352 (In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users ...)
TODO: check
CVE-2026-34247 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34245 (WWBN AVideo is an open source video platform. In versions up to and in ...)
- TODO: check
+ NOT-FOR-US: WWBN AVideo
CVE-2026-34226 (Happy DOM is a JavaScript implementation of a web browser without its ...)
- TODO: check
+ NOT-FOR-US: Happy DOM
CVE-2026-34205 (Home Assistant is open source home automation software that puts local ...)
- TODO: check
+ NOT-FOR-US: Home Assistant
CVE-2026-34046 (Langflow is a tool for building and deploying AI-powered agents and wo ...)
- TODO: check
+ NOT-FOR-US: Langflow
CVE-2026-33996 (LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and pr ...)
TODO: check
CVE-2026-33994 (Locutus brings stdlibs of other programming languages to JavaScript fo ...)
- TODO: check
+ NOT-FOR-US: Node Locutus
CVE-2026-33993 (Locutus brings stdlibs of other programming languages to JavaScript fo ...)
- TODO: check
+ NOT-FOR-US: Node Locutus
CVE-2026-33992 (pyLoad is a free and open-source download manager written in Python. P ...)
TODO: check
CVE-2026-33991 (WeGIA is a web manager for charitable institutions. Prior to version 3 ...)
NOT-FOR-US: WeGIA
CVE-2026-33989 (Mobile Next is an MCP server for mobile development and automation. Pr ...)
- TODO: check
+ NOT-FOR-US: Mobile Next
CVE-2026-33981 (changedetection.io is a free open source web page change detection too ...)
- TODO: check
+ NOT-FOR-US: changedetection.io
CVE-2026-33980 (Azure Data Explorer MCP Server is a Model Context Protocol (MCP) serve ...)
- TODO: check
+ NOT-FOR-US: Azure Data Explorer MCP Server
CVE-2026-33979 (Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitize ...)
- TODO: check
+ NOT-FOR-US: Node express-xss-sanitizer
CVE-2026-33976 (Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop ...)
- TODO: check
+ NOT-FOR-US: Notesnook
CVE-2026-33955 (Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop ...)
- TODO: check
+ NOT-FOR-US: Notesnook
CVE-2026-33954 (LinkAce is a self-hosted archive to collect website links. In versions ...)
- TODO: check
+ NOT-FOR-US: LinkAce
CVE-2026-33953 (LinkAce is a self-hosted archive to collect website links. Versions pr ...)
- TODO: check
+ NOT-FOR-US: LinkAce
CVE-2026-33946 (MCP Ruby SDK is the official Ruby SDK for Model Context Protocol serve ...)
- TODO: check
+ NOT-FOR-US: MCP Ruby SDK
CVE-2026-33943 (Happy DOM is a JavaScript implementation of a web browser without its ...)
- TODO: check
+ NOT-FOR-US: Happy DOM
CVE-2026-33941 (Handlebars provides the power necessary to let users build semantic te ...)
TODO: check
CVE-2026-33940 (Handlebars provides the power necessary to let users build semantic te ...)
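Review bot: the ecosystem prefix is applied unevenly in this hunk. CVE-2026-33993, CVE-2026-33994 and CVE-2026-33979 get `NOT-FOR-US: Node Locutus` and `NOT-FOR-US: Node express-xss-sanitizer`, but Happy DOM, which its own description calls "a JavaScript implementation of a web browser", is tagged plain `NOT-FOR-US: Happy DOM` at both CVE-2026-34226 and CVE-2026-33943. Pick one convention for JavaScript packages so a search for the `Node` prefix returns all of them, or none.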
@@ -230,17 +230,17 @@ CVE-2026-33937 (Handlebars provides the power necessary to let users build seman
CVE-2026-33936 (The `ecdsa` PyPI package is a pure Python implementation of ECC (Ellip ...)
TODO: check
CVE-2026-33935 (MyTube is a self-hosted downloader and player for several video websit ...)
- TODO: check
+ NOT-FOR-US: MyTube
CVE-2026-33916 (Handlebars provides the power necessary to let users build semantic te ...)
TODO: check
CVE-2026-33907 (Ella Core is a 5G core designed for private networks. Versions prior t ...)
- TODO: check
+ NOT-FOR-US: Ella Core
CVE-2026-33906 (Ella Core is a 5G core designed for private networks. Prior to version ...)
- TODO: check
+ NOT-FOR-US: Ella Core
CVE-2026-33904 (Ella Core is a 5G core designed for private networks. Prior to version ...)
- TODO: check
+ NOT-FOR-US: Ella Core
CVE-2026-33903 (Ella Core is a 5G core designed for private networks. Versions prior t ...)
- TODO: check
+ NOT-FOR-US: Ella Core
CVE-2026-33896 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
TODO: check
CVE-2026-33895 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
@@ -250,29 +250,29 @@ CVE-2026-33894 (Forge (also called `node-forge`) is a native implementation of T
CVE-2026-33891 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
TODO: check
CVE-2026-33890 (MyTube is a self-hosted downloader and player for several video websit ...)
- TODO: check
+ NOT-FOR-US: MyTube
CVE-2026-33887 (Statamic is a Laravel and Git powered content management system (CMS). ...)
- TODO: check
+ NOT-FOR-US: Statamic CMS
CVE-2026-33886 (Statamic is a Laravel and Git powered content management system (CMS). ...)
- TODO: check
+ NOT-FOR-US: Statamic CMS
CVE-2026-33885 (Statamic is a Laravel and Git powered content management system (CMS). ...)
- TODO: check
+ NOT-FOR-US: Statamic CMS
CVE-2026-33884 (Statamic is a Laravel and Git powered content management system (CMS). ...)
- TODO: check
+ NOT-FOR-US: Statamic CMS
CVE-2026-33883 (Statamic is a Laravel and Git powered content management system (CMS). ...)
- TODO: check
+ NOT-FOR-US: Statamic CMS
CVE-2026-33882 (Statamic is a Laravel and Git powered content management system (CMS). ...)
- TODO: check
+ NOT-FOR-US: Statamic CMS
CVE-2026-33881 (Windmill is an open-source developer platform for internal code: APIs, ...)
- TODO: check
+ NOT-FOR-US: Windmill
CVE-2026-33879 (Federated Learning and Interoperability Platform (FLIP) is an open-sou ...)
- TODO: check
+ NOT-FOR-US: Federated Learning and Interoperability Platform (FLIP)
CVE-2026-33875 (Gematik Authenticator securely authenticates users for login to digita ...)
- TODO: check
+ NOT-FOR-US: Gematik Authenticator
CVE-2026-33874 (Gematik Authenticator securely authenticates users for login to digita ...)
- TODO: check
+ NOT-FOR-US: Gematik Authenticator
CVE-2026-33873 (Langflow is a tool for building and deploying AI-powered agents and wo ...)
- TODO: check
+ NOT-FOR-US: Langflow
CVE-2026-33872 (elixir-nodejs provides an Elixir API for calling Node.js functions. A ...)
TODO: check
CVE-2026-33871 (Netty is an asynchronous, event-driven network application framework. ...)
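Review bot: `NOT-FOR-US: Windmill` at CVE-2026-33881 is a single generic word and gives a later reader little to match against; the description identifies it as "an open-source developer platform for internal code", so a qualified tag such as `NOT-FOR-US: Windmill developer platform` would be clearer. The Statamic entries already do this with `Statamic CMS`, so the qualified form is consistent with the rest of the hunk.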
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e25840f699fbd9c4cc1503072e074196cffe8aab