[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Mar 31 06:53:52 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3c6b1f46 by Salvatore Bonaccorso at 2026-03-31T07:53:41+02:00
Process some new NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2,9 +2,9 @@ CVE-2026-5170 (A user with access to the cluster with a limited set of privilege
- mongodb <removed>
NOTE: https://jira.mongodb.org/browse/SERVER-101758
CVE-2026-5165 (A flaw was found in virtio-win, specifically within the VirtIO Block ( ...)
- TODO: check
+ NOT-FOR-US: virtio Windows drivers
CVE-2026-5164 (A flaw was found in virtio-win. The `RhelDoUnMap()` function does not ...)
- TODO: check
+ NOT-FOR-US: virtio Windows drivers
CVE-2026-5147 (A security flaw has been discovered in YunaiV yudao-cloud up to 2026.0 ...)
NOT-FOR-US: YunaiV yudao-cloud
CVE-2026-5128 (A sensitive information exposure vulnerability exists in ArthurFiorett ...)
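Review bot: The NOT-FOR-US label on CVE-2026-5165 and CVE-2026-5164 reads "virtio Windows drivers", while both descriptions name the project as virtio-win; the other entries in this hunk use the product name exactly as the description gives it ("NOT-FOR-US: YunaiV yudao-cloud", and "NOT-FOR-US: TrueConf Client" further down), so "NOT-FOR-US: virtio-win" would keep these two entries findable by the upstream name and consistent with the file's convention.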
@@ -50,7 +50,7 @@ CVE-2026-3945 (An integer overflow vulnerability in the HTTP chunked transfer en
CVE-2026-3502 (TrueConf Client downloads application update code and applies it witho ...)
NOT-FOR-US: TrueConf Client
CVE-2026-3321 (A vulnerability of authorization bypass through user-controlled key in ...)
- TODO: check
+ NOT-FOR-US: ON24 Q&A chat
CVE-2026-34714 (Vim before 9.2.0272 allows code execution that happens immediately upo ...)
- vim <unfixed>
NOTE: https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
@@ -94,47 +94,47 @@ CVE-2026-30557 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in S
CVE-2026-30556 (A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceC ...)
NOT-FOR-US: SourceCodester
CVE-2026-30082 (Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit ...)
- TODO: check
+ NOT-FOR-US: IngEstate Server
CVE-2026-30077 (OpenAirInterface V2.2.0 AMF crashes when it fails to decode the messag ...)
- TODO: check
+ NOT-FOR-US: OpenAirInterface
CVE-2026-2328 (An unauthenticated remote attacker can exploit insufficient input vali ...)
- TODO: check
+ NOT-FOR-US: WAGO
CVE-2026-2287 (CrewAI does not properly check that Docker is still running during run ...)
- TODO: check
+ NOT-FOR-US: CrewAI
CVE-2026-2286 (CrewAI contains a server-side request forgery vulnerability that enabl ...)
- TODO: check
+ NOT-FOR-US: CrewAI
CVE-2026-2285 (CrewAI contains a arbitrary local file read vulnerability in the JSON ...)
- TODO: check
+ NOT-FOR-US: CrewAI
CVE-2026-2275 (The CrewAI CodeInterpreter tool falls back to SandboxPython when it ca ...)
- TODO: check
+ NOT-FOR-US: CrewAI
CVE-2026-29954 (In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator compon ...)
- TODO: check
+ NOT-FOR-US: KubePlus
CVE-2026-29953 (SQL Injection vulnerability in SchemaHero 0.23.0 via the column parame ...)
- TODO: check
+ NOT-FOR-US: SchemaHero
CVE-2026-29925 (Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Reque ...)
- TODO: check
+ NOT-FOR-US: Invoice Ninja
CVE-2026-29924 (Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) ...)
- TODO: check
+ NOT-FOR-US: Grav CMS
CVE-2026-29909 (MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnera ...)
- TODO: check
+ NOT-FOR-US: MRCMS
CVE-2026-29872 (A cross-session information disclosure vulnerability exists in the awe ...)
- TODO: check
+ NOT-FOR-US: awesome-llm-apps
CVE-2026-29597 (Incorrect access control in the file_details.asp endpoint of DDSN Inte ...)
- TODO: check
+ NOT-FOR-US: DDSN Interactive Acora CMS
CVE-2026-28528 (BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds r ...)
- TODO: check
+ NOT-FOR-US: BlueKitchen BTstack
CVE-2026-28527 (BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds r ...)
- TODO: check
+ NOT-FOR-US: BlueKitchen BTstack
CVE-2026-28526 (BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds r ...)
- TODO: check
+ NOT-FOR-US: BlueKitchen BTstack
CVE-2026-27508 (Smoothwall Express versions prior to 3.1 Update 13 contain a reflected ...)
- TODO: check
+ NOT-FOR-US: Smoothwall Express
CVE-2026-26352 (Smoothwall Express versions prior to 3.1 Update 13 contain a stored cr ...)
- TODO: check
+ NOT-FOR-US: Smoothwall Express
CVE-2026-25704 (A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCT ...)
TODO: check
CVE-2026-1612 (AL-KO Robolinho Update Software has hard-coded AWS Access and Secret k ...)
- TODO: check
+ NOT-FOR-US: AL-KO Robolinho Update Software
CVE-2025-66215 (OpenSC is an open source smart card tools and middleware. Prior to ver ...)
TODO: check
CVE-2025-66038 (OpenSC is an open source smart card tools and middleware. Prior to ver ...)
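Review bot: For CVE-2026-30082 and CVE-2026-2328 the NOT-FOR-US target (IngEstate Server, WAGO) does not appear anywhere in the visible description text ("Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit ...", "An unauthenticated remote attacker can exploit insufficient input vali ..."), so the triage cannot be checked from the hunk alone; for cases like these a NOTE: line carrying the advisory or vendor reference, as the mongodb and vim entries at the top of the file carry, would let a later reader confirm the mapping without re-fetching the CVE record. Leaving CVE-2026-25704 at TODO: check is consistent, since its truncated description names no product, and the OpenSC entries CVE-2025-66215 and CVE-2025-66038 likewise remain open in this commit.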
@@ -144,7 +144,7 @@ CVE-2025-66037 (OpenSC is an open source smart card tools and middleware. Prior
CVE-2025-49010 (OpenSC is an open source smart card tools and middleware. Prior to ver ...)
TODO: check
CVE-2025-3716 (User enumeration in ESET Protect (on-prem) viaResponse Timing.)
- TODO: check
+ NOT-FOR-US: ESET
CVE-2025-15379 (A command injection vulnerability exists in MLflow's model serving con ...)
NOT-FOR-US: mlflow
CVE-2019-25655 (Device Monitoring Studio 8.10.00.8925 contains a denial of service vul ...)
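Review bot: CVE-2025-49010 is left at TODO: check while the neighbouring ESET entry is resolved, so the whole OpenSC group (this entry together with CVE-2025-66037, CVE-2025-66215 and CVE-2025-66038 in the earlier hunks) stays open after this commit; when it is processed it should get either a package line with a version, in the form the mongodb and vim entries use ("- vim <unfixed>" plus a NOTE: with the advisory URL), or an explicit NOT-FOR-US, rather than remaining as four separate TODOs with the same truncated description.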
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c6b1f46f12051176092caa5207121adffb0204f
More information about the debian-security-tracker-commits mailing list