[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Mar 31 08:13:44 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ede2c45d by security tracker role at 2026-03-31T07:13:34+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,157 @@
+CVE-2026-5185 (A security flaw has been discovered in Nothings stb_image up to 2.30. ...)
+ TODO: check
+CVE-2026-5184 (A vulnerability was identified in TRENDnet TEW-713RE up to 1.02. The i ...)
+ TODO: check
+CVE-2026-5183 (A vulnerability was determined in TRENDnet TEW-713RE up to 1.02. The a ...)
+ TODO: check
+CVE-2026-5182 (A vulnerability was found in SourceCodester Teacher Record System 1.0. ...)
+ TODO: check
+CVE-2026-5181 (A vulnerability has been found in SourceCodester Simple Doctors Appoin ...)
+ TODO: check
+CVE-2026-5180 (A flaw has been found in SourceCodester Simple Doctors Appointment Sys ...)
+ TODO: check
+CVE-2026-5179 (A vulnerability was detected in SourceCodester Simple Doctors Appointm ...)
+ TODO: check
+CVE-2026-5178 (A security vulnerability has been detected in Totolink A3300R 17.0.0cu ...)
+ TODO: check
+CVE-2026-5177 (A weakness has been identified in Totolink A3300R 17.0.0cu.557_b202210 ...)
+ TODO: check
+CVE-2026-5176 (A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b2 ...)
+ TODO: check
+CVE-2026-5157 (A vulnerability was identified in code-projects Online Food Ordering S ...)
+ TODO: check
+CVE-2026-5156 (A vulnerability was determined in Tenda CH22 1.0.0.1. This impacts the ...)
+ TODO: check
+CVE-2026-5155 (A vulnerability was found in Tenda CH22 1.0.0.1. This affects the func ...)
+ TODO: check
+CVE-2026-5154 (A vulnerability has been found in Tenda CH22 1.0.0.1/1.If. The impacte ...)
+ TODO: check
+CVE-2026-5153 (A flaw has been found in Tenda CH22 1.0.0.1. The affected element is t ...)
+ TODO: check
+CVE-2026-5152 (A vulnerability was detected in Tenda CH22 1.0.0.1. Impacted is the fu ...)
+ TODO: check
+CVE-2026-5150 (A security vulnerability has been detected in code-projects Accounting ...)
+ TODO: check
+CVE-2026-5148 (A weakness has been identified in YunaiV yudao-cloud up to 2026.01. Th ...)
+ TODO: check
+CVE-2026-5130 (The Debugger & Troubleshooter plugin for WordPress was vulnerable to U ...)
+ TODO: check
+CVE-2026-5115 (The PaperCut NG/MF (specifically, the embedded application for Konica ...)
+ TODO: check
+CVE-2026-4794 (Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF ...)
+ TODO: check
+CVE-2026-4789 (Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unre ...)
+ TODO: check
+CVE-2026-4257 (The Contact Form by Supsystic plugin for WordPress is vulnerable to Se ...)
+ TODO: check
+CVE-2026-4146 (The Loco Translate plugin for WordPress is vulnerable to Reflected Cro ...)
+ TODO: check
+CVE-2026-4020 (The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Infor ...)
+ TODO: check
+CVE-2026-3881 (The Performance Monitor WordPress plugin through 1.0.6 does not valida ...)
+ TODO: check
+CVE-2026-3300 (The Everest Forms Pro plugin for WordPress is vulnerable to Remote Cod ...)
+ TODO: check
+CVE-2026-34881 (OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Se ...)
+ TODO: check
+CVE-2026-34558 (CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production ...)
+ TODO: check
+CVE-2026-34557 (CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production ...)
+ TODO: check
+CVE-2026-34073 (cryptography is a package designed to expose cryptographic primitives ...)
+ TODO: check
+CVE-2026-34070 (LangChain is a framework for building agents and LLM-powered applicati ...)
+ TODO: check
+CVE-2026-34060 (Ruby LSP is an implementation of the language server protocol for Ruby ...)
+ TODO: check
+CVE-2026-34054 (vcpkg is a free and open-source C/C++ package manager. Prior to versio ...)
+ TODO: check
+CVE-2026-34043 (Serialize JavaScript to a superset of JSON that includes regular expre ...)
+ TODO: check
+CVE-2026-34042 (act is a project which allows for local running of github actions. Pri ...)
+ TODO: check
+CVE-2026-34041 (act is a project which allows for local running of github actions. Pri ...)
+ TODO: check
+CVE-2026-34040 (Moby is an open source container framework. Prior to version 29.3.1, a ...)
+ TODO: check
+CVE-2026-34036 (Dolibarr is an enterprise resource planning (ERP) and customer relatio ...)
+ TODO: check
+CVE-2026-33997 (Moby is an open source container framework. Prior to version 29.3.1, a ...)
+ TODO: check
+CVE-2026-33026 (Nginx UI is a web user interface for the Nginx web server. Prior to ve ...)
+ TODO: check
+CVE-2026-32884 (Botan is a C++ cryptography library. Prior to version 3.11.0, during p ...)
+ TODO: check
+CVE-2026-32883 (Botan is a C++ cryptography library. From version 3.0.0 to before vers ...)
+ TODO: check
+CVE-2026-32877 (Botan is a C++ cryptography library. From version 2.3.0 to before vers ...)
+ TODO: check
+CVE-2026-32794 (Improper Certificate Validation vulnerability in Apache Airflow Provid ...)
+ TODO: check
+CVE-2026-32734 (baserCMS is a website development framework. Prior to version 5.2.3, b ...)
+ TODO: check
+CVE-2026-32727 (SciTokens is a reference library for generating and using SciTokens. P ...)
+ TODO: check
+CVE-2026-32716 (SciTokens is a reference library for generating and using SciTokens. P ...)
+ TODO: check
+CVE-2026-32714 (SciTokens is a reference library for generating and using SciTokens. P ...)
+ TODO: check
+CVE-2026-32696 (NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. ...)
+ TODO: check
+CVE-2026-32275 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
+ TODO: check
+CVE-2026-31946 (OpenOlat is an open source web-based e-learning platform for teaching, ...)
+ TODO: check
+CVE-2026-31831 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
+ TODO: check
+CVE-2026-31804 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
+ TODO: check
+CVE-2026-31799 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
+ TODO: check
+CVE-2026-30940 (baserCMS is a website development framework. Prior to version 5.2.3, a ...)
+ TODO: check
+CVE-2026-30880 (baserCMS is a website development framework. Prior to version 5.2.3, b ...)
+ TODO: check
+CVE-2026-30879 (baserCMS is a website development framework. Prior to version 5.2.3, b ...)
+ TODO: check
+CVE-2026-30878 (baserCMS is a website development framework. Prior to version 5.2.3, a ...)
+ TODO: check
+CVE-2026-30877 (baserCMS is a website development framework. Prior to version 5.2.3, t ...)
+ TODO: check
+CVE-2026-30313 (DSAI-Cline's command auto-approval module contains a critical OS comma ...)
+ TODO: check
+CVE-2026-30308 (In its design for automatic terminal command execution, HAI Build Code ...)
+ TODO: check
+CVE-2026-30307 (Roo Code's command auto-approval module contains a critical OS command ...)
+ TODO: check
+CVE-2026-30306 (In its design for automatic terminal command execution, SakaDev offers ...)
+ TODO: check
+CVE-2026-30305 (Syntx's command auto-approval module contains a critical OS command in ...)
+ TODO: check
+CVE-2026-28505 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
+ TODO: check
+CVE-2026-28228 (OpenOlat is an open source web-based e-learning platform for teaching, ...)
+ TODO: check
+CVE-2026-27697 (baserCMS is a website development framework. Prior to version 5.2.3, b ...)
+ TODO: check
+CVE-2026-27599 (CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production ...)
+ TODO: check
+CVE-2026-27018 (Gotenberg is an API for converting document formats. Prior to version ...)
+ TODO: check
+CVE-2026-25627 (NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. ...)
+ TODO: check
+CVE-2026-21861 (baserCMS is a website development framework. Prior to version 5.2.3, b ...)
+ TODO: check
+CVE-2026-1877 (The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Si ...)
+ TODO: check
+CVE-2026-1834 (The Ibtana \u2013 WordPress Website Builder plugin for WordPress is vu ...)
+ TODO: check
+CVE-2026-1797 (The Appointment Booking and Scheduler Plugin \u2013 Truebooker plugin ...)
+ TODO: check
+CVE-2026-1710 (The WooPayments: Integrated WooCommerce Payments plugin for WordPress ...)
+ TODO: check
+CVE-2025-32957 (baserCMS is a website development framework. Prior to version 5.2.3, t ...)
+ TODO: check
CVE-2026-5170 (A user with access to the cluster with a limited set of privilege acti ...)
- mongodb <removed>
NOTE: https://jira.mongodb.org/browse/SERVER-101758
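Review bot: the 77 new entries all land as bare "TODO: check" placeholders, and a large share of them (the SourceCodester, code-projects, TRENDnet TEW-713RE, Totolink A3300R and Tenda CH22 entries) describe PHP demo applications and consumer router firmware rather than anything shipped as a Debian package, so they are candidates for a quick NOT-FOR-US pass (the convention visible below, e.g. "NOT-FOR-US: IBM") to keep the real triage work, such as the cryptography, Botan, Moby, FreeRDP-style library entries, visible; also note that the description for CVE-2026-5154 carries the odd version string "1.0.0.1/1.If", which looks like a malformed upstream record worth double-checking against the source advisory before the entry is annotated.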
@@ -1775,39 +1929,39 @@ CVE-2025-14807 (IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is v
NOT-FOR-US: IBM
CVE-2025-14684 (IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8 ...)
NOT-FOR-US: IBM
-CVE-2026-33952 [DoS via WINPR_ASSERT in rts_read_auth_verifier_no_checks]
+CVE-2026-33952 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4v4p-9v5x-hc93
-CVE-2026-33977 [DoS via WINPR_ASSERT in IMA ADPCM audio decoder (dsp.c:331)]
+CVE-2026-33977 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5
-CVE-2026-33995 [double free in kerberos_AcceptSecurityContext and kerberos_IntitalizeSecurityContextA]
+CVE-2026-33995 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mv25-f4p2-5mxx
-CVE-2026-33984 [ClearCodec resize_vbar_entry() Heap OOB Write]
+CVE-2026-33984 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8469-2xcx-frf6
-CVE-2026-33983 [Progressive Codec Quant BYTE Underflow - UB + CPU DoS]
+CVE-2026-33983 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gfm-4p52-h478
-CVE-2026-33985 [ClearCodec Glyph Cache Count Desync - Heap OOB Read]
+CVE-2026-33985 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x6gr-8p7h-5h85
-CVE-2026-33986 [H.264 YUV Buffer Dimension Desync - Heap OOB Write]
+CVE-2026-33986 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97
-CVE-2026-33987 [Persistent Cache bmpSize Desync - Heap OOB Write]
+CVE-2026-33987 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ff8h-p5vc-wcwc
-CVE-2026-33982 [Persistent Cache Allocator Mismatch - Heap OOB Read]
+CVE-2026-33982 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- freerdp2 <removed>
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jm9-2925-g4v2
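Review bot: each of the nine replaced lines drops the hand-written bracketed summary (for example "[DoS via WINPR_ASSERT in IMA ADPCM audio decoder (dsp.c:331)]" and "[double free in kerberos_AcceptSecurityContext and kerberos_IntitalizeSecurityContextA]") in favour of the truncated official text "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...", which is identical for all nine CVEs and no longer tells a reader which component or function is affected; consider preserving each bracketed summary as an additional "NOTE:" line under its entry so the per-CVE distinction (OOB read vs. OOB write vs. double free vs. assertion DoS) survives alongside the GHSA link.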
@@ -3401,27 +3555,27 @@ CVE-2026-3889 (Spoofing issue in Thunderbird. This vulnerability affects Thunder
CVE-2026-3836
- dnf5 <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2445770
-CVE-2026-21717
+CVE-2026-21717 (A flaw in V8's string hashing mechanism causes integer-like strings to ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#hashdos-in-v8-cve-2026-21717---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/af5c144ebcf9814ef5dc74555bbdcd2a4cb20a12 (v20.20.2)
-CVE-2026-21716
+CVE-2026-21716 (An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and ` ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#cve-2024-36137-patch-bypass---filehandlechmodchown-cve-2026-21716---low
NOTE: Fixed by: https://github.com/nodejs/node/commit/012330956669e06864a674917de352d2d69ff51c (v20.20.2)
-CVE-2026-21715
+CVE-2026-21715 (A flaw in Node.js Permission Model filesystem enforcement leaves `fs.r ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#permission-model-bypass-in-realpathsyncnative-allows-file-existence-disclosure-cve-2026-21715---low
NOTE: Fixed by: https://github.com/nodejs/node/commit/00830712bc623ba04b08856462a56b79e29f5cc3 (v20.20.2)
-CVE-2026-21714
+CVE-2026-21714 (A memory leak occurs in Node.js HTTP/2 servers when a client sends WIN ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#memory-leak-in-nodejs-http2-server-via-window_update-on-stream-0-leads-to-resource-exhaustion-cve-2026-21714---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/a0c73425da4c95fbcf6c13b7fe8921301290b8e6 (v20.20.2)
-CVE-2026-21713
+CVE-2026-21713 (A flaw in Node.js HMAC verification uses a non-constant-time compariso ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#timing-side-channel-in-hmac-verification-via-memcmp-in-crypto_hmaccc-leads-to-potential-mac-forgery-cve-2026-21713---medium
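Review bot: the five "NOTE: Fixed by:" lines in this hunk cite commits tagged "(v20.20.2)" while the fixed Debian package is "nodejs 22.22.2+dfsg+~cs22.19.15-1" from the 22.x line; it would help to either cite the corresponding v22 commit or state that the v20 patch was the one backported, so that anyone verifying the DSA-6183-1 fix does not have to re-derive the mapping; for CVE-2026-21713 in particular (non-constant-time HMAC comparison) the fix is a small code-level change, so confirming the exact commit applied to the 22.x source is worthwhile.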
@@ -3429,10 +3583,10 @@ CVE-2026-21713
CVE-2026-21712 (A flaw in Node.js URL processing causes an assertion failure in native ...)
- nodejs <not-affected> (Vulnerable code not present)
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#assertion-error-in-node_urlcc-via-malformed-url-format-leads-to-nodejs-crash-cve-2026-21712---medium
-CVE-2026-21711
+CVE-2026-21711 (A flaw in Node.js Permission Model network enforcement leaves Unix Dom ...)
- nodejs <not-affected> (Vulnerable code not present)
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#nodejs-permission-model-bypass-uds-server-bindlisten-works-without---allow-net-cve-2026-21711---medium
-CVE-2026-21710
+CVE-2026-21710 (A flaw in Node.js HTTP request handling causes an uncaught `TypeError` ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#denial-of-service-via-__proto__-header-name-in-reqheadersdistinct-uncaught-typeerror-crashes-nodejs-process-cve-2026-21710---high
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ede2c45dca59f09a3a02f9d7f46012c3f9614176