[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri May 1 21:40:30 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d20f438c by Salvatore Bonaccorso at 2026-05-01T22:40:19+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -82,21 +82,21 @@ CVE-2026-42477 (A heap-based out-of-bounds read vulnerability in RWObj_Reader::r
 CVE-2026-42476 (Two heap-based out-of-bounds read vulnerabilities in the STL ASCII fil ...)
 	TODO: check
 CVE-2026-42475 (SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via cr ...)
-	TODO: check
+	NOT-FOR-US: MixPHP Framework
 CVE-2026-42474 (SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via cr ...)
-	TODO: check
+	NOT-FOR-US: MixPHP Framework
 CVE-2026-42473 (Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2. ...)
-	TODO: check
+	NOT-FOR-US: MixPHP Framework
 CVE-2026-42472 (Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2. ...)
-	TODO: check
+	NOT-FOR-US: MixPHP Framework
 CVE-2026-42471 (Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2. ...)
-	TODO: check
+	NOT-FOR-US: MixPHP Framework
 CVE-2026-42469 (Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVM ...)
-	TODO: check
+	NOT-FOR-US: Open Vehicle Monitoring System
 CVE-2026-42468 (Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVM ...)
-	TODO: check
+	NOT-FOR-US: Open Vehicle Monitoring System
 CVE-2026-42467 (An issue was discovered in Open-SAE-J1939 thru commit b6caf884df46435e ...)
-	TODO: check
+	NOT-FOR-US: Open-SAE-J1939
 CVE-2026-42404 (Apache Neethi does not impose any restrictions on URIs when manually f ...)
 	TODO: check
 CVE-2026-42403 (Apache Neethi does not properly detect circular references in policy d ...)
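Review bot: The product labels in this hunk are internally consistent (all five MixPHP entries 42471-42475 use "MixPHP Framework", both OVMS entries 42468/42469 use "Open Vehicle Monitoring System"), but the OVMS label drops the "3" that the CVE description attaches to the product name ("Open Vehicle Monitoring System 3"); keeping the version-qualified name as it appears in the description makes later grep-based cross-checks against the CVE feed match exactly. The TODO left on CVE-2026-42476 (STL ASCII reader) and the Apache Neethi entries is correct, since nothing here triages them.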
@@ -104,7 +104,7 @@ CVE-2026-42403 (Apache Neethi does not properly detect circular references in po
 CVE-2026-42402 (Apache Neethi is vulnerable to a Denial of Service attack through algo ...)
 	TODO: check
 CVE-2026-40201 (@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows store ...)
-	TODO: check
+	NOT-FOR-US: diplodoc/search-extension
 CVE-2026-3772 (The WP Editor plugin for WordPress is vulnerable to Cross-Site Request ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-3143 (The Total Upkeep \u2013 WordPress Backup Plugin plus Restore & Migrate ...)
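Review bot: The label for CVE-2026-40201 drops the npm scope prefix present in the description ("@diplodoc/search-extension" becomes "diplodoc/search-extension"); suggest keeping the scoped package name verbatim, e.g. "NOT-FOR-US: @diplodoc/search-extension", so the entry matches the package identifier that tooling and the NVD text use.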
@@ -112,49 +112,49 @@ CVE-2026-3143 (The Total Upkeep \u2013 WordPress Backup Plugin plus Restore & Mi
 CVE-2026-3140 (The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Sit ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-37554 (An issue was discovered in Vanetza V2X v26.02 allowing remote unauthor ...)
-	TODO: check
+	NOT-FOR-US: Vanetza V2X
 CVE-2026-37552 (Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2. ...)
-	TODO: check
+	NOT-FOR-US: MixPHP Framework
 CVE-2026-37541 (Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVM ...)
-	TODO: check
+	NOT-FOR-US: Open Vehicle Monitoring System
 CVE-2026-37540 (OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: OpenAMP
 CVE-2026-37539 (Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsin ...)
-	TODO: check
+	NOT-FOR-US: cannelloni
 CVE-2026-37538 (Buffer overflow vulnerability in socketcand 0.4.2 in file socketcand.c ...)
-	TODO: check
+	NOT-FOR-US: socketcand
 CVE-2026-37537 (collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce43955833680 ...)
-	TODO: check
+	NOT-FOR-US: Open-SAE-J1939
 CVE-2026-37536 (miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10 ...)
-	TODO: check
+	NOT-FOR-US: miaofng/uds-c
 CVE-2026-37535 (openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2 ...)
-	TODO: check
+	NOT-FOR-US: openxc/isotp-c
 CVE-2026-37534 (Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884 ...)
-	TODO: check
+	NOT-FOR-US: Open-SAE-J1939
 CVE-2026-37532 (AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over ...)
-	TODO: check
+	NOT-FOR-US: AGL agl-service-can-low-level
 CVE-2026-37531 (AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal ...)
-	TODO: check
+	NOT-FOR-US: AGL app-framework-main
 CVE-2026-37530 (AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer ove ...)
-	TODO: check
+	NOT-FOR-US: AGL agl-service-can-low-level
 CVE-2026-37526 (AGL app-framework-binder (afb-daemon) through v19.90.0 allows any loca ...)
-	TODO: check
+	NOT-FOR-US: AGL app-framework-binder (afb-daemon)
 CVE-2026-37525 (AGL app-framework-binder (afb-daemon) through v19.90.0 contains a priv ...)
-	TODO: check
+	NOT-FOR-US: AGL app-framework-binder (afb-daemon)
 CVE-2026-37505 (SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/C ...)
-	TODO: check
+	NOT-FOR-US: V2Board
 CVE-2026-37504 (Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4 ...)
-	TODO: check
+	NOT-FOR-US: V2Board
 CVE-2026-37503 (Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html fiel ...)
-	TODO: check
+	NOT-FOR-US: V2Board
 CVE-2026-37457 (An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op ...)
 	TODO: check
 CVE-2026-35233 (An unprivileged attacker can craft a user-space process with a malicio ...)
 	TODO: check
 CVE-2026-30363 (flipperzero-firmware commit ad2a80 was discovered to contain a stack o ...)
-	TODO: check
+	NOT-FOR-US: flipperzero-firmware
 CVE-2026-26461 (A Command Injection vulnerability in the web management interface in A ...)
-	TODO: check
+	NOT-FOR-US: Aver
 CVE-2026-23866 (Incomplete validation of AI rich response messages for Instagram Reels ...)
 	TODO: check
 CVE-2026-23863 (An attachment spoofing issue in WhatsApp for Windows prior to v2.3000. ...)
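Review bot: CVE-2026-26461 is closed as "NOT-FOR-US: Aver", but the visible description is truncated at "web management interface in A ...", so the vendor name cannot be confirmed from the hunk itself; a fuller product name in the label (vendor plus device family) would make the verdict self-explanatory. Two smaller points: CVE-2026-37539 (cannelloni) and CVE-2026-37538 (socketcand) are standalone Linux CAN utilities rather than firmware stacks like the surrounding OVMS/AGL/OpenAMP entries, so a recorded check that no binary package in the archive ships them would strengthen those two NOT-FOR-US verdicts; and the three Open-SAE-J1939 entries (37534, 37537, 42467 in the first hunk) use the same label, which is good, even though 37537 names the upstream as "collin80/Open-SAE-J1939".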
@@ -1184,7 +1184,7 @@ CVE-2026-40600 (Chartbrew is an open-source web application that can connect dir
 CVE-2026-40595 (Chartbrew is an open-source web application that can connect directly  ...)
 	NOT-FOR-US: Chartbrew
 CVE-2026-39457 (When exchanging data over a socket, libnv uses select(2) to wait for d ...)
-	TODO: check
+	NOT-FOR-US: libnv in FreeBSD
 CVE-2026-38940 (Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 a ...)
 	NOT-FOR-US: RafyMrX TOKO-ONLINE-ROTI
 CVE-2026-38939 (Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0  ...)
@@ -1226,9 +1226,9 @@ CVE-2026-36756 (A Server-Side Request Forgery (SSRF) in the /plugins/-/install-f
 CVE-2026-36340 (An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote at ...)
 	NOT-FOR-US: Krayin CRM
 CVE-2026-35547 (When processing the header of an incoming message, libnv failed to pro ...)
-	TODO: check
+	NOT-FOR-US: libnv in FreeBSD
 CVE-2026-35514 (Chartbrew is an open-source web application that can connect directly  ...)
-	TODO: check
+	NOT-FOR-US: Chartbrew
 CVE-2026-34998
 	REJECTED
 CVE-2026-34997
@@ -2383,7 +2383,7 @@ CVE-2026-40551 (mpGabinet performs client-side authentication. An attacker with
 CVE-2026-40550 (mpGabinet is vulnerable to Privilege Escalation due to excessive datab ...)
 	NOT-FOR-US: mpGabinet
 CVE-2026-3323 (An unsecured configuration interface on affected devices allows unauth ...)
-	TODO: check
+	NOT-FOR-US: VEGA Grieshaber KG
 CVE-2026-38949 (Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 ...)
 	NOT-FOR-US: HTMLy
 CVE-2026-38948 (Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and ...)
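Review bot: CVE-2026-3323 is labelled "NOT-FOR-US: VEGA Grieshaber KG", yet the visible description ("An unsecured configuration interface on affected devices ...") names neither the vendor nor a product, so the mapping is not verifiable from this hunk; if the vendor came from the CVE source, consider naming the affected device family as well, since the tracker's NOT-FOR-US labels elsewhere in this patch name products (e.g. "Milesight cameras", "Chartbrew") rather than legal entities.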
@@ -2391,7 +2391,7 @@ CVE-2026-38948 (Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5
 CVE-2026-38651 (Authentication Bypass vulnerability exists in Netmaker versions prior  ...)
 	NOT-FOR-US: Netmaker
 CVE-2026-27760 (OpenCATS prior to commit 3002a29 contains a PHP code injection vulnera ...)
-	TODO: check
+	NOT-FOR-US: OpenCATS
 CVE-2025-67223 (The Aranda File Server (AFS) component in Aranda Software Aranda Servi ...)
 	NOT-FOR-US: Aranda Service Desk
 CVE-2025-60889 (Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 ...)
@@ -2627,15 +2627,15 @@ CVE-2026-3087 (If `shutil.unpack_archive()` is given a ZIP archive with an absol
 	NOTE: https://github.com/python/cpython/pull/146591
 	NOTE: https://github.com/python/cpython/issues/146581
 CVE-2026-32649 (A command injection vulnerability exists in the web server of specific ...)
-	TODO: check
+	NOT-FOR-US: Milesight cameras
 CVE-2026-32644 (Specific firmware versions of Milesight AIOT cameras use SSL certifica ...)
-	TODO: check
+	NOT-FOR-US: Milesight cameras
 CVE-2026-29971 (A reflected cross-site scripting (XSS) vulnerability exists in WebFile ...)
-	TODO: check
+	NOT-FOR-US: WebFileSys
 CVE-2026-28747 (A weak key generation vulnerability exists in specific firmware versio ...)
-	TODO: check
+	NOT-FOR-US: Milesight cameras
 CVE-2026-27785 (Specific firmware versions of Milesight AIOT camera firmware contain h ...)
-	TODO: check
+	NOT-FOR-US: Milesight cameras
 CVE-2026-20766 (An out-of-bounds memory access vulnerability exists in specific firmwa ...)
 	TODO: check
 CVE-2026-1460 (A post-authentication command injection vulnerability in the \u201cDom ...)
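Review bot: CVE-2026-20766 is left at "TODO: check" although its description follows the same template as the four entries closed here as "NOT-FOR-US: Milesight cameras" ("An out-of-bounds memory access vulnerability exists in specific firmwa ..."), and it sits in the same ID range as CVE-2026-32644/28747/27785, whose descriptions also open with "Specific firmware versions"; worth confirming whether it belongs to the same Milesight batch so it is triaged together with them rather than left behind. The WebFileSys entry (29971) is a distinct product and its separate label looks right.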
@@ -4430,7 +4430,7 @@ CVE-2026-27843 (A vulnerability exists inSenseLive X3050's web management interf
 CVE-2026-27841 (A vulnerability inSenseLiveX3050's web management interface allows sta ...)
 	NOT-FOR-US: SenseLive
 CVE-2026-26210 (KTransformers through 0.5.3 contains an unsafe deserialization vulnera ...)
-	TODO: check
+	NOT-FOR-US: KTransformers
 CVE-2026-26150 (Server-side request forgery (ssrf) in Microsoft Purview allows an unau ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-25874 (LeRobot through 0.5.1 contains an unsafe deserialization vulnerability ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d20f438ca4fe85fb43711402076946b61f2fc40f

-- 

