[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat May 2 09:02:30 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b15aa7a3 by Salvatore Bonaccorso at 2026-05-02T10:02:14+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -73,15 +73,15 @@ CVE-2026-43058 (In the Linux kernel, the following vulnerability has been resolv
 	[trixie] - linux 6.12.85-1
 	NOTE: https://git.kernel.org/linus/5f8e73bde67e931468bc2a1860d78d72f0c6ba41 (7.1-rc1)
 CVE-2026-42788 (Allocation of Resources Without Limits or Throttling vulnerability in  ...)
-	TODO: check
+	NOT-FOR-US: Bandit (mtrudel/bandit, not the same as src:bandit)
 CVE-2026-42786 (Allocation of Resources Without Limits or Throttling vulnerability in  ...)
-	TODO: check
+	NOT-FOR-US: Bandit (mtrudel/bandit, not the same as src:bandit)
 CVE-2026-39807 (Reliance on Untrusted Inputs in a Security Decision vulnerability in m ...)
-	TODO: check
+	NOT-FOR-US: Bandit (mtrudel/bandit, not the same as src:bandit)
 CVE-2026-39805 (Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel  ...)
-	TODO: check
+	NOT-FOR-US: Bandit (mtrudel/bandit, not the same as src:bandit)
 CVE-2026-39804 (Allocation of Resources Without Limits or Throttling vulnerability in  ...)
-	TODO: check
+	NOT-FOR-US: Bandit (mtrudel/bandit, not the same as src:bandit)
 CVE-2025-8903
 	REJECTED
 CVE-2025-14726 (The Widgets for Social Photo Feed plugin for WordPress is vulnerable t ...)
@@ -255,9 +255,9 @@ CVE-2026-30363 (flipperzero-firmware commit ad2a80 was discovered to contain a s
 CVE-2026-26461 (A Command Injection vulnerability in the web management interface in A ...)
 	NOT-FOR-US: Aver
 CVE-2026-23866 (Incomplete validation of AI rich response messages for Instagram Reels ...)
-	TODO: check
+	NOT-FOR-US: WhatsApp for iOS and Android
 CVE-2026-23863 (An attachment spoofing issue in WhatsApp for Windows prior to v2.3000. ...)
-	TODO: check
+	NOT-FOR-US: WhatsApp
 CVE-2026-22167 (Software installed and run as a non-privileged user may conduct improp ...)
 	NOT-FOR-US: Imagination Technologies
 CVE-2026-22166 (A web page that contains unusual WebGPU content loaded into the GPU GL ...)
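Review bot: The NOT-FOR-US value for CVE-2026-23863 drops the platform that its own description names ("WhatsApp for Windows"), while the entry just above it records "WhatsApp for iOS and Android"; for consistency within this hunk, consider `NOT-FOR-US: WhatsApp for Windows` so the two entries are distinguishable when grepping the list by product.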
@@ -267,13 +267,13 @@ CVE-2026-22165 (A web page that contains unusual WebGPU content loaded into the
 CVE-2026-21996 (An unprivileged attacker can reliably trigger a crash of the dtrace pr ...)
 	TODO: check
 CVE-2025-69606 (Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP  ...)
-	TODO: check
+	NOT-FOR-US: GSVoIP web panel
 CVE-2025-63548 (An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote atta ...)
-	TODO: check
+	NOT-FOR-US: Eprosima Micro-XREC-DDS Agent
 CVE-2025-63547 (An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote atta ...)
-	TODO: check
+	NOT-FOR-US: Eprosima Micro-XREC-DDS Agent
 CVE-2025-52347 (An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0  ...)
-	TODO: check
+	NOT-FOR-US: PassMark
 CVE-2026-XXXX [RUSTSEC-2026-0119]
 	- rust-hickory-proto <unfixed>
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0119.html
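Review bot: The two new NOT-FOR-US lines for CVE-2025-63548 and CVE-2025-63547 reproduce the "Micro-XREC-DDS" spelling from the CVE description; the eProsima project is normally written Micro XRCE-DDS, so the CVE text appears to carry a transposition. Keeping the description's wording is fine, but adding the canonical spelling in the NOT-FOR-US value (or a NOTE) would let a later search for the real project name find these entries.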
@@ -1225,7 +1225,7 @@ CVE-2026-28532 (FRRouting before 10.5.3 contains an integer overflow vulnerabili
 	NOTE: Fixed by: https://github.com/FRRouting/frr/commit/d3e8aedb87671f38db59b0df908e25e1d4af027d (main)
 	NOTE: Fixed by: https://github.com/FRRouting/frr/commit/4b02ef93ef15030cb2d3d84a078cfb92e2c0aa84 (frr-10.5.3)
 CVE-2026-22726 (Route Services can be leveraged to send app traffic to network destina ...)
-	TODO: check
+	NOT-FOR-US: Cloudfoundry
 CVE-2026-1577 (IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UN ...)
 	NOT-FOR-US: IBM
 CVE-2025-56568 (Assertion failure vulnerability in the PCO (Protocol Configuration Opt ...)
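Review bot: Style point on the CVE-2026-22726 line: the project spells its name "Cloud Foundry" (two words), so `NOT-FOR-US: Cloud Foundry` would match the vendor's own naming and any existing entries that use that form.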
@@ -1363,11 +1363,11 @@ CVE-2026-31693 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2026-2892 (The Otter Blocks plugin for WordPress is vulnerable to Purchase Verifi ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-22070 (ColorOS Assistant has an unauthenticated start-download channel, leadi ...)
-	TODO: check
+	NOT-FOR-US: Oppo
 CVE-2026-1493 (LEX Baza Dokument\xf3w is vulnerable to DOM-based XSS in "em"cookie pa ...)
-	TODO: check
+	NOT-FOR-US: LEX Baza Dokumentow
 CVE-2025-71284 (Synway SMG Gateway Management Software contains an OS command injectio ...)
-	TODO: check
+	NOT-FOR-US: Synway SMG Gateway Management Software
 CVE-2025-51850
 	REJECTED
 CVE-2025-51849
@@ -1375,7 +1375,7 @@ CVE-2025-51849
 CVE-2025-51847
 	REJECTED
 CVE-2025-51846 (CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, un ...)
-	TODO: check
+	NOT-FOR-US: CryptPad
 CVE-2025-14576 (Insufficient validation of node IDs in Qt SVG module allows arbitrary  ...)
 	TODO: check
 CVE-2025-14543 (Improper Restriction of XML External Entity Reference vulnerability in ...)
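Review bot: Within this hunk's context, CVE-2025-14576 (Qt SVG module) is correctly left at `TODO: check` rather than being swept into the NFU pass, since Qt is packaged in Debian; it is worth flagging for an explicit follow-up so it is not mistaken for a missed NFU on the next triage round.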
@@ -1383,13 +1383,13 @@ CVE-2025-14543 (Improper Restriction of XML External Entity Reference vulnerabil
 CVE-2025-13890
 	REJECTED
 CVE-2024-39847 (Unauthenticated attackers can exploit a weakness in the XML parser fun ...)
-	TODO: check
+	NOT-FOR-US: 4D server
 CVE-2024-13971 (Unauthenticated attackers can exploit a weakness in the XML parser fun ...)
-	TODO: check
+	NOT-FOR-US: Lobster_pro
 CVE-2022-50993 (Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an un ...)
-	TODO: check
+	NOT-FOR-US: Weaver (Fanwei) E-office
 CVE-2022-50992 (Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitr ...)
-	TODO: check
+	NOT-FOR-US: Weaver (Fanwei) E-cology
 CVE-2026-39402
 	- lxc 1:7.0.0-1
 	[trixie] - lxc <no-dsa> (Minor issue)
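Review bot: CVE-2024-39847 and CVE-2024-13971 carry identical truncated descriptions ("Unauthenticated attackers can exploit a weakness in the XML parser fun ...") yet are assigned to different products (4D server and Lobster_pro); nothing visible in the entries distinguishes them, so a NOTE with the advisory or reference that identifies each product would document how the split was made and guard against the two being swapped later.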
@@ -1682,7 +1682,7 @@ CVE-2026-1858 (wget2 accepts a server certificate with incorrect Key Usage (KU)
 CVE-2025-50328 (A vulnerability in B1 Free Archiver v1.5.86 allows files extracted fro ...)
 	NOT-FOR-US: B1 Free Archiver
 CVE-2025-13030 (All versions of the package django-mdeditor are vulnerable to Missing  ...)
-	TODO: check
+	NOT-FOR-US: django-mdeditor
 CVE-2018-25318 (Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vuln ...)
 	NOT-FOR-US: Tenda
 CVE-2018-25317 (Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a ...)
@@ -2750,15 +2750,15 @@ CVE-2026-28747 (A weak key generation vulnerability exists in specific firmware
 CVE-2026-27785 (Specific firmware versions of Milesight AIOT camera firmware contain h ...)
 	NOT-FOR-US: Milesight cameras
 CVE-2026-20766 (An out-of-bounds memory access vulnerability exists in specific firmwa ...)
-	TODO: check
+	NOT-FOR-US: Milesight cameras
 CVE-2026-1460 (A post-authentication command injection vulnerability in the \u201cDom ...)
 	NOT-FOR-US: Zyxel
 CVE-2026-0711 (A post-authentication command injection vulnerability in the EasyMesh- ...)
 	NOT-FOR-US: Zyxel
 CVE-2025-69428 (An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to ...)
-	TODO: check
+	NOT-FOR-US: Pro-Bit
 CVE-2024-46636 (NASA Earth Observing System Data and Information System (EOSDIS) MODAP ...)
-	TODO: check
+	NOT-FOR-US: NASA Earth Observing System Data and Information System (EOSDIS) MODAPS
 CVE-2026-42167 (mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute ar ...)
 	- proftpd-dfsg 1.3.9~dfsg-5 (bug #1135119)
 	NOTE: https://github.com/proftpd/proftpd/issues/2052
@@ -4715,7 +4715,7 @@ CVE-2025-66286 (An API design flaw in WebKitGTK and WPE WebKit allows untrusted
 	NOTE: webkit API limitation
 	NOTE: https://bugs.webkit.org/show_bug.cgi?id=259787
 CVE-2025-62373 (Pipecat is an open-source Python framework for building real-time voic ...)
-	TODO: check
+	NOT-FOR-US: Pipecat
 CVE-2025-62110 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-62104 (Missing Authorization vulnerability in Navneil Naicker ACF Galerie 4 a ...)
@@ -5989,7 +5989,7 @@ CVE-2026-1395 (The Gutentools plugin for WordPress is vulnerable to Stored Cross
 CVE-2026-1379 (The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Si ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-0539 (Incorrect Default Permissions in pcvisit service binary on Windows all ...)
-	TODO: check
+	NOT-FOR-US: pcvisit
 CVE-2025-9957 (GitLab has remediated an issue in GitLab CE/EE affecting all versions  ...)
 	- gitlab <unfixed>
 CVE-2025-6016 (GitLab has remediated an issue in GitLab CE/EE affecting all versions  ...)
@@ -6001,31 +6001,31 @@ CVE-2025-3922 (GitLab has remediated an issue in GitLab CE/EE affecting all vers
 CVE-2025-0186 (GitLab has remediated an issue in GitLab CE/EE affecting all versions  ...)
 	- gitlab <unfixed>
 CVE-2024-58344 (Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerab ...)
-	TODO: check
+	NOT-FOR-US: Carbon Forum
 CVE-2018-25272 (ELBA5 5.8.0 contains a remote code execution vulnerability that allows ...)
-	TODO: check
+	NOT-FOR-US: ELBA5
 CVE-2018-25271 (Textpad 8.1.2 contains a denial of service vulnerability that allows l ...)
-	TODO: check
+	NOT-FOR-US: Textpad
 CVE-2018-25270 (ThinkPHP 5.0.23 contains a remote code execution vulnerability that al ...)
-	TODO: check
+	NOT-FOR-US: ThinkPHP
 CVE-2018-25269 (ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that al ...)
-	TODO: check
+	NOT-FOR-US: IceWarp
 CVE-2018-25268 (LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that a ...)
-	TODO: check
+	NOT-FOR-US: LanSpy
 CVE-2018-25267 (UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in  ...)
-	TODO: check
+	NOT-FOR-US: UltraISO
 CVE-2018-25266 (Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the ...)
-	TODO: check
+	NOT-FOR-US: Angry IP Scanner
 CVE-2018-25265 (LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the ...)
-	TODO: check
+	NOT-FOR-US: LanSpy
 CVE-2018-25262 (Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerab ...)
-	TODO: check
+	NOT-FOR-US: Angry IP Scanner
 CVE-2018-25261 (Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in ...)
-	TODO: check
+	NOT-FOR-US: Iperius Backup
 CVE-2018-25260 (MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the ...)
-	TODO: check
+	NOT-FOR-US: MAGIX Music Editor
 CVE-2018-25259 (Terminal Services Manager 3.1 contains a stack-based buffer overflow v ...)
-	TODO: check
+	NOT-FOR-US: Terminal Services Manager
 CVE-2014-125120
 	REJECTED
 CVE-2013-10056
@@ -15032,7 +15032,7 @@ CVE-2019-25679 (RealTerm Serial Terminal 2.0.0.70 contains a structured exceptio
 CVE-2019-25678 (C4G Basic Laboratory Information System 3.4 contains multiple SQL inje ...)
 	NOT-FOR-US: C4G Basic Laboratory Information System
 CVE-2019-25677 (WinRAR 5.61 contains a denial of service vulnerability that allows loc ...)
-	TODO: check
+	NOT-FOR-US: WinRAR
 CVE-2019-25676 (Ask Expert Script 3.0.5 contains cross-site scripting and SQL injectio ...)
 	NOT-FOR-US: Ask Expert Script
 CVE-2019-25675 (eDirectory contains multiple SQL injection vulnerabilities that allow  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b15aa7a3b50bead2aa6239cc54a0c20039466f6d
