[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue May 5 11:50:18 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ecbf6ba2 by Moritz Muehlenhoff at 2026-05-05T12:40:45+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -34,7 +34,7 @@ CVE-2026-7780 (A weakness has been identified in Open5GS up to 2.7.7. Affected b
CVE-2026-7779 (A security flaw has been discovered in Open5GS up to 2.7.7. Affected i ...)
- open5gs <itp> (bug #1094791)
CVE-2026-7776 (Boundary Community Edition and Boundary Enterprise (\u201cBoundary\u20 ...)
- TODO: check
+ NOT-FOR-US: Boundary
CVE-2026-7768 (@fastify/accepts-serializer cached serializer-selection results keyed ...)
NOT-FOR-US: @fastify/accepts-serializer
CVE-2026-7750 (A vulnerability was detected in Totolink N300RH 3.2.4-B20220812. This ...)
@@ -78,7 +78,7 @@ CVE-2026-6499 (Incorrect Permission Assignment for Critical Resource vulnerabili
CVE-2026-6418 (An issue was discovered in the Shared Account Synchronization componen ...)
NOT-FOR-US: PaperCut
CVE-2026-6321 (fast-uri decoded percent-encoded path separators and dot segments befo ...)
- TODO: check
+ NOT-FOR-US: Node fast-uri
CVE-2026-6266 (A flaw was found in the AAP gateway. The user auto-link strategy, intr ...)
NOT-FOR-US: Red Hat AAP gateway
CVE-2026-6255 (The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored ...)
@@ -201,7 +201,7 @@ CVE-2026-42140 (PlantUML Macro is a macro for rendering UML diagrams from simple
CVE-2026-42138 (Dify is an open-source LLM app development platform. Prior to version ...)
NOT-FOR-US: Dify
CVE-2026-42092 (titra is an open source time tracking project. In version 0.99.52, the ...)
- TODO: check
+ NOT-FOR-US: titra
CVE-2026-42091 (goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the ...)
NOT-FOR-US: goshs
CVE-2026-42090 (Notesnook is a note-taking app focused on user privacy & ease of use. ...)
@@ -268,7 +268,7 @@ CVE-2026-3120 (Improper Control of Generation of Code ('Code Injection') vulnera
CVE-2026-38751 (OpenSTAManager version 2.10 and earlier contains an arbitrary file upl ...)
TODO: check
CVE-2026-38669 (wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a ...)
- TODO: check
+ NOT-FOR-US: cCMS
CVE-2026-37461 (An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) o ...)
TODO: check
CVE-2026-37459 (An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 all ...)
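Review bot: the annotation added for CVE-2026-38669 reads "NOT-FOR-US: cCMS", but the description on the same entry names the product as "wCMS v.1.4"; the product name in the NOT-FOR-US line should match, so change it to "NOT-FOR-US: wCMS" so the entry is findable by the name the CVE text uses.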
@@ -276,7 +276,7 @@ CVE-2026-37459 (An integer underflow in FRRouting (FRR) stable/10.0 to stable/10
CVE-2026-37458 (Missing input validation in the MP_REACH_NLRI component of FRRouting ( ...)
TODO: check
CVE-2026-36365 (An issue in Lymphatus caesium-image-compressor All versions up to and ...)
- TODO: check
+ NOT-FOR-US: caesium-image-compressor
CVE-2026-35228 (Vulnerability in the Oracle MCP Server Helper Tool product of Oracle O ...)
TODO: check
CVE-2026-34882
@@ -312,9 +312,9 @@ CVE-2026-33006 (A timing attack against mod_auth_digest in Apache HTTP Server 2.
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html
NOTE: https://github.com/apache/httpd/commit/4833b58c484c4eb8b429887b472bf4967cf88320 (2.4.67-rc1-candidate)
CVE-2026-32834 (Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earl ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-31205 (Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev all ...)
- TODO: check
+ NOT-FOR-US: Pluck CMS
CVE-2026-2948 (The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2868 (The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem ...)
@@ -333,21 +333,21 @@ CVE-2026-29169 (A NULL pointer dereference in mod_dav_lock in Apache HTTP Server
CVE-2026-29004 (BusyBox before commit 42202bf contains a heap buffer overflow vulnerab ...)
TODO: check
CVE-2026-26956 (vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 i ...)
- TODO: check
+ NOT-FOR-US: vm2
CVE-2026-26332 (vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, ...)
- TODO: check
+ NOT-FOR-US: vm2
CVE-2026-25863 (Conditional Fields for Contact Form 7 WordPress plugin through version ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-25293 (Buffer overflow due to incorrect authorization in PLC FW)
NOT-FOR-US: Qualcomm
CVE-2026-25266 (Memory corruption while processing IOCTL command when device is in pow ...)
NOT-FOR-US: Qualcomm
CVE-2026-24781 (vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, ...)
- TODO: check
+ NOT-FOR-US: vm2
CVE-2026-24120 (vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, ...)
- TODO: check
+ NOT-FOR-US: vm2
CVE-2026-24118 (vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, ...)
- TODO: check
+ NOT-FOR-US: vm2
CVE-2026-24082 (Memory Corruption when copying data from a freed source while executin ...)
NOT-FOR-US: Qualcomm
CVE-2026-24072 (An escalation of privilege bug in various modules in Apache HTTP 2.4.6 ...)
@@ -371,9 +371,9 @@ CVE-2025-70071 (An issue in Assimp v.6.0.2 allows a remote attacker to cause a d
- assimp <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2465675
CVE-2025-67796 (IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that al ...)
- TODO: check
+ - rdiffweb <itp> (bug #969974)
CVE-2025-58074 (A privilege escalation vulnerability exists during the installation of ...)
- TODO: check
+ NOT-FOR-US: Norton
CVE-2025-47408 (Memory corruption when another driver calls an IOCTL with invalid inpu ...)
NOT-FOR-US: Qualcomm
CVE-2025-47407 (Memory corruption while creating a process on the digital signal proce ...)
@@ -389,11 +389,11 @@ CVE-2025-47403 (Transient DOS when processing a malformed Fast Transition respon
CVE-2025-47401 (Transient DOS when processing target power rate tables during channel ...)
NOT-FOR-US: Qualcomm
CVE-2025-14320 (Improper neutralization of input during web page generation ('cross-si ...)
- TODO: check
+ NOT-FOR-US: Tegsoft
CVE-2025-13618 (The Mentoring plugin for WordPress is vulnerable to privilege escalati ...)
NOT-FOR-US: WordPress plugin
CVE-2025-13605 (3onedata modbus gateway device modelGW1101-1D(RS-485)-TB-P (hardware v ...)
- TODO: check
+ NOT-FOR-US: 3onedata modbus gateway
CVE-2026-43870
[experimental] - thrift 0.23.0-1
- thrift <unfixed> (unimportant)
@@ -546,9 +546,9 @@ CVE-2026-42365 (A guessable session cookie vulnerability exists in the Web Inter
CVE-2026-42364 (An os command injection vulnerability exists in the DdnsSetting.cgi fu ...)
NOT-FOR-US: GeoVision
CVE-2026-29200 (A critical IDOR vulnerability has been discovered in Comet Backup affe ...)
- TODO: check
+ NOT-FOR-US: Comet Backup
CVE-2026-29199 (phpBB before 3.3.16 is vulnerable to Host Header Injection that can le ...)
- TODO: check
+ NOT-FOR-US: phpBB
CVE-2026-20451 (In slbc, there is a possible out of bounds write due to type confusion ...)
NOT-FOR-US: MediaTek
CVE-2026-20450 (In Modem, there is a possible system crash due to incorrect error hand ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ecbf6ba26fe1367070a76328581101c2e11dc7a0