[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri May 8 09:32:33 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9c2afed2 by Moritz Muehlenhoff at 2026-05-08T10:31:39+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -168,17 +168,17 @@ CVE-2026-42501 (A malicious module proxy can exploit a flaw in the go command's
 CVE-2026-42499 (Pathological inputs could cause DoS through consumePhrase when parsing ...)
 	TODO: check
 CVE-2026-42449 (n8n-MCP is an MCP server that provides AI assistants access to n8n nod ...)
-	TODO: check
+	NOT-FOR-US: n8n-MCP
 CVE-2026-42279 (solidtime is an open-source time-tracking app. In version 0.12.0, the  ...)
-	TODO: check
+	NOT-FOR-US: solidtime
 CVE-2026-42278 (UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6e ...)
-	TODO: check
+	NOT-FOR-US: UltraDAG
 CVE-2026-42277 (Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, an ...)
 	NOT-FOR-US: Onyx
 CVE-2026-42276 (Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, an ...)
 	NOT-FOR-US: Onyx
 CVE-2026-42275 (zrok is software for sharing web services, files, and network resource ...)
-	TODO: check
+	NOT-FOR-US: zrok
 CVE-2026-42274 (Heimdall is a cloud native Identity Aware Proxy and Access Control Dec ...)
 	NOT-FOR-US: Heimdall
 CVE-2026-42273 (Heimdall is a cloud native Identity Aware Proxy and Access Control Dec ...)
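Review bot: the four new NOT-FOR-US tags in this hunk (n8n-MCP, solidtime, UltraDAG, zrok) are each worth a quick check against the archive and wnpp before they stick. NOT-FOR-US removes the CVE from further triage, so an entry for software with an open ITP should be recorded as "- <package> <itp> (bug #NNNNNN)" instead. The tag spelling itself matches the neighbouring Onyx and Heimdall entries.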
@@ -194,11 +194,11 @@ CVE-2026-42264 (Axios is a promise based HTTP client for the browser and Node.js
 CVE-2026-42261 (PromptHub is an all-in-one AI toolbox for prompt, skill, and agent man ...)
 	NOT-FOR-US: PromptHub
 CVE-2026-42259 (Saltcorn is an extensible, open source, no-code database application b ...)
-	TODO: check
+	NOT-FOR-US: Saltcorn
 CVE-2026-42241 (ParquetSharp is a .NET library for reading and writing Apache Parquet  ...)
-	TODO: check
+	NOT-FOR-US: ParquetSharp
 CVE-2026-42239 (Budibase is an open-source low-code platform. Prior to version 3.35.10 ...)
-	TODO: check
+	NOT-FOR-US: Budibase
 CVE-2026-42225 (PJSIP is a free and open source multimedia communication library writt ...)
 	TODO: check
 CVE-2026-42203 (LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or  ...)
@@ -214,9 +214,9 @@ CVE-2026-41928 (Vvveb before 1.0.8.2 contains an information disclosure vulnerab
 CVE-2026-41900 (OpenLearnX is an open-source, decentralized learning and assessment pl ...)
 	NOT-FOR-US: OpenLearnX
 CVE-2026-41692 (i18nextify is a JavaScript library that adds website internationalizat ...)
-	TODO: check
+	NOT-FOR-US: Node i18nextify
 CVE-2026-41691 (Copilot said: i18nextify is a JavaScript library that adds i18nextify  ...)
-	TODO: check
+	NOT-FOR-US: Node i18nextify
 CVE-2026-41646 (Nuclei is a vulnerability scanner built on a simple YAML-based DSL. Fr ...)
 	NOT-FOR-US: Nuclei
 CVE-2026-41645 (Nuclei is a vulnerability scanner built on a simple YAML-based DSL. Fr ...)
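Review bot: "NOT-FOR-US: Node i18nextify" on CVE-2026-41692 and CVE-2026-41691 is the only tag in this commit with an ecosystem prefix; both descriptions call i18nextify a JavaScript library for website internationalization. Keep the "Node" prefix only if that is the form already used for JavaScript modules elsewhere in data/CVE/list, so a grep finds all of them. Separately, the description of CVE-2026-41691 starts with "Copilot said:", which looks like pasted assistant output in the CVE record itself. That is context here and not something to fix in this hunk, but it is a reason to read the full upstream record rather than rely on the truncated text when confirming the two IDs are not duplicates.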
@@ -284,11 +284,11 @@ CVE-2025-69599 (RayVentory Scan Engine through 12.6 Update 8 allows attackers to
 CVE-2025-67888 (An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209.  ...)
 	TODO: check
 CVE-2025-67887 (1C-Bitrix through 25.100.500 allows Remote Code Execution because an a ...)
-	TODO: check
+	NOT-FOR-US: 1C-Bitrix
 CVE-2025-67886 (Bitrix24 through 25.100.300 allows Remote Code Execution because an ac ...)
-	TODO: check
+	NOT-FOR-US: Bitrix24
 CVE-2025-55449 (AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_B ...)
-	TODO: check
+	NOT-FOR-US: AstrBotDevs AstrBot
 CVE-2024-53326 (LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserializa ...)
 	TODO: check
 CVE-2024-51092 (LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary  ...)
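Review bot: CVE-2025-67887 and CVE-2025-67886 get two different tags, "1C-Bitrix" and "Bitrix24", although the visible descriptions are the same finding ("allows Remote Code Execution because an a...") against sibling products with different version bounds. If earlier Bitrix entries in the list already use one spelling, reuse it for both or keep the two deliberately distinct; either way a later search for one tag will miss the other. "NOT-FOR-US: AstrBotDevs AstrBot" follows the vendor-plus-product wording of the description and reads fine.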
@@ -312,15 +312,15 @@ CVE-2024-27686 (Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allo
 CVE-2023-47268 (In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6. ...)
 	TODO: check
 CVE-2023-46453 (Certain GL.iNet devices with 4.x firmware allow authentication bypass  ...)
-	TODO: check
+	NOT-FOR-US: GL.iNet devices
 CVE-2023-42346 (Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an  ...)
-	TODO: check
+	NOT-FOR-US: Alkacon OpenCms
 CVE-2023-42345 (A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exis ...)
-	TODO: check
+	NOT-FOR-US: Alkacon OpenCms
 CVE-2023-42344 (Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers  ...)
-	TODO: check
+	NOT-FOR-US: Alkacon OpenCms
 CVE-2023-42343 (A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1  ...)
-	TODO: check
+	NOT-FOR-US: Alkacon OpenCms
 CVE-2026-8094 (Other issue in the WebRTC component. This vulnerability was fixed in F ...)
 	- firefox-esr 140.10.2esr-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-41/#CVE-2026-8094
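Review bot: "NOT-FOR-US: GL.iNet devices" on CVE-2023-46453 copies the generic noun from the description ("Certain GL.iNet devices with 4.x firmware") where every other tag in this commit is a product name. A plain "GL.iNet" would be easier to match, unless "GL.iNet devices" is the form already used for earlier entries. The four Alkacon OpenCms entries are tagged identically, which is what is wanted.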



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c2afed268cd406b6a821af5a903f85be40d3e8c
