[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri May 8 14:38:16 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f52820f5 by Moritz Muehlenhoff at 2026-05-08T15:36:36+02:00
bugnums
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -129,11 +129,11 @@ CVE-2026-8098 (A security vulnerability has been detected in code-projects Feedb
CVE-2026-8097 (A security flaw has been discovered in CodeAstro Online Classroom 1.0. ...)
NOT-FOR-US: CodeAstro
CVE-2026-8088 (A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The af ...)
- - gdal <unfixed>
+ - gdal <unfixed> (bug #1135997)
NOTE: https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)
NOTE: https://github.com/OSGeo/gdal/issues/14379
CVE-2026-8087 (A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. I ...)
- - gdal <unfixed>
+ - gdal <unfixed> (bug #1135997)
NOTE: https://github.com/OSGeo/gdal/issues/14363
NOTE: https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b (v3.13.0RC1)
CVE-2026-8069 (PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege E ...)
@@ -153,7 +153,7 @@ CVE-2026-6411 (This vulnerability, in the MAXHUB Pivot client application versio
CVE-2026-4935 (The OttoKit: All-in-One Automation Platform WordPress plugin before 1. ...)
NOT-FOR-US: WordPress plugin
CVE-2026-44916 (In OpenStack Ironic through 35.x, instance_info['ks_template'] is rend ...)
- - ironic <unfixed>
+ - ironic <unfixed> (bug #1136005)
NOTE: https://bugs.launchpad.net/ironic/+bug/2148307
NOTE: https://review.opendev.org/c/openstack/ironic/+/987514
CVE-2026-44365
@@ -231,13 +231,13 @@ CVE-2026-42239 (Budibase is an open-source low-code platform. Prior to version 3
NOT-FOR-US: Budibase
CVE-2026-42225 (PJSIP is a free and open source multimedia communication library writt ...)
- pjproject <removed>
- - asterisk <unfixed>
+ - asterisk <unfixed> (bug #1136007)
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-x2fv-6j6c-pxmx
NOTE: https://github.com/pjsip/pjproject/commit/ef684252bb62b0716675b6e99ad7fe4c90e28920 (2.17)
CVE-2026-42203 (LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or ...)
NOT-FOR-US: LiteLLM
CVE-2026-42150 (wlc is a Weblate command-line client using Weblate's REST API. Prior t ...)
- - wlc <unfixed>
+ - wlc <unfixed> (bug #1136000)
NOTE: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3
NOTE: https://github.com/WeblateOrg/wlc/pull/1327
NOTE: https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469 (2.0.0)
@@ -266,10 +266,10 @@ CVE-2026-41498 (Kimai is an open-source time tracking application. Prior to vers
CVE-2026-41105 (Server-side request forgery (ssrf) in Azure Notification Service allow ...)
NOT-FOR-US: Microsoft
CVE-2026-40214 (In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API d ...)
- - cyborg <unfixed>
+ - cyborg <unfixed> (bug #1136006)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/07/6
CVE-2026-40213 (OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the ...)
- - cyborg <unfixed>
+ - cyborg <unfixed> (bug #1136006)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/07/6
CVE-2026-3508 (An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS Syste ...)
NOT-FOR-US: ASUS
@@ -443,12 +443,12 @@ CVE-2026-8090 (Use-after-free in the DOM: Networking component. This vulnerabili
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-40/#CVE-2026-8090
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-41/#CVE-2026-8090
CVE-2026-8086 (A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This i ...)
- - gdal <unfixed>
+ - gdal <unfixed> (bug #1135997)
NOTE: https://github.com/OSGeo/gdal/issues/14356
NOTE: https://github.com/OSGeo/gdal/pull/14361
NOTE: https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 (v3.12.4RC1)
CVE-2026-8084 (A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This v ...)
- - gdal <unfixed>
+ - gdal <unfixed> (bug #1135997)
NOTE: https://github.com/OSGeo/gdal/issues/14378
NOTE: https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)
CVE-2026-8083 (A vulnerability was found in SourceCodester Pharmacy Sales and Invento ...)
@@ -486,7 +486,7 @@ CVE-2026-5786 (An Improper Access Control vulnerability in Ivanti EPMM before ve
CVE-2026-5784 (Improper neutralization of input during web page generation ('cross-si ...)
NOT-FOR-US: DivvyDrive
CVE-2026-44742 (Postorius through 1.3.13 does not escape HTML in the message subject w ...)
- - postorius <unfixed>
+ - postorius <unfixed> (bug #1136003)
NOTE: https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b
NOTE: https://gitlab.com/mailman/postorius/-/merge_requests/972
CVE-2026-44407 (A remote denial-of-service vulnerability exists in the ZTE Cloud PC cl ...)
@@ -733,12 +733,12 @@ CVE-2026-43576 (OpenClaw before 2026.4.5 contains a server-side request forgery
CVE-2026-43575 (OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication ...)
NOT-FOR-US: OpenClaw
CVE-2026-42217 (OpenEXR provides the specification and reference implementation of the ...)
- - openexr <unfixed>
+ - openexr <unfixed> (bug #1136001)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3c67-4wwp-w52m
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/2378
NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c
CVE-2026-42216 (OpenEXR provides the specification and reference implementation of the ...)
- - openexr <unfixed>
+ - openexr <unfixed> (bug #1136001)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4
CVE-2026-42194 (Admidio is an open-source user management solution. Prior to version 5 ...)
NOT-FOR-US: Admidio
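Review bot: CVE-2026-42216 in this hunk carries only the advisory reference (GHSA-65j8-95g9-jgj4) while the sibling CVE-2026-42217, tracked under the same bug #1136001, records the pull request and a `NOTE: Fixed by:` commit; consider adding the corresponding fix reference (or a note that none is available yet) for CVE-2026-42216 so that the shared `<unfixed>` entry can be resolved for both CVEs together when the fix is packaged.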
@@ -2850,7 +2850,7 @@ CVE-2026-7411 (In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-mileston
CVE-2026-6918 (In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote a ...)
NOT-FOR-US: Eclipse
CVE-2026-6322 (fast-uri normalize() decoded percent-encoded authority delimiters insi ...)
- - node-ajv <unfixed>
+ - node-ajv <unfixed> (bug #1135998)
NOTE: https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
NOTE: https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 (v3.1.2)
NOTE: Embedded fast-uri used and provided as node-fast-uri
@@ -3194,7 +3194,7 @@ CVE-2026-6499 (Incorrect Permission Assignment for Critical Resource vulnerabili
CVE-2026-6418 (An issue was discovered in the Shared Account Synchronization componen ...)
NOT-FOR-US: PaperCut
CVE-2026-6321 (fast-uri decoded percent-encoded path separators and dot segments befo ...)
- - node-ajv <unfixed>
+ - node-ajv <unfixed> (bug #1135998)
NOTE: https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6
NOTE: Fixed by: https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35 (v3.1.1)
NOTE: Embedded fast-uri used and provided as node-fast-uri
@@ -3308,12 +3308,12 @@ CVE-2026-42221 (Nginx UI is a web user interface for the Nginx web server. From
CVE-2026-42220 (Nginx UI is a web user interface for the Nginx web server. Prior to ve ...)
NOT-FOR-US: Nginx UI
CVE-2026-42154 (Prometheus is an open-source monitoring system and time series databas ...)
- - prometheus <unfixed>
+ - prometheus <unfixed> (bug #1135999)
NOTE: https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
NOTE: https://github.com/prometheus/prometheus/pull/18584
NOTE: https://github.com/prometheus/prometheus/pull/18585
CVE-2026-42151 (Prometheus is an open-source monitoring system and time series databas ...)
- - prometheus <unfixed>
+ - prometheus <unfixed> (bug #1135999)
NOTE: https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
NOTE: https://github.com/prometheus/prometheus/pull/18587
NOTE: https://github.com/prometheus/prometheus/pull/18590
@@ -3490,7 +3490,7 @@ CVE-2026-29169 (A NULL pointer dereference in mod_dav_lock in Apache HTTP Server
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-29169
NOTE: https://github.com/apache/httpd/commit/225dc070adba11040b774cf641e1d8bc79941643 (2.4.67-rc1-candidate)
CVE-2026-29004 (BusyBox before commit 42202bf contains a heap buffer overflow vulnerab ...)
- - busybox <unfixed>
+ - busybox <unfixed> (bug #1136012)
NOTE: https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a
NOTE: https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409
CVE-2026-26956 (vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 i ...)
@@ -4083,43 +4083,40 @@ CVE-2026-42778 (The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.
CVE-2026-42485 (AGL agl-service-can-low-level contains a stack buffer overflow in the ...)
NOT-FOR-US: AGL agl-service-can-low-level
CVE-2026-42484 (A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser ...)
- - hashcat <unfixed>
+ - hashcat <unfixed> (bug #1136004)
[trixie] - hashcat <no-dsa> (Minor issue)
[bookworm] - hashcat <no-dsa> (Minor issue)
[bullseye] - hashcat <postponed> (Minor issue; can be fixed in next update)
NOTE: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
- TODO: check upstream details
CVE-2026-42483 (A heap-based buffer overflow in the Kerberos hash parser in hashcat v7 ...)
- - hashcat <unfixed>
+ - hashcat <unfixed> (bug #1136004)
[trixie] - hashcat <no-dsa> (Minor issue)
[bookworm] - hashcat <no-dsa> (Minor issue)
[bullseye] - hashcat <postponed> (Minor issue; can be fixed in next update)
NOTE: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
- TODO: check upstream details
CVE-2026-42482 (A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_h ...)
- - hashcat <unfixed>
+ - hashcat <unfixed> (bug #1136004)
[trixie] - hashcat <no-dsa> (Minor issue)
[bookworm] - hashcat <no-dsa> (Minor issue)
[bullseye] - hashcat <postponed> (Minor issue; can be fixed in next update)
NOTE: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
- TODO: check upstream details
CVE-2026-42481 (Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabil ...)
- - opencascade <unfixed>
+ - opencascade <unfixed> (bug #1136008)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42480 (A stack-based out-of-bounds read vulnerability in VrmlData_Scene::Read ...)
- - opencascade <unfixed>
+ - opencascade <unfixed> (bug #1136008)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42479 (An out-of-bounds read vulnerability in VrmlData_IndexedLineSet::TShape ...)
- - opencascade <unfixed>
+ - opencascade <unfixed> (bug #1136008)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42478 (An issue was discovered in VrmlData_IndexedFaceSet::TShape in the VRML ...)
- - opencascade <unfixed>
+ - opencascade <unfixed> (bug #1136008)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42477 (A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in ...)
- - opencascade <unfixed>
+ - opencascade <unfixed> (bug #1136008)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42476 (Two heap-based out-of-bounds read vulnerabilities in the STL ASCII fil ...)
- - opencascade <unfixed>
+ - opencascade <unfixed> (bug #1136008)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42475 (SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via cr ...)
NOT-FOR-US: MixPHP Framework
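Review bot: the three `TODO: check upstream details` lines for CVE-2026-42484, CVE-2026-42483 and CVE-2026-42482 are removed without any upstream reference taking their place; the only NOTE on each entry remains the third-party gist https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f. If the upstream check was completed, consider recording its outcome (a hashcat issue or fixing commit, or a NOTE that no upstream fix exists yet) so the `<unfixed>` state and the `<no-dsa>`/`<postponed>` triage for trixie, bookworm and bullseye stay traceable; if it was not, the TODO should probably stay.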
@@ -6696,7 +6693,7 @@ CVE-2026-7191 (Improper use of the static-eval npm package in the open source so
CVE-2026-7183 (A vulnerability has been found in aligungr UERANSIM up to 3.2.7. The a ...)
NOT-FOR-US: aligungr UERANSIM
CVE-2026-7179 (A security vulnerability has been detected in OSPG binwalk up to 2.4.3 ...)
- - binwalk <unfixed>
+ - binwalk <unfixed> (bug #1136010)
NOTE: https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/binwalk_path_traversal.md
CVE-2026-7178 (A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1 ...)
NOT-FOR-US: ChatGPTNextWeb NextChat
@@ -7449,7 +7446,7 @@ CVE-2026-41477 (Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0
- deskflow <not-affected> (Only affect Deskflow on Windows)
NOTE: https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c
CVE-2026-41476 (Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a ...)
- - deskflow <unfixed>
+ - deskflow <unfixed> (bug #1136009)
[trixie] - deskflow <no-dsa> (Minor issue)
NOTE: https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh
CVE-2026-41475 (BACnet Stack is a BACnet open source protocol stack C library for embe ...)
@@ -9437,7 +9434,7 @@ CVE-2026-35349 (A vulnerability in the rm utility of uutils coreutils allows a b
NOTE: https://github.com/uutils/coreutils/pull/9706
NOTE: Fixed by: https://github.com/uutils/coreutils/commit/5e5968cdbc6618acd6c2402a8a98b503f278835e (0.7.0)
CVE-2026-35348 (The sort utility in uutils coreutils is vulnerable to a process panic ...)
- - rust-coreutils <unfixed>
+ - rust-coreutils <unfixed> (bug #1135996)
[trixie] - rust-coreutils <no-dsa> (Minor issue)
[bookworm] - rust-coreutils <no-dsa> (Minor issue)
NOTE: https://github.com/uutils/coreutils/issues/9696
@@ -9455,12 +9452,12 @@ CVE-2026-35346 (The comm utility in uutils coreutils silently corrupts data by p
NOTE: https://github.com/uutils/coreutils/pull/10206
NOTE: Fixed by: https://github.com/uutils/coreutils/commit/b9372e509ea9b278fe13763237067a261bb8c946 (0.6.0)
CVE-2026-35345 (A vulnerability in the tail utility of uutils coreutils allows for the ...)
- - rust-coreutils <unfixed>
+ - rust-coreutils <unfixed> (bug #1135994)
[trixie] - rust-coreutils <no-dsa> (Minor issue)
[bookworm] - rust-coreutils <no-dsa> (Minor issue)
NOTE: https://github.com/uutils/coreutils/issues/10328
CVE-2026-35344 (The dd utility in uutils coreutils suppresses errors during file trunc ...)
- - rust-coreutils <unfixed>
+ - rust-coreutils <unfixed> (bug #1135993)
[trixie] - rust-coreutils <no-dsa> (Minor issue)
[bookworm] - rust-coreutils <no-dsa> (Minor issue)
NOTE: https://github.com/uutils/coreutils/issues/9745
@@ -9477,7 +9474,7 @@ CVE-2026-35342 (The mktemp utility in uutils coreutils fails to properly handle
NOTE: https://github.com/uutils/coreutils/pull/10566
NOTE: Fixed by (merge): https://github.com/uutils/coreutils/commit/eb25ec328b226d8fbbaa4058bf9187165bf06d51 (0.6.0)
CVE-2026-35341 (A vulnerability in uutils coreutils mkfifo allows for the unauthorized ...)
- - rust-coreutils <unfixed>
+ - rust-coreutils <unfixed> (bug #1135992)
[trixie] - rust-coreutils <no-dsa> (Minor issue)
[bookworm] - rust-coreutils <no-dsa> (Minor issue)
NOTE: https://github.com/uutils/coreutils/issues/10020
@@ -27513,7 +27510,7 @@ CVE-2026-4539 (A security flaw has been discovered in pygments up to 2.19.2. The
NOTE: https://github.com/pygments/pygments/pull/3064
NOTE: Fixed by: https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc (2.20.0)
CVE-2026-4538 (A vulnerability was identified in PyTorch 2.10.0. The affected element ...)
- - pytorch <unfixed>
+ - pytorch <unfixed> (bug #1136002)
[trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
@@ -54967,7 +54964,7 @@ CVE-2025-24090 (A permissions issue was addressed with additional restrictions.
CVE-2025-24089 (A permissions issue was addressed with additional restrictions. This i ...)
NOT-FOR-US: Apple
CVE-2025-15104 (Nu Html Checker (validator.nu) contains a restriction bypass that allo ...)
- - vnu <unfixed>
+ - vnu <unfixed> (bug #1136011)
NOTE: https://github.com/validator/validator/issues/2033
NOTE: https://github.com/validator/validator/commit/b95c4190258db2769cff67cc09d323432bd7a99e (26.4.16)
CVE-2025-15032 (Missing about:blank indicator in custom-sized new windows in Dia befor ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f52820f597a37757784bd553b0bb3f5dd8ee8994