[Git][security-tracker-team/security-tracker][master] bugnums

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri May 8 15:45:05 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7742f061 by Moritz Muehlenhoff at 2026-05-08T16:44:28+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1374,7 +1374,7 @@ CVE-2026-33844 (Improper input validation in Azure Managed Instance for Apache C
 CVE-2026-33823 (Improper authorization in Microsoft Teams allows an authorized attacke ...)
 	NOT-FOR-US: Microsoft
 CVE-2026-33814 (When processing HTTP/2 SETTINGS frames, transport will enter an infini ...)
-	- golang-golang-x-net <unfixed>
+	- golang-golang-x-net <unfixed> (bug #1136030)
 	NOTE: https://go-review.googlesource.com/c/go/+/761581
 	NOTE: https://go-review.googlesource.com/c/net/+/761640
 	NOTE: https://github.com/golang/go/issues/78476
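Review bot: the first NOTE points at a change in the go repository itself (go/+/761581), not only in x/net, so if the standard library's bundled HTTP/2 code shares the SETTINGS-frame handling, the Go toolchain source packages are affected as well and need their own entries next to golang-golang-x-net; this hunk only files a bug against the x/net package.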
@@ -1836,7 +1836,7 @@ CVE-2026-41484 (OpenTelemetry.Exporter.OneCollector is a .NET exporter that send
 CVE-2026-41483 (OpenTelemetry.Resources.Azure is the .NET resource detector for Azure  ...)
 	NOT-FOR-US: OpenTelemetry.Resources.Azure
 CVE-2026-41417 (Netty allows request-line validation to be bypassed when a `DefaultHtt ...)
-	- netty <unfixed>
+	- netty <unfixed> (bug #1136023)
 	NOTE: https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv
 CVE-2026-41413 (Istio is an open platform to connect, manage, and secure microservices ...)
 	NOT-FOR-US: Istio
@@ -3751,7 +3751,7 @@ CVE-2026-44331 (In ProFTPD through 1.3.9a before 7666224, a SQL injection vulner
 CVE-2026-41950 (Dify before version 1.14.0 contains an authorization bypass vulnerabil ...)
 	NOT-FOR-US: Dify
 CVE-2026-40934 (Jupyter Server is the backend for Jupyter web applications. In version ...)
-	- jupyter-server <unfixed>
+	- jupyter-server <unfixed> (bug #1136022)
 	NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f
 CVE-2026-40331 (Masa CMS is an open source content management system. In versions 7.2. ...)
 	NOT-FOR-US: Masa CMS
@@ -3762,7 +3762,7 @@ CVE-2026-40329 (Masa CMS is an open source content management system. In version
 CVE-2026-40280 (Gotenberg is an API-based document conversion tool. In versions 8.30.1 ...)
 	NOT-FOR-US: Gotenberg
 CVE-2026-40110 (Jupyter Server is the backend for Jupyter web applications. In version ...)
-	- jupyter-server <unfixed>
+	- jupyter-server <unfixed> (bug #1136022)
 	NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p
 	NOTE: https://github.com/jupyter-server/jupyter_server/pull/603
 	NOTE: https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea (v2.18.0)
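Review bot: only this jupyter-server entry records the fixing commit and upstream version (commit 057869a..., v2.18.0); the other three entries filed under the same bug #1136022 (CVE-2026-40934, CVE-2026-35397, CVE-2025-61669) carry just the advisory link. Adding the fix reference or fixed version to each would make it checkable whether a single upload closes all four or one of them needs a separate fix.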
@@ -3784,7 +3784,7 @@ CVE-2026-35579 (CoreDNS is a DNS server written in Go. In versions prior to 1.14
 CVE-2026-35453 (PhpSpreadsheet is a library for reading and writing spreadsheet files. ...)
 	NOT-FOR-US: PhpSpreadsheet
 CVE-2026-35397 (Jupyter Server is the backend for Jupyter web applications. In version ...)
-	- jupyter-server <unfixed>
+	- jupyter-server <unfixed> (bug #1136022)
 	NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3
 CVE-2026-34596 (Sandboxie-Plus is an open source sandbox-based isolation software for  ...)
 	NOT-FOR-US: Sandboxie-Plus
@@ -4018,7 +4018,7 @@ CVE-2026-23479 (Redis is an in-memory data structure store. In redis-server from
 CVE-2025-66369 (An issue was discovered in MM in Samsung Mobile Processor, Wearable Pr ...)
 	NOT-FOR-US: Samsung
 CVE-2025-61669 (Jupyter Server is the backend for Jupyter web applications. In jupyter ...)
-	- jupyter-server <unfixed>
+	- jupyter-server <unfixed> (bug #1136022)
 	NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w
 CVE-2025-52206 (ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the sy ...)
 	NOT-FOR-US: ISPConfig
@@ -9410,13 +9410,13 @@ CVE-2025-59308 (In Mahara before 24.04.10 and 25 before 25.04.1, an institution
 CVE-2025-11762 (The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-40466 (Improper Input Validation, Improper Control of Generation of Code ('Co ...)
-	- activemq <unfixed>
+	- activemq <unfixed> (bug #1136024)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/04/23/4
 CVE-2026-41043 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Bas ...)
-	- activemq <unfixed>
+	- activemq <unfixed> (bug #1136024)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/04/23/5
 CVE-2026-41044 (Improper Input Validation, Improper Control of Generation of Code ('Co ...)
-	- activemq <unfixed>
+	- activemq <unfixed> (bug #1136024)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/04/23/6
 CVE-2026-6947 (DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Prote ...)
 	NOT-FOR-US: D-Link
@@ -13443,7 +13443,7 @@ CVE-2026-40259 (SiYuan is an open-source personal knowledge management system. I
 CVE-2026-40255 (AdonisJS HTTP Server is a package for handling HTTP requests in the Ad ...)
 	NOT-FOR-US: AdonisJS HTTP Server
 CVE-2026-40253 (openCryptoki is a PKCS#11 library and provides tooling for Linux and A ...)
-	- opencryptoki <unfixed>
+	- opencryptoki <unfixed> (bug #1136019)
 	[trixie] - opencryptoki <no-dsa> (Minor issue)
 	[bookworm] - opencryptoki <no-dsa> (Minor issue)
 	[bullseye] - opencryptoki <postponed> (Minor issue; can be fixed in next update)
@@ -16348,7 +16348,7 @@ CVE-2026-34481 (Apache Log4j's  JsonTemplateLayout https://logging.apache.org/lo
 	NOTE: Fixed by: https://github.com/apache/logging-log4j2/commit/2c4dd1db372c59ad73aca88e281635fe30072268 (rel/2.25.4)
 CVE-2026-34480 (Apache Log4j Core's  XmlLayout https://logging.apache.org/log4j/2.x/ma ...)
 	- apache-log4j2 <unfixed> (bug #1133847)
-	- apache-log4j1.2 <undetermined>
+	- apache-log4j1.2 <unfixed> (bug #1136032)
 	NOTE: https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
 	NOTE: https://logging.apache.org/security.html#CVE-2026-34480
 	NOTE: https://github.com/apache/logging-log4j2/pull/4077
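Review bot: reclassifying apache-log4j1.2 from &lt;undetermined&gt; to &lt;unfixed&gt; is not backed by any of the NOTE lines, which all reference Log4j 2 material (the lists.apache.org thread, the logging.apache.org advisory, PR 4077 in logging-log4j2); a NOTE stating why the 1.2 XmlLayout is considered affected, or pointing at the analysis in bug #1136032, would let the next reviewer verify the change.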
@@ -19058,7 +19058,7 @@ CVE-2026-39306 (PraisonAI is a multi-agent teams system. Prior to 1.5.113, Prais
 CVE-2026-39305 (PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action  ...)
 	NOT-FOR-US: PraisonAI
 CVE-2026-39304 (Denial of Service via Out of Memory vulnerability in Apache ActiveMQ C ...)
-	- activemq <unfixed>
+	- activemq <unfixed> (bug #1136024)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/04/09/17
 CVE-2026-35615 (PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_p ...)
 	NOT-FOR-US: PraisonAI
@@ -19190,7 +19190,7 @@ CVE-2026-34899 (Missing Authorization vulnerability in Eniture technology LTL Fr
 CVE-2026-34896 (Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Con ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-34197 (Improper Input Validation, Improper Control of Generation of Code ('Co ...)
-	- activemq <unfixed>
+	- activemq <unfixed> (bug #1136024)
 	NOTE: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
 CVE-2026-33866 (MLflow is vulnerable to an authorization bypass affecting the AJAX end ...)
 	NOT-FOR-US: mlflow
@@ -19203,7 +19203,7 @@ CVE-2026-33815 (Memory-safety vulnerability in github.com/jackc/pgx/v5.)
 	- golang-github-jackc-pgx-v5 5.9.2-1
 	NOTE: https://pkg.go.dev/vuln/GO-2026-4771
 CVE-2026-33227 (Improper validation and restriction of a classpath path name vulnerabi ...)
-	- activemq <unfixed>
+	- activemq <unfixed> (bug #1136024)
 	NOTE: https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt
 CVE-2026-32588 (Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows au ...)
 	- cassandra <itp> (bug #585905)
@@ -19522,7 +19522,7 @@ CVE-2026-35208 (lichess.org is the forever free, adless and open source chess se
 CVE-2026-35203 (ZLMediaKit is a streaming media service framework. the VP9 RTP payload ...)
 	NOT-FOR-US: ZLMediaKit
 CVE-2026-35201 (Discount is an implementation of John Gruber's Markdown markup languag ...)
-	- discount <unfixed>
+	- discount <unfixed> (bug #1136025)
 	[trixie] - discount <no-dsa> (Minor issue)
 	[bookworm] - discount <no-dsa> (Minor issue)
 	[bullseye] - discount <postponed> (Minor issue)
@@ -19765,13 +19765,13 @@ CVE-2026-34989 (CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a prod
 CVE-2026-34986 (Go JOSE provides an implementation of the Javascript Object Signing an ...)
 	- golang-github-go-jose-go-jose 4.1.4-1
 	[trixie] - golang-github-go-jose-go-jose <no-dsa> (Minor issue)
-	- golang-github-go-jose-go-jose.v3 <unfixed>
+	- golang-github-go-jose-go-jose.v3 <unfixed> (bug #1136026)
 	[trixie] - golang-github-go-jose-go-jose.v3 <no-dsa> (Minor issue)
-	- golang-gopkg-square-go-jose.v2 <unfixed>
+	- golang-gopkg-square-go-jose.v2 <unfixed> (bug #1136028)
 	[trixie] - golang-gopkg-square-go-jose.v2 <no-dsa> (Minor issue)
 	[bookworm] - golang-gopkg-square-go-jose.v2 <no-dsa> (Minor issue)
 	[bullseye] - golang-gopkg-square-go-jose.v2 <postponed> (Minor issue)
-	- golang-gopkg-square-go-jose.v1 <unfixed>
+	- golang-gopkg-square-go-jose.v1 <unfixed> (bug #1136027)
 	[trixie] - golang-gopkg-square-go-jose.v1 <no-dsa> (Minor issue)
 	[bookworm] - golang-gopkg-square-go-jose.v1 <no-dsa> (Minor issue)
 	[bullseye] - golang-gopkg-square-go-jose.v1 <postponed> (Minor issue)
@@ -23225,7 +23225,7 @@ CVE-2026-34042 (act is a project which allows for local running of github action
 CVE-2026-34041 (act is a project which allows for local running of github actions. Pri ...)
 	NOT-FOR-US: nektos act
 CVE-2026-34040 (Moby is an open source container framework. Prior to version 29.3.1, a ...)
-	- docker.io <unfixed>
+	- docker.io <unfixed> (bug #1136031)
 	[trixie] - docker.io <no-dsa> (Minor issue)
 	[bookworm] - docker.io <no-dsa> (Minor issue)
 	NOTE: https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2
@@ -23234,7 +23234,7 @@ CVE-2026-34040 (Moby is an open source container framework. Prior to version 29.
 CVE-2026-34036 (Dolibarr is an enterprise resource planning (ERP) and customer relatio ...)
 	- dolibarr <removed>
 CVE-2026-33997 (Moby is an open source container framework. Prior to version 29.3.1, a ...)
-	- docker.io <unfixed>
+	- docker.io <unfixed> (bug #1136031)
 	[trixie] - docker.io <no-dsa> (Minor issue)
 	[bookworm] - docker.io <no-dsa> (Minor issue)
 	NOTE: https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9
@@ -31175,7 +31175,7 @@ CVE-2026-3207 (Configuration issuein Java Management Extensions (JMX) in TIBCO B
 CVE-2026-32981 (A path traversal vulnerability was identified in Ray Dashboard (defaul ...)
 	NOT-FOR-US: Ray Dashboard
 CVE-2026-32837 (miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and 1d ...)
-	- miniaudio <unfixed>
+	- miniaudio <unfixed> (bug #1136029)
 	[trixie] - miniaudio <no-dsa> (Minor issue)
 	NOTE: https://github.com/mackron/miniaudio/issues/1101
 CVE-2026-32836 (dr_libsdr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, ...)
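Review bot: the CVE-2026-32837 description names the upstream fixing commits (1df46ae and a second commit cut off in the summary), but the only NOTE recorded is the issue link; adding the fix commit URLs as NOTE lines would give the maintainer a concrete patch reference for the unstable upload instead of having to rediscover them from the issue.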



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7742f061e049e9680513c3833538c61d885f2fb5




