[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat May 9 08:13:18 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5ec44e57 by security tracker role at 2026-05-09T07:13:12+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,169 @@
+CVE-2026-8209 (Gibbon versions before v30.0.01 are affected by a path traversal vulne ...)
+	TODO: check
+CVE-2026-8208 (Gibbon versions before v30.0.01 are affected by a local file inclusion ...)
+	TODO: check
+CVE-2026-8207 (Gibbon versions beforev30.0.01 are affected by an authenticated SQL In ...)
+	TODO: check
+CVE-2026-7807 (SmarterTools SmarterMail builds prior to 9560 contain a local file inc ...)
+	TODO: check
+CVE-2026-7652 (The LatePoint plugin for WordPress is vulnerable to Account Takeover v ...)
+	TODO: check
+CVE-2026-6667 (PgBouncer before 1.25.2 did not perform an appropriate authorization c ...)
+	TODO: check
+CVE-2026-6666 (A possible null pointer reference in PgBouncer before 1.25.2 could lea ...)
+	TODO: check
+CVE-2026-6665 (The SCRAM code in PgBouncer before 1.25.2 did not check the return val ...)
+	TODO: check
+CVE-2026-6664 (An integer overflow in network packet parsing code in PgBouncer before ...)
+	TODO: check
+CVE-2026-45130 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
+	TODO: check
+CVE-2026-44987 (SysReptor is a fully customizable pentest reporting platform. Prior to ...)
+	TODO: check
+CVE-2026-44694 (n8n-MCP is an MCP server that provides AI assistants access to n8n nod ...)
+	TODO: check
+CVE-2026-44656 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
+	TODO: check
+CVE-2026-44400 (MailEnable Enterprise Premium 10.55 and earlier contains an improper a ...)
+	TODO: check
+CVE-2026-44313 (Linkwarden is a self-hosted, open-source collaborative bookmark manage ...)
+	TODO: check
+CVE-2026-44286 (FastGPT is an AI Agent building platform. Prior to version 4.14.17, an ...)
+	TODO: check
+CVE-2026-44284 (FastGPT is an AI Agent building platform. Prior to version 4.14.17, Fa ...)
+	TODO: check
+CVE-2026-42560 (auth provides authentication via oauth2, direct and email. From versio ...)
+	TODO: check
+CVE-2026-42556 (Postiz is an AI social media scheduling tool. From version 2.21.6 to b ...)
+	TODO: check
+CVE-2026-42461 (Arcane is an interface for managing Docker containers, images, network ...)
+	TODO: check
+CVE-2026-42456 (AnythingLLM is an application that turns pieces of content into contex ...)
+	TODO: check
+CVE-2026-42455 (Linkwarden is a self-hosted, open-source collaborative bookmark manage ...)
+	TODO: check
+CVE-2026-42454 (Termix is a web-based server management platform with SSH terminal, tu ...)
+	TODO: check
+CVE-2026-42453 (Termix is a web-based server management platform with SSH terminal, tu ...)
+	TODO: check
+CVE-2026-42452 (Termix is a web-based server management platform with SSH terminal, tu ...)
+	TODO: check
+CVE-2026-42451 (Grimmory is a self-hosted digital library. Prior to version 2.3.1, a s ...)
+	TODO: check
+CVE-2026-42354 (Sentry is an error tracking and performance monitoring tool. From vers ...)
+	TODO: check
+CVE-2026-42352 (pygeoapi is a Python server implementation of the OGC API suite of sta ...)
+	TODO: check
+CVE-2026-42351 (pygeoapi is a Python server implementation of the OGC API suite of sta ...)
+	TODO: check
+CVE-2026-42350 (Kargo manages and automates the promotion of software artifacts. Prior ...)
+	TODO: check
+CVE-2026-42346 (Postiz is an AI social media scheduling tool. From version 2.16.6 to b ...)
+	TODO: check
+CVE-2026-42345 (FastGPT is an AI Agent building platform. In versions 4.14.11 and prio ...)
+	TODO: check
+CVE-2026-42344 (FastGPT is an AI Agent building platform. In versions 4.14.11 and prio ...)
+	TODO: check
+CVE-2026-42343 (FastGPT is an AI Agent building platform. In versions 4.14.13 and prio ...)
+	TODO: check
+CVE-2026-42339 (New API is a large language mode (LLM) gateway and artificial intellig ...)
+	TODO: check
+CVE-2026-42311 (Pillow is a Python imaging library. From version 10.3.0 to before vers ...)
+	TODO: check
+CVE-2026-42310 (Pillow is a Python imaging library. From version 4.2.0 to before versi ...)
+	TODO: check
+CVE-2026-42309 (Pillow is a Python imaging library. From version 11.2.1 to before vers ...)
+	TODO: check
+CVE-2026-42308 (Pillow is a Python imaging library. Prior to version 12.2.0, if a font ...)
+	TODO: check
+CVE-2026-42307 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
+	TODO: check
+CVE-2026-42302 (FastGPT is an AI Agent building platform. From version 4.14.10 to befo ...)
+	TODO: check
+CVE-2026-42301 (pyp2spec generates working Fedora RPM spec file for Python projects. P ...)
+	TODO: check
+CVE-2026-42298 (Postiz is an AI social media scheduling tool. Prior to commit da44801, ...)
+	TODO: check
+CVE-2026-42297 (Argo Workflows is an open source container-native workflow engine for  ...)
+	TODO: check
+CVE-2026-42296 (Argo Workflows is an open source container-native workflow engine for  ...)
+	TODO: check
+CVE-2026-42295 (Argo Workflows is an open source container-native workflow engine for  ...)
+	TODO: check
+CVE-2026-42294 (Argo Workflows is an open source container-native workflow engine for  ...)
+	TODO: check
+CVE-2026-42291 (SysReptor is a fully customizable pentest reporting platform. From ver ...)
+	TODO: check
+CVE-2026-42287 (Emlog is an open source website building system. Prior to version 2.6. ...)
+	TODO: check
+CVE-2026-42286 (Emlog is an open source website building system. Prior to version 2.6. ...)
+	TODO: check
+CVE-2026-42282 (n8n-MCP is an MCP server that provides AI assistants access to n8n nod ...)
+	TODO: check
+CVE-2026-42224 (ipl/web is a set of common web components for php projects. Prior to v ...)
+	TODO: check
+CVE-2026-42213 (SolidCAM-GPPL-IDE is an unofficial, independently developed extension, ...)
+	TODO: check
+CVE-2026-42212 (SolidCAM-GPPL-IDE is an unofficial, independently developed extension, ...)
+	TODO: check
+CVE-2026-42209 (FlashMQ is a MQTT broker/server, designed for multi-CPU environments.  ...)
+	TODO: check
+CVE-2026-42206 (Roadiz is a polymorphic content management system based on a node syst ...)
+	TODO: check
+CVE-2026-42205 (Avo is a framework to create admin panels for Ruby on Rails apps. Prio ...)
+	TODO: check
+CVE-2026-42202 (nova-toggle-5 enables fliping booleans in the index. Prior to version  ...)
+	TODO: check
+CVE-2026-42199 (Grid is a data structure grid for rust. From version 0.17.0 to before  ...)
+	TODO: check
+CVE-2026-42195 (draw.io is a configurable diagramming and whiteboarding application. P ...)
+	TODO: check
+CVE-2026-42193 (Plunk is an open-source email platform built on top of AWS SES. Prior  ...)
+	TODO: check
+CVE-2026-42192 (Plunk is an open-source email platform built on top of AWS SES. Prior  ...)
+	TODO: check
+CVE-2026-42190 (RedwoodSDK is a server-first React framework. From version 1.0.0-beta. ...)
+	TODO: check
+CVE-2026-42189 (Russh is a Rust SSH client & server library. Prior to version 0.60.1,  ...)
+	TODO: check
+CVE-2026-42185 (People is an application to handle users and teams, and distribute per ...)
+	TODO: check
+CVE-2026-42183 (Argo Workflows is an open source container-native workflow engine for  ...)
+	TODO: check
+CVE-2026-42181 (Lemmy is a link aggregator and forum for the fediverse. Prior to versi ...)
+	TODO: check
+CVE-2026-42180 (Lemmy is a link aggregator and forum for the fediverse. Prior to versi ...)
+	TODO: check
+CVE-2026-42176 (Scoold is a Q&A and a knowledge sharing platform for teams. Prior to v ...)
+	TODO: check
+CVE-2026-42174 (Kirby is an open-source content management system. Prior to versions 4 ...)
+	TODO: check
+CVE-2026-42160 (Data Space Portal is an open-source Software as a Service (SaaS) solut ...)
+	TODO: check
+CVE-2026-42137 (Kirby is an open-source content management system. Prior to versions 4 ...)
+	TODO: check
+CVE-2026-42069 (Kirby is an open-source content management system. Prior to versions 4 ...)
+	TODO: check
+CVE-2026-42051 (Kirby is an open-source content management system. Prior to versions 4 ...)
+	TODO: check
+CVE-2026-41705 (Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnera ...)
+	TODO: check
+CVE-2026-41520 (Cilium is a networking, observability, and security solution with an e ...)
+	TODO: check
+CVE-2026-41517 (Emlog is an open source website building system. Prior to version 2.6. ...)
+	TODO: check
+CVE-2026-41495 (n8n-MCP is an MCP server that provides AI assistants access to n8n nod ...)
+	TODO: check
+CVE-2026-41486 (Ray is an AI compute engine. From version 2.54.0 to before version 2.5 ...)
+	TODO: check
+CVE-2026-41432 (New API is a large language mode (LLM) gateway and artificial intellig ...)
+	TODO: check
+CVE-2026-41311 (LiquidJS is a Shopify / GitHub Pages compatible template engine in pur ...)
+	TODO: check
+CVE-2025-15634 (A missing authorization vulnerability in HCL BigFix WebUI allows an au ...)
+	TODO: check
+CVE-2025-15633 (An improper authorization vulnerability in HCL BigFix WebUI allows an  ...)
+	TODO: check
 CVE-2026-XXXX [Fix security vulnerabilities and code quality issues in 9.8]
 	- calibre 9.8.0+ds+~0.10.5-1 (bug #1135543)
 	NOTE: https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166
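Review bot: the four Pillow ids (CVE-2026-42308 through CVE-2026-42311) each name a different affected range ("Prior to version 12.2.0", "From version 10.3.0", "From version 4.2.0", "From version 11.2.1"), so when these TODO: check lines are resolved each needs its own per-suite affected/fixed determination rather than one shared triage line; likewise the three Vim ids (CVE-2026-42307, CVE-2026-44656, CVE-2026-45130) all truncate at "Prior to version 9.2." and the patch level has to be read from the full advisory before a fixed version is recorded. The missing space in "beforev30.0.01" for CVE-2026-8207 is the upstream description as pulled in by the automatic update; leave it as is, since a hand edit would be overwritten by the next sync.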
@@ -8362,7 +8528,7 @@ CVE-2026-7040 (Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a
 	NOT-FOR-US: Text::Minify::XS Perl module
 CVE-2026-25710
 	NOT-FOR-US: plasma-login-manager
-CVE-2026-41682
+CVE-2026-41682 (pupnp is an SDK for development of UPnP device and control point appli ...)
 	- pupnp 1:1.14.31-1
 	[trixie] - pupnp <no-dsa> (Minor issue)
 	NOTE: https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58
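Review bot: the entry now carries a [trixie] line but still no [bookworm] line, so with the description filled in it is worth completing the suite coverage with a [bookworm] - pupnp entry (either <no-dsa> (Minor issue) to match trixie, or <not-affected> if the GHSA shows the code is absent there). Replacing the bare id with the feed description is otherwise purely cosmetic; the fixed version 1:1.14.31-1 and the advisory reference are unchanged.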
@@ -10117,7 +10283,7 @@ CVE-2026-22020 [updated libpng in Oracle Java]
 	- openjdk-17 <not-affected> (Specific to Oracle binary distribution, Debian uses system libpng)
 	- openjdk-21 <not-affected> (Specific to Oracle binary distribution, Debian uses system libpng)
 	- openjdk-25 <not-affected> (Specific to Oracle binary distribution, Debian uses system libpng)
-CVE-2026-41163 [Privilege escalation if setuid root, via ptrace]
+CVE-2026-41163 (bubblewrap is a low-level unprivileged sandboxing tool. From version 0 ...)
 	- bubblewrap 0.11.2-1 (bug #1134704)
 	[trixie] - bubblewrap <no-dsa> (Minor issue)
 	[bookworm] - bubblewrap <not-affected> (Vulnerable code not present)
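Review bot: the hand-written summary "[Privilege escalation if setuid root, via ptrace]" is dropped in favour of the generic truncated feed text, which loses the one detail that explained the <no-dsa> (Minor issue) rating for trixie; consider keeping that condition in a NOTE: line so the rationale survives the automatic rewrite. The new description starts "From version 0 ...", so the [bookworm] <not-affected> (Vulnerable code not present) claim should be rechecked against the full introducing-version text, since the tracker state (0.11.2-1, bug #1134704, suite tags) was otherwise left untouched.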
@@ -174987,7 +175153,7 @@ CVE-2024-12315 (The Export All Posts, Products, Orders, Refunds & Users plugin f
 	NOT-FOR-US: WordPress plugin
 CVE-2024-12296 (The Apus Framework plugin for WordPress is vulnerable to unauthorized  ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2024-12251 (In Progress\xae Telerik\xae UI for WinUI versions prior to 2025 Q1 (3. ...)
+CVE-2024-12251 (In Progress Telerik UI for WinUI versions prior to 2025 Q1 (3.0.0), a  ...)
 	NOT-FOR-US: Progress Telerik
 CVE-2024-12213 (The WP Job Board Pro plugin for WordPress is vulnerable to privilege e ...)
 	NOT-FOR-US: WordPress plugin
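Review bot: the "\xae" sequences in the removed line are the Latin-1 byte for the registered-trademark sign (U+00AE) that leaked into the summary, so this is a mojibake fix rather than a content change; dropping the marks is the right choice for a width-truncated description, and it is also why the visible tail now reaches "(3.0.0), a" where the old line stopped at "(3.". The NOT-FOR-US: Progress Telerik classification is unaffected.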



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ec44e577e002fc7460bbb86ea33ad0ed314054e


