[Git][security-tracker-team/security-tracker][master] automatic NOT-FOR-US entries update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon May 11 20:14:22 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
15ddebd3 by security tracker role at 2026-05-11T19:14:17+00:00
automatic NOT-FOR-US entries update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,7 @@
CVE-2026-8318 (A security flaw has been discovered in VectifyAI PageIndex up to f50e5 ...)
TODO: check
CVE-2026-8305 (A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-8292 (A security vulnerability has been detected in Open5GS up to 2.7.7. The ...)
TODO: check
CVE-2026-8291 (A weakness has been identified in Open5GS up to 2.7.7. Impacted is the ...)
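Review bot: the reason for CVE-2026-8305 reuses the product name exactly as the description spells it ("OpenClaw"), which is the right convention for these entries. The neighbouring PageIndex (CVE-2026-8318) and Open5GS (CVE-2026-8292, CVE-2026-8291) entries stay at TODO: check, so the automatic pass is only touching products on its fixed list; those three still need manual triage.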
@@ -31,7 +31,7 @@ CVE-2026-7813 (Authorization vulnerability in pgAdmin 4 server mode affecting Se
CVE-2026-7790 (Uncontrolled Resource Consumption vulnerability in ninenines cowlib (c ...)
TODO: check
CVE-2026-7308 (An authenticated user with upload permission to a hosted repository ca ...)
- TODO: check
+ NOT-FOR-US: Sonatype
CVE-2026-7210 (`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entro ...)
TODO: check
CVE-2026-6956 (ATutor is vulnerable to Reflected XSS in/install/install.php endpoint. ...)
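Review bot: for CVE-2026-7308 the reason "Sonatype" names the vendor, while the visible description only says "a hosted repository" and never names the product, so the mapping cannot be checked against this file alone; if the advisory names the product, record it in the reason alongside the vendor, as the other entries in this update do with OpenClaw and WeGIA. CVE-2026-7210 (xml.parsers.expat / xml.etree.ElementTree, i.e. Python's standard library) correctly remains TODO: check and must not be caught by any vendor rule; it needs manual triage against the python3 packages.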
@@ -51,37 +51,37 @@ CVE-2026-45223 (Crabbox before 0.9.0 contains an authentication bypass vulnerabi
CVE-2026-45222 (Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates th ...)
TODO: check
CVE-2026-45006 (OpenClaw before 2026.4.23 contains an improper access control vulnerab ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45005 (OpenClaw before 2026.4.23 caches resolved webhook route secrets backed ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45004 (OpenClaw before 2026.4.23 contains an arbitrary code execution vulnera ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45003 (OpenClaw before 2026.4.22 allows workspace dotenv files to override co ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45002 (OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerabi ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45001 (OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-45000 (OpenClaw before 2026.4.20 contains a server-side request forgery vulne ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44999 (OpenClaw before 2026.4.20 fails to properly preserve untrusted labels ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44998 (OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44997 (OpenClaw before 2026.4.22 contains a security envelope constraint bypa ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44996 (OpenClaw before 2026.4.15 contains an arbitrary local file read vulner ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44995 (OpenClaw before 2026.4.20 contains an improper environment variable va ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44994 (OpenClaw before 2026.4.22 contains an authentication bypass vulnerabil ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44993 (OpenClaw before 2026.4.20 contains a message classification vulnerabil ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44992 (OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment var ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44991 (OpenClaw before 2026.4.21 contains an authorization bypass vulnerabili ...)
- TODO: check
+ NOT-FOR-US: OpenClaw
CVE-2026-44777 (jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordi ...)
TODO: check
CVE-2026-44738 (Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandb ...)
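Review bot: the sixteen OpenClaw entries (CVE-2026-45006 down to CVE-2026-44991) all receive the same reason string, consistent with CVE-2026-8305 in the first hunk; CVE-2026-44992 is the only one whose range has a lower bound ("versions 2026.4.5 before 2026.4.20"), which does not affect a NOT-FOR-US decision. The jq entry CVE-2026-44777 and the Grav entry CVE-2026-44738 stay at TODO: check, which is correct; jq is a Debian package and has a second open entry further down in this file (CVE-2026-40612), so both should be triaged together rather than left behind an automated pass.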
@@ -95,7 +95,7 @@ CVE-2026-44658 (Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs
CVE-2026-44643 (Angular Expressions provides expressions for the Angular.JS web framew ...)
TODO: check
CVE-2026-44413 (In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users coul ...)
- TODO: check
+ NOT-FOR-US: JetBrains
CVE-2026-44226 (pyLoad is a free and open-source download manager written in Python. P ...)
TODO: check
CVE-2026-44201 (Wagtail is an open source content management system built on Django. P ...)
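Review bot: CVE-2026-44413 is marked "NOT-FOR-US: JetBrains" although the description names the product, "JetBrains TeamCity"; the product-level form ("NOT-FOR-US: JetBrains TeamCity") is easier to search for later and matches how OpenClaw and WeGIA are recorded in this same update. Style point only. pyLoad (CVE-2026-44226) and Wagtail (CVE-2026-44201) correctly remain TODO: check.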
@@ -129,7 +129,7 @@ CVE-2026-43639 (Bitwarden Server prior to v2026.4.0 contains a missing authoriza
CVE-2026-43638 (Bitwarden Server prior to v2026.4.1 contains a missing authorization v ...)
TODO: check
CVE-2026-42871 (WeGIA is a web manager for charitable institutions. In versions prior ...)
- TODO: check
+ NOT-FOR-US: WeGIA
CVE-2026-42866 (Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix ...)
TODO: check
CVE-2026-42865 (Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the ...)
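Review bot: CVE-2026-42871 takes its reason from the product name in the description ("WeGIA"), which is consistent with the rest of the update. Tookie (CVE-2026-42866) and Inbox Zero (CVE-2026-42865) are left at TODO: check; whether they should be added to the automatic list is a manual decision, since nothing in this diff shows their packaging status.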
@@ -195,7 +195,7 @@ CVE-2026-41250 (Taiga is a project management platform for startups and agile de
CVE-2026-41018 (The Elasticsearch logging provider, when configured with a `host` URL ...)
TODO: check
CVE-2026-40636 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2026-40612 (jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains ...)
TODO: check
CVE-2026-3609 (Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vu ...)
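Review bot: the reason for CVE-2026-40636 is "Dell / EMC" while the description names "Dell ECS" and "Dell ObjectScale"; the same composite label is used for every Dell entry in this update, so it is evidently a fixed vendor mapping, but the product names would make the entry easier to correlate with the advisory. CVE-2026-41018 (Elasticsearch logging provider) and CVE-2026-40612 (jq, a Debian package) stay at TODO: check, which is correct.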
@@ -205,7 +205,7 @@ CVE-2026-3320 (Reflected Cross-Site Scripting (XSS) in the latest demo version o
CVE-2026-3319 (Reflected Cross-Site Scripting (XSS) in the latest demo version of the ...)
TODO: check
CVE-2026-3048 (An authenticated administrator who configures or tests LDAP connectivi ...)
- TODO: check
+ NOT-FOR-US: Sonatype
CVE-2026-38569 (HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate ...)
TODO: check
CVE-2026-38568 (HireFlow v1.2 is vulnerable to Incorrect Access Control. The applicati ...)
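Review bot: CVE-2026-3048 gets "NOT-FOR-US: Sonatype" like CVE-2026-7308 earlier, and again the visible description (an administrator configuring or testing LDAP connectivity) does not name the product, so the attribution comes from the CNA and cannot be verified from this file; record the product in the reason if the advisory names it. The HireFlow entries (CVE-2026-38569, CVE-2026-38568) remain TODO: check.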
@@ -215,13 +215,13 @@ CVE-2026-38567 (HireFlow v1.2 is vulnerable to SQL injection in the /login and /
CVE-2026-38566 (HireFlow v1.2 does not implement CSRF token validation on any state-ch ...)
TODO: check
CVE-2026-36983 (D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the fun ...)
- TODO: check
+ NOT-FOR-US: D-Link
CVE-2026-36962 (SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated a ...)
TODO: check
CVE-2026-36906 (Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remo ...)
TODO: check
CVE-2026-35157 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2026-33362 (In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arent ...)
TODO: check
CVE-2026-33361 (In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudE ...)
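Review bot: CVE-2026-36983 is marked "NOT-FOR-US: D-Link" (vendor only) although the description names the device, "D-Link DCS-932L"; for embedded-firmware advisories the model is what distinguishes otherwise similar CVEs, so including it in the reason is worth considering. CVE-2026-35157 repeats the Dell ECS/ObjectScale description seen at CVE-2026-40636 and gets the same "Dell / EMC" reason, which is consistent. MuuCMF (CVE-2026-36962) and iotgateway (CVE-2026-36906) stay at TODO: check.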
@@ -233,7 +233,7 @@ CVE-2026-33357 (In Meari client applications embedding "com.meari.sdk" (includin
CVE-2026-33356 (In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authe ...)
TODO: check
CVE-2026-32658 (Dell Automation Platform versions prior to 2.0.0.0, contains a missing ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2026-31254 (The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e ...)
TODO: check
CVE-2026-31253 (The flash-attention training framework thru commit e724e2588cbe754beb9 ...)
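Review bot: CVE-2026-32658 concerns "Dell Automation Platform" but is labelled "Dell / EMC", the same string used for the ECS/ObjectScale entries; if the rule keys on the vendor prefix the label is acceptable, but the "/ EMC" part does not describe this product and a plain "Dell" or the product name would be more accurate. The flash-attention entries (CVE-2026-31254, CVE-2026-31253) remain TODO: check.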
@@ -255,15 +255,15 @@ CVE-2026-31246 (GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (
CVE-2026-30635 (Command injection vulnerability in automagik-genie 2.5.27 MCP Server a ...)
TODO: check
CVE-2026-2393 (A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow ve ...)
- TODO: check
+ NOT-FOR-US: mlflow
CVE-2026-26946 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2025-9973 (Due to not validating the organization context when executing adaptive ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-8325 (The software fails to enforce role-based access controls for certain G ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-8154 (In Webhook API invocations, the component accepts user-supplied input ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-65418 (docuFORM Managed Print Service Client 11.11c is vulnerable to a direct ...)
TODO: check
CVE-2025-65417 (docuFORM Managed Print Service Client 11.11c is vulnerable to a reflec ...)
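Review bot: two consistency points. CVE-2026-2393 is marked "NOT-FOR-US: mlflow" in lower case while the description spells it "MLflow" and every other reason in this update follows the upstream's own capitalisation (OpenClaw, WeGIA, JetBrains). The three WSO2 entries (CVE-2025-9973, CVE-2025-8325, CVE-2025-8154) carry a reason that appears nowhere in their visible descriptions ("adaptive ...", "role-based access controls for certain G ...", "Webhook API invocations"), so the vendor attribution is taken from the CNA rather than the text and cannot be checked from this diff; a spot check of at least one against the source advisory is advisable before these are treated as closed. CVE-2026-26946 is another copy of the Dell ECS/ObjectScale description with the same reason as the earlier ones.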
@@ -295,13 +295,13 @@ CVE-2025-61306 (A reflected cross-site scripted (XSS) vulnerability in the dfm-m
CVE-2025-61305 (A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_fi ...)
TODO: check
CVE-2025-43992 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale version ...)
- TODO: check
+ NOT-FOR-US: Dell / EMC
CVE-2025-10908 (Due to a lack of user account state validation during authentication, ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2025-10470 (The Magic Link authentication flow accepts multiple invalid authentica ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2024-0391 (The check user account lock states feature within the email OTP flow f ...)
- TODO: check
+ NOT-FOR-US: WSO2
CVE-2026-42304
- twisted 26.4.0-1
CVE-2026-2291 (dnsmasqs extract_name() function can be abused to cause a heap buffer ...)
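Review bot: same remark as the previous hunk for CVE-2025-10908, CVE-2025-10470 and CVE-2024-0391: the descriptions (account state validation during authentication, the Magic Link flow, the email OTP lock-state check) do not name WSO2, so the "NOT-FOR-US: WSO2" reason rests on the CNA mapping and should be spot-checked; CVE-2024-0391 is the only 2024 identifier in this update and deserves the same confirmation. CVE-2025-43992 is a fourth copy of the Dell ECS/ObjectScale description with the matching reason. The trailing context lines show CVE-2026-42304 already resolved to "twisted 26.4.0-1" and CVE-2026-2291 (dnsmasq) still open; neither is touched here, which is correct for an automatic NOT-FOR-US pass.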
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15ddebd316c8b831ac15857631b1cfce9083d11a