[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed May 13 10:37:56 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
963d0a58 by Moritz Muehlenhoff at 2026-05-13T11:37:37+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5,23 +5,23 @@ CVE-2026-8336 (After invoking $_internalJsEmit, which is not intended to be dire
 CVE-2026-8202 (Using a densely populated chars mask and a large input string in the M ...)
 	TODO: check
 CVE-2026-8201 (A use-after-free vulnerability exists in MongoDB's Field-Level Encrypt ...)
-	TODO: check
+	- mongodb <removed>
 CVE-2026-8200 (When schema validation is enabled on a collection and an update or ins ...)
-	TODO: check
+	- mongodb <removed>
 CVE-2026-8199 (An authenticated user can cause excess memory usage via bitwise match  ...)
-	TODO: check
+	- mongodb <removed>
 CVE-2026-8108 (The installation of Fuji Tellus adds a driver to the kernel which gran ...)
-	TODO: check
+	NOT-FOR-US: Fuji Tellus
 CVE-2026-8053 (An issue in MongoDB Server's time-series collection implementation all ...)
-	TODO: check
+	- mongodb <removed>
 CVE-2026-8052 (HashiCorp Nomad\u2019s exec2 task driver prior to 0.1.2 is vulnerable  ...)
-	TODO: check
+	- nomad <removed>
 CVE-2026-7635 (The coreActivity: Activity Logging for WordPress plugin for WordPress  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-7619 (The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-7474 (HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to  ...)
-	TODO: check
+	- nomad <removed>
 CVE-2026-7051 (The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPre ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-6965 (The Tutor LMS \u2013 eLearning and online course solution plugin for W ...)
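Review bot: The subject "NFUs" does not describe most of this hunk. Only CVE-2026-8108 gets a NOT-FOR-US tag, while CVE-2026-8201, CVE-2026-8200, CVE-2026-8199 and CVE-2026-8053 become "- mongodb <removed>" and CVE-2026-8052 and CVE-2026-7474 become "- nomad <removed>". Suggest a subject that also mentions the mongodb/nomad triage so the change can be found from the log. Separately, CVE-2026-8202 stays at "TODO: check" directly above the MongoDB entries and its truncated description ends "in the M ..."; worth confirming whether it belongs with them.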
@@ -29,21 +29,21 @@ CVE-2026-6965 (The Tutor LMS \u2013 eLearning and online course solution plugin
 CVE-2026-6962 (The Cost of Goods: Product Cost & Profit Calculator for WooCommerce pl ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-6959 (HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to  ...)
-	TODO: check
+	- nomad <removed>
 CVE-2026-6929 (The JoomSport \u2013 for Sports: Team & League, Football, Hockey & mor ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-6888 (Successful exploitation of the SQL injection vulnerability could allow ...)
-	TODO: check
+	NOT-FOR-US: Advantech SaaS Composer
 CVE-2026-6828 (The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Co ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-5371 (The MonsterInsights \u2013 Google Analytics Dashboard for WordPress (W ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-45227 (Heym before 0.0.21 contains a sandbox escape vulnerability in the cust ...)
-	TODO: check
+	NOT-FOR-US: Heym
 CVE-2026-45226 (Heym before 0.0.21 contains an authorization bypass vulnerability in w ...)
-	TODO: check
+	NOT-FOR-US: Heym
 CVE-2026-45225 (Heym before 0.0.21 contains a path traversal vulnerability in the file ...)
-	TODO: check
+	NOT-FOR-US: Heym
 CVE-2026-44874 (A vulnerability exists in the web-based management interface of an AOS ...)
 	NOT-FOR-US: HPE
 CVE-2026-44873 (A session management vulnerability in AOS-8 allows previously authenti ...)
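Review bot: For CVE-2026-6888 the visible description ("Successful exploitation of the SQL injection vulnerability could allow ...") does not name a product, so the "NOT-FOR-US: Advantech SaaS Composer" tag cannot be cross-checked from this diff the way the three Heym entries can. Worth a second look at the full CVE record to confirm the attribution.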
@@ -91,15 +91,15 @@ CVE-2026-44853 (Command injection vulnerabilities exist in the web-based managem
 CVE-2026-44852 (An authenticated remote code execution vulnerability exists in the AOS ...)
 	NOT-FOR-US: HPE
 CVE-2026-44612 (Bytello Share (Windows Edition) installer executable provided by Bytel ...)
-	TODO: check
+	NOT-FOR-US: Bytello
 CVE-2026-44548 (ChurchCRM is an open-source church management system. Prior to 7.3.2,  ...)
 	NOT-FOR-US: ChurchCRM
 CVE-2026-44547 (ChurchCRM is an open-source church management system. From 7.2.0 to 7. ...)
 	NOT-FOR-US: ChurchCRM
 CVE-2026-44403 (Wing FTP Server 8.1.2 contains an authenticated remote code execution  ...)
-	TODO: check
+	NOT-FOR-US: Wing FTP Server
 CVE-2026-44352 (Flowsint is an open-source OSINT graph exploration tool designed for c ...)
-	TODO: check
+	NOT-FOR-US: Flowsint
 CVE-2026-44347 (Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux ...)
 	TODO: check
 CVE-2026-44341 (GoJobs is a REST API for a Job Board platform. The application exposes ...)
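Review bot: "NOT-FOR-US: Bytello" on CVE-2026-44612 names the vendor, while the description gives the product as "Bytello Share (Windows Edition)" and the other tags added in this hunk use the product name ("Wing FTP Server", "Flowsint"). Suggest "NOT-FOR-US: Bytello Share" so a later search on the product name matches this entry.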
@@ -145,9 +145,9 @@ CVE-2026-44225 (Pulpy is a lightweight, cross-platform desktop application packa
 CVE-2026-44224 (Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, ...)
 	TODO: check
 CVE-2026-44223 (vLLM is an inference and serving engine for large language models (LLM ...)
-	TODO: check
+	- vllm <itp> (bug #1095237)
 CVE-2026-44222 (vLLM is an inference and serving engine for large language models (LLM ...)
-	TODO: check
+	- vllm <itp> (bug #1095237)
 CVE-2026-44221 (ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users an ...)
 	TODO: check
 CVE-2026-44220 (ciguard is a static security auditor for CI/CD pipelines. From 0.8.0 t ...)
@@ -163,11 +163,11 @@ CVE-2026-44215 (NanaZip is an open source file archive. From 5.0.1252.0 to befor
 CVE-2026-44015 (Nginx UI is a web user interface for the Nginx web server. In 2.3.4 an ...)
 	TODO: check
 CVE-2026-44012 (Craft CMS is a content management system (CMS). From 5.0.0-RC1 to befo ...)
-	TODO: check
+	NOT-FOR-US: Craft CMS
 CVE-2026-44011 (Craft CMS is a content management system (CMS). From 4.0.0 to before 4 ...)
-	TODO: check
+	NOT-FOR-US: Craft CMS
 CVE-2026-44010 (Craft CMS is a content management system (CMS). From 4.0.0 to before 4 ...)
-	TODO: check
+	NOT-FOR-US: Craft CMS
 CVE-2026-43948 (wger is a free, open-source workout and fitness manager. Prior to 2.6, ...)
 	TODO: check
 CVE-2026-43685 (A Remote Code Execution vulnerability in Claris FileMaker Cloud allowe ...)
@@ -15435,6 +15435,7 @@ CVE-2026-5958 (When sed is invoked with both -i (in-place edit) and --follow-sym
 	[bookworm] - sed <no-dsa> (Minor issue)
 	[bullseye] - sed <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git;a=commit;h=6b9b43c55ccd3beadbc0094b983c82bdb389f33b
+	NOTE: https://www.openwall.com/lists/oss-security/2026/05/13/1
 CVE-2026-5760 (SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Executio ...)
 	NOT-FOR-US: SGLang
 CVE-2026-4048 (OS Command Injection Remote Code Execution Vulnerability in UI in Prog ...)
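Review bot: The added "NOTE:" line for CVE-2026-5958 (sed) is a reference update rather than NFU triage, and the subject "NFUs" gives no hint of it. Suggest splitting it into its own commit or mentioning it in the message. The placement directly after the existing upstream-commit NOTE is fine.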



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/963d0a589c14e53564c322f87430efda0f7771d8
