[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu May 14 20:03:32 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
99118ac4 by Salvatore Bonaccorso at 2026-05-14T21:03:01+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -164,7 +164,7 @@ CVE-2026-46445 (SOGo before 5.12.7, when PostgreSQL is used, allows SQL injectio
- sogo 5.12.7-1
NOTE: https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 (SOGo-5.12.7)
CVE-2026-46419 (Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2. ...)
- TODO: check
+ NOT-FOR-US: Yubico webauthn-server-core
CVE-2026-45740 (protobufjs compiles protobuf definitions into JavaScript (JS) function ...)
- node-protobufjs <itp> (bug #977564)
CVE-2026-45714 (CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authent ...)
@@ -378,7 +378,7 @@ CVE-2026-42781 (When embedded Packet Velocity Acceleration (ePVA) acceleration i
CVE-2026-42780 (A directory traversal vulnerability exists in BIG-IP SSL Orchestrator ...)
NOT-FOR-US: F5
CVE-2026-42602 (azureauthextension is the Azure Authenticator Extension. From 0.124.0 ...)
- TODO: check
+ NOT-FOR-US: Azure Authenticator ExtensionAzure Authenticator Extension
CVE-2026-42587 (Netty is an asynchronous, event-driven network application framework. ...)
TODO: check
CVE-2026-42586 (Netty is an asynchronous, event-driven network application framework. ...)
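Review bot: The added NOT-FOR-US line for CVE-2026-42602 repeats the product name with no separator ("Azure Authenticator ExtensionAzure Authenticator Extension"), which looks like a paste slip. Suggest "NOT-FOR-US: Azure Authenticator Extension" so the label matches the description and stays easy to grep.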
@@ -406,23 +406,23 @@ CVE-2026-42561 (Python-Multipart is a streaming multipart parser for Python. Pri
CVE-2026-42557 (jupyterlab is an extensible environment for interactive and reproducib ...)
TODO: check
CVE-2026-42552 (Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the ...)
- TODO: check
+ NOT-FOR-US: Flight
CVE-2026-42551 (Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Requ ...)
- TODO: check
+ NOT-FOR-US: Flight
CVE-2026-42550 (Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Simp ...)
- TODO: check
+ NOT-FOR-US: Flight
CVE-2026-42549 (Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the ...)
- TODO: check
+ NOT-FOR-US: Flight
CVE-2026-42548 (Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flig ...)
- TODO: check
+ NOT-FOR-US: Flight
CVE-2026-42463 (SQLBot is an intelligent Text-to-SQL system based on large language mo ...)
- TODO: check
+ NOT-FOR-US: SQLBot
CVE-2026-42409 (When an HTTP/2 profile and an iRule containing the HTTP::redirector HT ...)
TODO: check
CVE-2026-42408 (When BIG-IP DNS is provisioned, a vulnerability exists in an undisclos ...)
NOT-FOR-US: F5
CVE-2026-42406 (A vulnerability exists in BIG-IP and BIG-IQ systems where a highly pri ...)
- TODO: check
+ NOT-FOR-US: F5
CVE-2026-42290 (protobufjs-cli is the command line add-on for protobuf.js. Prior to 1. ...)
TODO: check
CVE-2026-42266 (jupyterlab is an extensible environment for interactive and reproducib ...)
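Review bot: CVE-2026-42409 is left at "TODO: check" in this hunk, although the two entries directly after it, CVE-2026-42408 and the newly triaged CVE-2026-42406, are both "NOT-FOR-US: F5", and its description refers to an HTTP/2 profile and an iRule. If it belongs to the same vendor it could be closed in this batch; if it was left open deliberately, nothing needs to change.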
@@ -1095,21 +1095,21 @@ CVE-2026-42854 (arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-
CVE-2026-42844 (Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privile ...)
NOT-FOR-US: Grav CMS
CVE-2026-42545 (Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2 ...)
- TODO: check
+ NOT-FOR-US: Granian
CVE-2026-42544 (Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2 ...)
- TODO: check
+ NOT-FOR-US: Granian
CVE-2026-42446 (NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0. ...)
- TODO: check
+ NOT-FOR-US: NanaZip
CVE-2026-42445 (NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0. ...)
- TODO: check
+ NOT-FOR-US: NanaZip
CVE-2026-42444 (NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0. ...)
- TODO: check
+ NOT-FOR-US: NanaZip
CVE-2026-42443 (NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0. ...)
- TODO: check
+ NOT-FOR-US: NanaZip
CVE-2026-42442 (NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0. ...)
- TODO: check
+ NOT-FOR-US: NanaZip
CVE-2026-42355 (NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0. ...)
- TODO: check
+ NOT-FOR-US: NanaZip
CVE-2026-42338 (ip-address is a library for parsing and manipulating IPv4 and IPv6 add ...)
TODO: check
CVE-2026-42289 (ChurchCRM is an open-source church management system. Prior to 7.3.2, ...)
@@ -1369,7 +1369,7 @@ CVE-2026-6690 (The LifePress plugin for WordPress is vulnerable to Stored Cross-
CVE-2026-6663 (The GWD Connect plugin for WordPress is vulnerable to missing authoriz ...)
NOT-FOR-US: WordPress plugin
CVE-2026-6402 (webpack-dev-server versions up to and including 5.2.3 are vulnerable t ...)
- TODO: check
+ NOT-FOR-US: webpack-dev-server
CVE-2026-6256 (The Credits Shortcode plugin for WordPress is vulnerable to Stored Cro ...)
NOT-FOR-US: WordPress plugin
CVE-2026-6247 (The scratchblocks for WP plugin for WordPress is vulnerable to Stored ...)
@@ -1387,7 +1387,7 @@ CVE-2026-5340 (The Fancy Image Show plugin for WordPress is vulnerable to Stored
CVE-2026-5146 (Improper access control in the notification management endpoints in De ...)
NOT-FOR-US: Devolutions
CVE-2026-5061 (The consul-template library before version 0.42.0 is vulnerable to a s ...)
- TODO: check
+ NOT-FOR-US: consul-template
CVE-2026-5029 (A remote code execution vulnerability exists inCode Runner MCP Server ...)
NOT-FOR-US: Code Runner MCP Server
CVE-2026-5028 (The Eight Day Week Print Workflow plugin for WordPress is vulnerable t ...)
@@ -1533,7 +1533,7 @@ CVE-2026-42742 (Improper Neutralization of Special Elements used in an SQL Comma
CVE-2026-42741 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-42541 (Kubewarden is a policy engine for Kubernetes. Prior to , An attacker w ...)
- TODO: check
+ NOT-FOR-US: Kubewarden
CVE-2026-42498 (Exposure of HTTP Authentication Header to unexpected hosts during WebS ...)
- tomcat11 11.0.22-1
- tomcat10 <unfixed>
@@ -1544,7 +1544,7 @@ CVE-2026-42498 (Exposure of HTTP Authentication Header to unexpected hosts durin
NOTE: Fixed by: https://github.com/apache/tomcat/commit/169d725788ea6aec217ecac70fe4161c837ba423 (9.0.118)
NOTE: https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb
CVE-2026-42348 (OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. ...)
- TODO: check
+ NOT-FOR-US: OpenTelemetry.OpAmp.Client
CVE-2026-42303 (Fides is an open-source privacy engineering platform. From 2.75.0 to b ...)
TODO: check
CVE-2026-42300 (DevGuard provides vulnerability management for the full software suppl ...)
@@ -2267,11 +2267,11 @@ CVE-2026-42869 (SOCFortress CoPilot focuses on providing a single pane of glass
CVE-2026-42600 (MinIO is a high-performance object storage system. From RELEASE.2022-0 ...)
TODO: check
CVE-2026-42565 (@workos/authkit-session is a toolkit for building WorkOS AuthKit frame ...)
- TODO: check
+ NOT-FOR-US: workos/authkit-session
CVE-2026-42564 (jotty\xb7page is a self-hosted app for your checklists and notes. Prio ...)
- TODO: check
+ NOT-FOR-US: jotty page
CVE-2026-42554 (Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Sit ...)
- TODO: check
+ NOT-FOR-US: Fiber
CVE-2026-42188 (Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: J ...)
TODO: check
CVE-2026-42046 (libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an ...)
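Review bot: Two of the new labels in this hunk differ from the product names given in the descriptions: CVE-2026-42565 drops the leading "@" from "@workos/authkit-session", and CVE-2026-42564 uses "jotty page" where the description has "jotty\xb7page". Keeping the spelling from the description would let later entries for the same products reuse an identical NFU string. The bare "Fiber" on CVE-2026-42554 is also generic on its own; a label taken from the description, such as "Fiber web framework for Go", would be less ambiguous.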
@@ -2700,9 +2700,9 @@ CVE-2026-42608 (Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there
CVE-2026-42607 (Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authentic ...)
NOT-FOR-US: Grav CMS
CVE-2026-42603 (OWASP BLT is a QA testing and vulnerability disclosure platform that e ...)
- TODO: check
+ NOT-FOR-US: OWASP BLT
CVE-2026-42349 (Clerk JavaScript is the official JavaScript repository for Clerk authe ...)
- TODO: check
+ NOT-FOR-US: Clerk
CVE-2026-42316 (kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft ...)
TODO: check
CVE-2026-42315 (pyLoad is a free and open-source download manager written in Python. P ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99118ac4c30c61306a87f89e36d01910c97053eb