[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat May 16 13:06:33 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cce36715 by Salvatore Bonaccorso at 2026-05-16T14:06:06+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -411,7 +411,7 @@ CVE-2026-45369 (python-utcp is the python implementation of UTCP. Prior to 1.1.3
CVE-2026-45248 (Hedera Guardian through 3.5.1 contains an authentication bypass vulner ...)
NOT-FOR-US: Hedera Guardian
CVE-2026-44700 (Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior ...)
- TODO: check
+ NOT-FOR-US: Elixir WebRTC
CVE-2026-44679 (Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10 ...)
NOT-FOR-US: Tuist
CVE-2026-44678 (Tuist is a virtual platform team for Swift app devs. In 1.180.8 and ea ...)
@@ -1169,7 +1169,7 @@ CVE-2026-44216 (Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43
- rust-wasmtime 36.0.8+dfsg-1
NOTE: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg
CVE-2026-43644 (podinfo through 6.11.2 contains a reflected cross-site scripting vulne ...)
- TODO: check
+ NOT-FOR-US: podinfo
CVE-2026-42897 (Improper neutralization of input during web page generation ('cross-si ...)
NOT-FOR-US: Microsoft
CVE-2026-42881 (STIGQter is an open-source reimplementation of DISA's STIG Viewer. Fro ...)
@@ -1195,9 +1195,9 @@ CVE-2026-42590 (Gotenberg is a Docker-powered stateless API for PDF files. Prior
CVE-2026-42589 (Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8. ...)
NOT-FOR-US: Gotenberg
CVE-2026-42572 (Hatchet is a platform for orchestrating background tasks, AI agents, a ...)
- TODO: check
+ NOT-FOR-US: Hatchet
CVE-2026-42559 (RMCP is an official Rust SDK for the Model Context Protocol. Prior to ...)
- TODO: check
+ NOT-FOR-US: RMCP
CVE-2026-42555 (Valtimo is an open-source business process automation platform. com.ri ...)
NOT-FOR-US: Valtimo
CVE-2026-42457 (vCluster Platform provides a Kubernetes platform for managing virtual ...)
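Review bot: The CVE-2026-42559 entry closes RMCP as NOT-FOR-US, but its description calls it a Rust SDK, and Rust crates are routinely packaged in Debian or pulled in as dependencies of packaged software. Worth confirming that there is no rust-rmcp source package and no open ITP/RFP before settling on NFU. If a packaging bug exists, an <itp> entry carrying the bug number would record that better than NOT-FOR-US.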
@@ -2887,7 +2887,7 @@ CVE-2026-42303 (Fides is an open-source privacy engineering platform. From 2.75.
CVE-2026-42300 (DevGuard provides vulnerability management for the full software suppl ...)
NOT-FOR-US: DevGuard
CVE-2026-42260 (Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for ...)
- TODO: check
+ NOT-FOR-US: Open-WebSearch
CVE-2026-42177 (linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entr ...)
TODO: check
CVE-2026-42175 (requests-hardened is a library that overrides the default behaviors of ...)
@@ -3485,15 +3485,15 @@ CVE-2026-7255 (** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excess
CVE-2026-45430 (The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not prope ...)
NOT-FOR-US: Salesforce module for Backdrop CMS
CVE-2026-45393 (Reserved. Details will be published at disclosure.)
- TODO: check
+ NOT-FOR-US: Cribl
CVE-2026-45392 (Reserved. Details will be published at disclosure.)
- TODO: check
+ NOT-FOR-US: Cribl
CVE-2026-45391 (Reserved. Details will be published at disclosure.)
- TODO: check
+ NOT-FOR-US: Cribl
CVE-2026-45362 (Sangoma Switchvox before 8.4 places cleartext SIP authentication crede ...)
NOT-FOR-US: Sangoma Switchvox
CVE-2026-45321 (On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious ...)
- TODO: check
+ NOT-FOR-US: Backdoored TanStack packages
CVE-2026-45026 (WeGIA is a web manager for charitable institutions. In versions prior ...)
NOT-FOR-US: WeGIA
CVE-2026-45025 (WeGIA is a web manager for charitable institutions. In versions prior ...)
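Review bot: CVE-2026-45393, CVE-2026-45392 and CVE-2026-45391 still read "Reserved. Details will be published at disclosure.", so the "NOT-FOR-US: Cribl" triage cannot be checked against anything in the entries themselves. A NOTE line with the advisory or CNA reference that ties these ids to Cribl would make the decision auditable later. Separately, for CVE-2026-45321 the label "Backdoored TanStack packages" names an incident rather than a product; since the description refers to malicious published versions, a short NOTE stating that none of the affected versions were ever in the archive would make the reason for NFU explicit.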
@@ -3954,7 +3954,7 @@ CVE-2026-44659 (Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Brows
CVE-2026-44658 (Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs enter ...)
NOT-FOR-US: Zen
CVE-2026-44643 (Angular Expressions provides expressions for the Angular.JS web framew ...)
- TODO: check
+ NOT-FOR-US: Angular Expressions
CVE-2026-44413 (In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users coul ...)
NOT-FOR-US: JetBrains
CVE-2026-44226 (pyLoad is a free and open-source download manager written in Python. P ...)
@@ -4525,7 +4525,7 @@ CVE-2026-42575 (apko allows users to build and publish OCI container images buil
CVE-2026-42574 (apko allows users to build and publish OCI container images built from ...)
NOT-FOR-US: apko
CVE-2026-42571 (Pelican is a platform for creating data federations. From versions 7.2 ...)
- TODO: check
+ NOT-FOR-US: PelicanPlatform Pelican (not the same as src:pelican)
CVE-2026-42569 (phpVMS is a PHP application to run and simulate an airline. Prior to v ...)
NOT-FOR-US: phpVMS
CVE-2026-42562 (Plainpad is a self hosted note taking app. Prior to version 1.1.1, Pla ...)
@@ -4621,7 +4621,7 @@ CVE-2026-44286 (FastGPT is an AI Agent building platform. Prior to version 4.14.
CVE-2026-44284 (FastGPT is an AI Agent building platform. Prior to version 4.14.17, Fa ...)
NOT-FOR-US: FastGPT
CVE-2026-42560 (auth provides authentication via oauth2, direct and email. From versio ...)
- TODO: check
+ NOT-FOR-US: go-pkgz/auth
CVE-2026-42556 (Postiz is an AI social media scheduling tool. From version 2.21.6 to b ...)
NOT-FOR-US: Postiz
CVE-2026-42461 (Arcane is an interface for managing Docker containers, images, network ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cce3671536e4d3af9f6ad436525a8c8da611b791