[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun May 17 07:50:25 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
02948789 by Salvatore Bonaccorso at 2026-05-17T08:50:03+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -371,7 +371,7 @@ CVE-2026-42458 (Magento Long Term Support (LTS) is an unofficial, community-driv
CVE-2026-42207 (Magento Long Term Support (LTS) is an unofficial, community-driven pro ...)
NOT-FOR-US: Magento LTS (alternative to Magento Community Edition)
CVE-2026-42155 (Magento Long Term Support (LTS) is an unofficial, community-driven pro ...)
- TODO: check
+ NOT-FOR-US: Magento LTS (alternative to Magento Community Edition)
CVE-2026-41971 (Permission control vulnerability in the security control module.Impact ...)
NOT-FOR-US: Huawei
CVE-2026-41970 (Out-of-bounds write vulnerability in the distributed file system modul ...)
@@ -397,9 +397,9 @@ CVE-2026-41961 (Permission control vulnerability in contacts.Impact: Successful
CVE-2026-41960 (Permission control vulnerability in calls.Impact: Successful exploitat ...)
NOT-FOR-US: Huawei
CVE-2026-41553 (PDF Export Module used inDHTMLX'sproducts Gantt and Scheduler is vulne ...)
- TODO: check
+ NOT-FOR-US: DHTMLX
CVE-2026-41552 (PDF Export Module used in DHTMLX's products Gantt and Scheduler is vul ...)
- TODO: check
+ NOT-FOR-US: DHTMLX
CVE-2026-41258 (OpenMRS is an open source electronic medical record system platform. F ...)
TODO: check
CVE-2026-41181 (Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, ...)
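Review bot: the description line for CVE-2026-41553 is missing spaces ('used inDHTMLX'sproducts') while the sibling entry CVE-2026-41552 reads 'used in DHTMLX's products'; the change itself only flips both TODO lines to 'NOT-FOR-US: DHTMLX', which is consistent across the pair, but the garbled description is worth checking against its source before anyone hand-edits that line.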
@@ -571,7 +571,7 @@ CVE-2026-42327 (rust-openssl provides OpenSSL bindings for the Rust programming
- rust-openssl <unfixed> (bug #1136787)
NOTE: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
CVE-2026-41702 (VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerabil ...)
- TODO: check
+ NOT-FOR-US: VMware
CVE-2026-3290 (Timing limitations of the HRNG in RS9116 when power save mode is enabl ...)
NOT-FOR-US: Silicon Labs
CVE-2026-2652 (A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows una ...)
@@ -1297,15 +1297,15 @@ CVE-2026-42281 (MagicMirror\xb2 is an open source modular smart mirror platform.
CVE-2026-42186 (OpenBao is an open source identity-based secrets management system. Pr ...)
- openbao <itp> (bug #1069794)
CVE-2026-42159 (Flowsint is an open-source OSINT graph exploration tool designed for c ...)
- TODO: check
+ NOT-FOR-US: Flowsint
CVE-2026-41937 (Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerabilit ...)
- TODO: check
+ NOT-FOR-US: Vvveb
CVE-2026-41935 (Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability ...)
- TODO: check
+ NOT-FOR-US: Vvveb
CVE-2026-41933 (Vvveb before 1.0.8.3 contains a directory listing information disclosu ...)
- TODO: check
+ NOT-FOR-US: Vvveb
CVE-2026-41932 (Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerabil ...)
- TODO: check
+ NOT-FOR-US: Vvveb
CVE-2026-41888 (Distribution is a toolkit to pack, ship, store, and deliver container ...)
TODO: check
CVE-2026-41615 (Exposure of sensitive information to an unauthorized actor in Microsof ...)
@@ -1853,21 +1853,21 @@ CVE-2026-42266 (jupyterlab is an extensible environment for interactive and repr
CVE-2026-42063 (A vulnerability exists in iControl SOAP where an authenticated attacke ...)
NOT-FOR-US: F5
CVE-2026-42062 (ELECOM wireless LAN access point devices contain an OS command injecti ...)
- TODO: check
+ NOT-FOR-US: ELECOM
CVE-2026-42058 (An authenticated attacker's undisclosed requests to BIG-IP iControl RE ...)
NOT-FOR-US: F5
CVE-2026-42032 (CKAN is an open-source DMS (data management system) for powering data ...)
- TODO: check
+ NOT-FOR-US: CKAN
CVE-2026-42031 (CKAN is an open-source DMS (data management system) for powering data ...)
- TODO: check
+ NOT-FOR-US: CKAN
CVE-2026-41959 (Incorrect permission assignment vulnerabilities exist in BIG-IP and BI ...)
- TODO: check
+ NOT-FOR-US: F5
CVE-2026-41957 (An authenticated remote code execution vulnerability through undisclos ...)
- TODO: check
+ NOT-FOR-US: F5
CVE-2026-41956 (When a classification profile is configured on a UDP virtual server, u ...)
- TODO: check
+ NOT-FOR-US: F5
CVE-2026-41954 (Sensitive information disclosure vulnerability exists in the undisclos ...)
- TODO: check
+ NOT-FOR-US: F5
CVE-2026-41953 (A vulnerability exists in BIG-IP systems where a highly privileged, au ...)
NOT-FOR-US: F5
CVE-2026-41410
@@ -2551,13 +2551,13 @@ CVE-2026-42196 (django-s3file is a lightweight file upload input for Django and
CVE-2026-42191 (OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetr ...)
TODO: check
CVE-2026-42158 (Flowsint is an open-source OSINT graph exploration tool designed for c ...)
- TODO: check
+ NOT-FOR-US: Flowsint
CVE-2026-42157 (Flowsint is an open-source OSINT graph exploration tool designed for c ...)
- TODO: check
+ NOT-FOR-US: Flowsint
CVE-2026-42156 (Flowsint is an open-source OSINT graph exploration tool designed for c ...)
- TODO: check
+ NOT-FOR-US: Flowsint
CVE-2026-41901 (Thymeleaf is a server-side Java template engine for web and standalone ...)
- TODO: check
+ NOT-FOR-US: Thymeleaf
CVE-2026-41195 (mosparo is the modern solution to protect your online forms from spam. ...)
TODO: check
CVE-2026-40902 (PhpSpreadsheet is a pure PHP library for reading and writing spreadshe ...)
@@ -2986,16 +2986,16 @@ CVE-2026-42177 (linux-entra-sso is a browser plugin for Linux to SSO on Microsof
CVE-2026-42175 (requests-hardened is a library that overrides the default behaviors of ...)
TODO: check
CVE-2026-42141 (Xibo is an open source digital signage platform with a web content man ...)
- TODO: check
+ NOT-FOR-US: Xibo
CVE-2026-42048 (Langflow is a tool for building and deploying AI-powered agents and wo ...)
- TODO: check
+ NOT-FOR-US: Langflow
CVE-2026-42045 (LobeHub is a work-and-lifestyle space to find, build, and collaborate ...)
- TODO: check
+ NOT-FOR-US: LobeHub
CVE-2026-42006 (An attacker can cause uncontrolled memory usage with excessive bracing ...)
- dovecot 1:2.4.4+dfsg1-1 (bug #1136444)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/12/6
CVE-2026-41895 (changedetection.io is a free open source web page change detection too ...)
- TODO: check
+ NOT-FOR-US: changedetection.io
CVE-2026-41713 (A malicious user could craft input that is stored in conversation memo ...)
NOT-FOR-US: VMware
CVE-2026-41712 (Spring AI's chat memory component contained a problematic default that ...)
@@ -3013,7 +3013,7 @@ CVE-2026-41610 (Improper neutralization of input during web page generation ('cr
CVE-2026-41551 (A vulnerability has been identified in ROS# (All versions < V2.2.2). A ...)
NOT-FOR-US: Siemens
CVE-2026-41513 (Horilla is an HR and CRM software. In 1.5.0, the notification endpoint ...)
- TODO: check
+ NOT-FOR-US: Horilla
CVE-2026-41293 (Improper Input Validation vulnerability in Apache Tomcat. This issue ...)
- tomcat11 11.0.22-1
- tomcat10 <unfixed>
@@ -3710,11 +3710,11 @@ CVE-2026-42188 (Geyser is a bridge between Minecraft: Bedrock Edition and Minecr
CVE-2026-42046 (libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an ...)
TODO: check
CVE-2026-41872 ("Kura Sushi Official App" provided by EPG, Inc. is vulnerable to impro ...)
- TODO: check
+ NOT-FOR-US: Kura Sushi Official App
CVE-2026-41530 (The automatic folder creation feature of Lhaz and Lhaz+ provided by Ch ...)
- TODO: check
+ NOT-FOR-US: Lhaz
CVE-2026-41489 (Pi-hole is a DNS sinkhole that protects devices from unwanted content ...)
- TODO: check
+ NOT-FOR-US: Pi-Hole
CVE-2026-40137 (SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthentic ...)
NOT-FOR-US: SAP
CVE-2026-40136 (SAP Financial Consolidation allows an authenticated attacker to discon ...)
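Review bot: the new triage line for CVE-2026-41489 reads 'NOT-FOR-US: Pi-Hole' while the description on the line above spells the project 'Pi-hole'; suggest 'NOT-FOR-US: Pi-hole' so a search for the product name as written matches both the description and the triage line. The Lhaz and Kura Sushi Official App entries in this hunk already use the product name exactly as it appears in their descriptions.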
@@ -4148,7 +4148,7 @@ CVE-2026-42313 (pyLoad is a free and open-source download manager written in Pyt
CVE-2026-42312 (pyLoad is a free and open-source download manager written in Python. P ...)
- pyload <itp> (bug #1001980)
CVE-2026-41951 (Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which ...)
- TODO: check
+ NOT-FOR-US: GROWI
CVE-2026-41431 (Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a ...)
TODO: check
CVE-2026-41257 (jq is a command-line JSON processor. In 1.8.1 and earlier, the jq byte ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02948789499c8d8a4992213a1c0a1bd8d636d96a