[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun May 17 14:08:01 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6df33b8f by Moritz Muehlenhoff at 2026-05-17T15:07:06+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -411,7 +411,7 @@ CVE-2026-39053 (Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue
CVE-2026-39052 (Oinone Pamirs 7.0.0 contains a code execution vulnerability via Script ...)
NOT-FOR-US: Oinone Pamirs
CVE-2026-38728 (An issue in Nodemailer smtp_server before v.3.18.3 allows a remote att ...)
- TODO: check
+ NOT-FOR-US: Node smtp-server
CVE-2026-35194 (Code injection in SQL code generation in Apache Flink 1.15.0 through 1 ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-34253 (A buffer underflow vulnerability has been identified in the ogg123 uti ...)
@@ -623,7 +623,7 @@ CVE-2025-48513 (Use of uninitialized resource within the AMD Platform Management
CVE-2025-48512 (Incorrect default permissions in the installation directory for the AM ...)
TODO: check
CVE-2025-29944 (A buffer overflow vulnerability within AMD Sensor Fusion Hub Driver ca ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2025-29938 (An unchecked return value within the AMD Platform Management Framework ...)
TODO: check
CVE-2025-29937 (An out of bounds read within the AMD Platform Management Framework (PM ...)
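Review bot: CVE-2025-29944 is moved to NOT-FOR-US: AMD on the strength of the truncated description alone, which names only the "AMD Sensor Fusion Hub Driver" without saying which operating system's driver is meant; AMD also ships a Linux SFH driver, so the advisory scope should be confirmed before closing this, and until then the entry would be better left as TODO: check alongside the neighbouring PMF entries in this hunk, which keep that state.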
@@ -645,7 +645,7 @@ CVE-2024-36345 (Improper input validation in the AMD OverDrive (AOD) System Mana
CVE-2024-36334 (Improper verification of cryptographic signature in the Radeon RGB too ...)
TODO: check
CVE-2024-36333 (A DLL hijacking vulnerability in the AMD Cleanup Utility could allow a ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2024-36332 (Improper isolation of GPU HW register space could allow a privileged a ...)
TODO: check
CVE-2024-36323 (Improper isolation of VCN-JPEG HW register space could allow a malicio ...)
@@ -1247,7 +1247,7 @@ CVE-2026-44312 (css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the
NOTE: Fixed by: https://github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad052666449 (v2.1.0)
NOTE: Fixed by: https://github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18 (v1.22.0)
CVE-2026-44308 (Spring Cloud AWS simplifies using AWS managed services in a Spring and ...)
- TODO: check
+ NOT-FOR-US: Spring Cloud AWS
CVE-2026-44283 (etcd is a distributed key-value store for the data of a distributed sy ...)
- etcd <unfixed> (bug #1136829)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5
@@ -1325,9 +1325,9 @@ CVE-2026-27680 (Due to improper input handling under certain conditions, SAP Net
CVE-2026-24712 (Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, ...)
TODO: check
CVE-2026-24711 (Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 ha ...)
- TODO: check
+ NOT-FOR-US: CFEngine Enterprise
CVE-2026-24710 (Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 al ...)
- TODO: check
+ NOT-FOR-US: CFEngine Enterprise
CVE-2026-23998 (Fleet is open source device management software. Prior to version 4.81 ...)
NOT-FOR-US: Fleet
CVE-2026-22707 (Strapi is an open source headless content management system. In Strapi ...)
@@ -1337,7 +1337,7 @@ CVE-2026-22706 (Strapi is an open source headless content management system. In
CVE-2026-22599 (Strapi is an open source headless content management system. In versio ...)
NOT-FOR-US: Strapi
CVE-2026-21730 (Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability ...)
- TODO: check
+ NOT-FOR-US: Verba
CVE-2026-20224 (A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, former ...)
NOT-FOR-US: Cisco
CVE-2026-20210 (A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, former ...)
@@ -1347,21 +1347,21 @@ CVE-2026-20209 (A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager,
CVE-2026-20182 (May 2026: This security advisory provides the details and fix informat ...)
NOT-FOR-US: Cisco
CVE-2026-1630 (WEBCON BPS is vulnerable to Reflected XSS via one of parameters used b ...)
- TODO: check
+ NOT-FOR-US: WEBCON BPS
CVE-2025-69443 (Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, w ...)
- TODO: check
+ NOT-FOR-US: coleam00 Archon
CVE-2025-68421 (Comarch ERP Optima client makes use of a hard-coded password for a dat ...)
- TODO: check
+ NOT-FOR-US: Comarch ERP Optima
CVE-2025-68420 (ComarchERP Optima client connects to a database using a high privilege ...)
- TODO: check
+ NOT-FOR-US: Comarch ERP Optima
CVE-2025-64526 (Strapi is an open source headless content management system. In Strapi ...)
NOT-FOR-US: Strapi
CVE-2025-62628 (Unsafe OpenSSL initialization within some AMD optional tools may allow ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2025-62625 (Improper privilege management in the KVM key download component could ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2025-62619 (Missing authentication in the KVM key download endpoint could allow an ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2025-62317 (HCL AION is affected by a vulnerability where sensitive information ma ...)
NOT-FOR-US: HCL
CVE-2025-62316 (HCL AION is affected by a vulnerability where certain security-related ...)
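Review bot: the descriptions of CVE-2025-62625 and CVE-2025-62619 ("KVM key download component/endpoint") name no vendor or product, so a later reader cannot verify the new NOT-FOR-US: AMD annotation from this file; naming the affected AMD product, or adding a NOTE line with the AMD advisory reference, would make the triage reproducible.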
@@ -1389,7 +1389,7 @@ CVE-2025-15023 (Incorrect Authorization vulnerability in Yordam Information Tech
CVE-2025-12008 (Authorization bypass through User-Controlled key vulnerability in APPY ...)
NOT-FOR-US: Yaay Social Media App
CVE-2025-11024 (Improper neutralization of special elements used in an SQL command ('S ...)
- TODO: check
+ NOT-FOR-US: Akili
CVE-2026-6479 (Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an ...)
{DSA-6270-1 DSA-6269-1}
- postgresql-18 18.4-1
@@ -1840,7 +1840,7 @@ CVE-2026-42548 (Flight is an extensible micro-framework for PHP. Prior to 3.18.1
CVE-2026-42463 (SQLBot is an intelligent Text-to-SQL system based on large language mo ...)
NOT-FOR-US: SQLBot
CVE-2026-42409 (When an HTTP/2 profile and an iRule containing the HTTP::redirector HT ...)
- TODO: check
+ NOT-FOR-US: F5
CVE-2026-42408 (When BIG-IP DNS is provisioned, a vulnerability exists in an undisclos ...)
NOT-FOR-US: F5
CVE-2026-42406 (A vulnerability exists in BIG-IP and BIG-IQ systems where a highly pri ...)
@@ -2007,7 +2007,7 @@ CVE-2026-32673 (A vulnerability exists in BIG-IP scripted monitors that may allo
CVE-2026-32643 (A vulnerability exists in BIG-IP and BIG-IQ systems where a highly pri ...)
NOT-FOR-US: F5
CVE-2026-31156 (A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f ...)
- TODO: check
+ NOT-FOR-US: OpenPLC
CVE-2026-30906 (Untrusted search path in the installer for Zoom Rooms for Windows befo ...)
NOT-FOR-US: Zoom
CVE-2026-30905 (External Control of File Name or Path in the Zoom Workplace VDI Plugin ...)
@@ -2021,9 +2021,9 @@ CVE-2026-2695 (A command injection vulnerability was discoveredin TeamViewer DEX
CVE-2026-2515 (The Hostinger Reach \u2013 AI-Powered Email Marketing for WordPress pl ...)
NOT-FOR-US: WordPress plugin
CVE-2026-29206 (Insufficient sanitization of SQL queries in the `sqloptimizer` utility ...)
- TODO: check
+ NOT-FOR-US: cPanel
CVE-2026-29205 (Incorrect privileges management and insufficient path filtering allow ...)
- TODO: check
+ NOT-FOR-US: cPanel
CVE-2026-28758 (When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_adda ...)
NOT-FOR-US: F5
CVE-2026-28383 (A request to the Grafana plugin resources endpoint can cause unbounded ...)
@@ -2039,15 +2039,15 @@ CVE-2026-28374 (Editors could delete any annotation, even those they do not have
CVE-2026-25705 (A vulnerability has been identified in [Rancher's Extensions](https:// ...)
NOT-FOR-US: SUSE
CVE-2026-25107 (ELECOM wireless LAN access point devices use a hard-coded cryptographi ...)
- TODO: check
+ NOT-FOR-US: ELECOM
CVE-2026-24464 (When running in Appliance mode, a directory traversal vulnerability ex ...)
NOT-FOR-US: F5
CVE-2026-22677 (Hermes WebUI prior to 0.51.44 - Release T contains a path traversal vu ...)
- TODO: check
+ NOT-FOR-US: Hermes WebUI
CVE-2026-21821 (The HCL BigFix SCM Reporting site contains an outdated and unsupported ...)
NOT-FOR-US: HCL
CVE-2026-20916 (An authenticated iControl REST user with low privileges can create or ...)
- TODO: check
+ NOT-FOR-US: F5
CVE-2026-1659 (GitLab has remediated an issue in GitLab CE/EE affecting all versions ...)
TODO: check
CVE-2026-1338 (GitLab has remediated an issue in GitLab CE/EE affecting all versions ...)
@@ -2109,21 +2109,21 @@ CVE-2026-0236 (A code injection vulnerability in Palo Alto Networks Prisma\xae B
CVE-2026-0235 (A race condition vulnerability in Palo Alto Networks Prisma\xae Browse ...)
NOT-FOR-US: Palo Alto Networks
CVE-2025-32425 (AutoGPT is a platform that allows users to create, deploy, and manage ...)
- TODO: check
+ NOT-FOR-US: AutoGPT
CVE-2025-29338 (NXP moal.ko Wi-Fi driver 5.1.7.10 FW version from v17.92.1.p149.43 To ...)
- TODO: check
+ NOT-FOR-US: NXPAutoGPT
CVE-2025-28344 (striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in fu ...)
- TODO: check
+ NOT-FOR-US: striso-control-firmware
CVE-2025-28343 (striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in fu ...)
- TODO: check
+ NOT-FOR-US: striso-control-firmware
CVE-2025-27853 (The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) al ...)
- TODO: check
+ NOT-FOR-US: Garmin
CVE-2025-27852 (The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) al ...)
- TODO: check
+ NOT-FOR-US: Garmin
CVE-2025-27851 (The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) al ...)
- TODO: check
+ NOT-FOR-US: Garmin
CVE-2025-27850 (The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) al ...)
- TODO: check
+ NOT-FOR-US: Garmin
CVE-2025-15345 (The MapGeo \u2013 Interactive Geo Maps plugin for WordPress is vulnera ...)
NOT-FOR-US: WordPress plugin
CVE-2025-14870 (GitLab has remediated an issue in GitLab CE/EE affecting all versions ...)
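Review bot: the new line for CVE-2025-29338 reads `NOT-FOR-US: NXPAutoGPT`, which looks like the preceding entry's `NOT-FOR-US: AutoGPT` fused with the intended vendor name; the description names the NXP moal.ko Wi-Fi driver, so this should be `NOT-FOR-US: NXP`.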
@@ -2137,41 +2137,41 @@ CVE-2025-13874 (GitLab has remediated an issue in GitLab CE/EE affecting all ver
CVE-2025-12669 (GitLab has remediated an issue in GitLab CE/EE affecting all versions ...)
TODO: check
CVE-2024-55045 (Firmament-Autopilot FMT-Firmware commit de5aec was discovered to conta ...)
- TODO: check
+ NOT-FOR-US: Firmament-Autopilot FMT-Firmware
CVE-2024-51395 (Buffer Overflow vulnerability in Ardupiot Copter Latest commit 92693e0 ...)
- TODO: check
+ NOT-FOR-US: Ardupiot Copter
CVE-2024-51394 (Buffer Overflow vulnerability in Ardupiot Copter Latest commit 92693e0 ...)
- TODO: check
+ NOT-FOR-US: Ardupiot Copter
CVE-2024-48519 (Buffer Overflow vulnerability in Ardupilot rover commit v.c56439b04516 ...)
- TODO: check
+ NOT-FOR-US: Ardupiot Copter
CVE-2024-47091 (Privilege escalation in the mk_mysql agent plugin on Windows in Checkm ...)
TODO: check
CVE-2020-37226 (Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerabi ...)
- TODO: check
+ NOT-FOR-US: Joomla addon
CVE-2020-37225 (Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scr ...)
- TODO: check
+ NOT-FOR-US: Powie WHOIS Domain Check
CVE-2020-37224 (Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerabi ...)
- TODO: check
+ NOT-FOR-US: Joomla addon
CVE-2020-37223 (IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerabi ...)
- TODO: check
+ NOT-FOR-US: IObit Uninstaller
CVE-2020-37222 (Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerabi ...)
- TODO: check
+ NOT-FOR-US: Kuicms Php EE
CVE-2020-37221 (Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that al ...)
- TODO: check
+ NOT-FOR-US: Atomic Alarm Clock
CVE-2020-37220 (Huawei HG630 V2 router contains an authentication bypass vulnerability ...)
- TODO: check
+ NOT-FOR-US: Huawei
CVE-2020-37219 (Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability ...)
- TODO: check
+ NOT-FOR-US: Joomla addon
CVE-2020-37218 (Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in th ...)
- TODO: check
+ NOT-FOR-US: Joomla addon
CVE-2020-37217 (Easy2Pilot 7 contains a cross-site request forgery vulnerability that ...)
- TODO: check
+ NOT-FOR-US: Easy2Pilot
CVE-2020-37174 (WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2020-37169 (WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2020-37168 (Ecommerce Systempay 1.0 contains a weak cryptographic implementation v ...)
- TODO: check
+ NOT-FOR-US: Ecommerce Systempay
CVE-2026-8500 (Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web: ...)
NOT-FOR-US: Web::Passwd Perl module
CVE-2026-42945 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ ...)
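Review bot: CVE-2024-48519 is described as affecting "Ardupilot rover", yet its new annotation copies `NOT-FOR-US: Ardupiot Copter` from the two Copter entries above it, so the product and the spelling both mismatch the CVE text; suggest `NOT-FOR-US: ArduPilot` for all three entries so the annotations do not carry over the upstream misspelling.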
@@ -2633,11 +2633,11 @@ CVE-2026-34645 (Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p
CVE-2026-33570 (PowerSYSTEM Center REST API endpoint for devices allows a low privileg ...)
NOT-FOR-US: PowerSYSTEM Center
CVE-2026-32661 (Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailS ...)
- TODO: check
+ NOT-FOR-US: GUARDIANWALL
CVE-2026-2725 (Incorrect authorization in the "submitted together" feature in Gerrit ...)
TODO: check
CVE-2026-26289 (PowerSYSTEM Center REST API endpoint for device account export allows ...)
- TODO: check
+ NOT-FOR-US: PowerSYSTEM Center REST API
CVE-2026-23827 (A heap-based buffer overflow vulnerability exists in a Network managem ...)
NOT-FOR-US: HPE
CVE-2026-23826 (A vulnerability in a network management service of AOS-8 Operating Sys ...)
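Review bot: CVE-2026-26289 is annotated `NOT-FOR-US: PowerSYSTEM Center REST API` while the neighbouring CVE-2026-33570 uses `NOT-FOR-US: PowerSYSTEM Center`; the product is the same and the REST API is only the affected component, so the shorter form would keep the two entries consistent.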
@@ -2671,11 +2671,11 @@ CVE-2025-9988 (The Broadstreet plugin for WordPress is vulnerable to unauthorize
CVE-2025-9987 (The Broadstreet plugin for WordPress is vulnerable to Sensitive Inform ...)
NOT-FOR-US: WordPress plugin
CVE-2025-65088 (An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt ...)
- TODO: check
+ NOT-FOR-US: Ashlar-Vellum
CVE-2025-65087 (An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt ...)
- TODO: check
+ NOT-FOR-US: Ashlar-Vellum
CVE-2025-65086 (An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobal ...)
- TODO: check
+ NOT-FOR-US: Ashlar-Vellum
CVE-2025-62627 (An untrusted pointer dereference in the ionic cloud driver for VMWare ...)
TODO: check
CVE-2025-62624 (A heap-based buffer overflow in the ionic cloud driver for VMware ESXi ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6df33b8f5a90c8308d0d5b0d0ce28f880e62ff24