[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun May 17 14:30:52 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bd4f0149 by Salvatore Bonaccorso at 2026-05-17T15:30:28+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1951,9 +1951,9 @@ CVE-2026-3073 (GitLab has remediated an issue in GitLab CE/EE affecting all vers
CVE-2026-3004 (The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cr ...)
NOT-FOR-US: WordPress plugin
CVE-2026-39806 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...)
- TODO: check
+ NOT-FOR-US: Bandit (mtrudel/bandit, not the same as src:bandit)
CVE-2026-39803 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- TODO: check
+ NOT-FOR-US: Bandit (mtrudel/bandit, not the same as src:bandit)
CVE-2026-39459 (A vulnerability exists in iControl REST and the TMOS Shell (tmsh) wher ...)
NOT-FOR-US: F5
CVE-2026-39458 (When a BIG-IP DNS profile enabled with DNS cache is configured on a vi ...)
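Review bot: on the two added lines for CVE-2026-39806 and CVE-2026-39803, the parenthetical "(mtrudel/bandit, not the same as src:bandit)" is the only record of why a name that matches a Debian source package was marked NOT-FOR-US, so it should stay byte-identical on any further entries for this project. The truncated descriptions visible here do not name the product, so a later reader relies on this note alone to tell the two Bandits apart.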
@@ -2001,11 +2001,11 @@ CVE-2026-33377 (An Editor can overwrite a dashboard not owned by them to acquire
CVE-2026-33376 (When using an IPv6 allow-list for the Auth Proxy feature, it defaults ...)
TODO: check
CVE-2026-32993 (Improper sanitization of the `status` query parameter of the `/unprote ...)
- TODO: check
+ NOT-FOR-US: cPanel
CVE-2026-32992 (SSL verification is disabled in the DNS Cluster system. This could all ...)
- TODO: check
+ NOT-FOR-US: cPanel
CVE-2026-32991 (Improper authorization checks of team members privileges allow a team ...)
- TODO: check
+ NOT-FOR-US: cPanel
CVE-2026-32673 (A vulnerability exists in BIG-IP scripted monitors that may allow an a ...)
NOT-FOR-US: F5
CVE-2026-32643 (A vulnerability exists in BIG-IP and BIG-IQ systems where a highly pri ...)
@@ -3335,17 +3335,17 @@ CVE-2026-32170 (Double free in Windows Rich Text Edit Control allows an authoriz
CVE-2026-32161 (Concurrent execution using shared resource with improper synchronizati ...)
NOT-FOR-US: Microsoft
CVE-2026-31245 (The mem0 1.0.0 server lacks authentication and authorization controls ...)
- TODO: check
+ NOT-FOR-US: mem0
CVE-2026-31244 (The mem0 1.0.0 server lacks authentication and authorization controls ...)
- TODO: check
+ NOT-FOR-US: mem0
CVE-2026-31243 (The mem0 1.0.0 server lacks authentication and authorization controls ...)
- TODO: check
+ NOT-FOR-US: mem0
CVE-2026-31242 (The mem0 v1.0.0 server lacks authentication and authorization controls ...)
- TODO: check
+ NOT-FOR-US: mem0
CVE-2026-31241 (The mem0 1.0.0 server lacks authentication and authorization controls ...)
- TODO: check
+ NOT-FOR-US: mem0
CVE-2026-31240 (The mem0 1.0.0 server lacks authentication and authorization controls ...)
- TODO: check
+ NOT-FOR-US: mem0
CVE-2026-31239 (The mamba language model framework thru 2.2.6 is vulnerable to insecur ...)
TODO: check
CVE-2026-31238 (The Ludwig framework thru 0.10.4 is vulnerable to insecure deserializa ...)
@@ -4170,7 +4170,7 @@ CVE-2026-41256 (jq is a command-line JSON processor. In 1.8.1 and earlier, Top-l
CVE-2026-41250 (Taiga is a project management platform for startups and agile develope ...)
NOT-FOR-US: Taiga
CVE-2026-41018 (The Elasticsearch logging provider, when configured with a `host` URL ...)
- TODO: check
+ NOT-FOR-US: Elasticsearch logging provider for Airflow
CVE-2026-40636 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale version ...)
NOT-FOR-US: Dell / EMC
CVE-2026-40612 (jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains ...)
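Review bot: the added tag for CVE-2026-41018 leads with the component ("Elasticsearch logging provider for Airflow"), while the neighbouring NOT-FOR-US lines lead with the product or vendor ("Taiga", "Dell / EMC"). Leading with the product, for example "Airflow (Elasticsearch logging provider)", would make this entry sort and grep together with other Airflow entries and avoid it being read as a statement about Elasticsearch itself.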
@@ -4213,9 +4213,9 @@ CVE-2026-33356 (In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any
CVE-2026-32658 (Dell Automation Platform versions prior to 2.0.0.0, contains a missing ...)
NOT-FOR-US: Dell / EMC
CVE-2026-31254 (The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e ...)
- TODO: check
+ NOT-FOR-US: flash-attention project
CVE-2026-31253 (The flash-attention training framework thru commit e724e2588cbe754beb9 ...)
- TODO: check
+ NOT-FOR-US: flash-attention training framework
CVE-2026-31252 (CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-3 ...)
NOT-FOR-US: CosyVoice
CVE-2026-31251 (CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-3 ...)
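Review bot: the added tags for CVE-2026-31254 and CVE-2026-31253 name the same software two ways ("flash-attention project" and "flash-attention training framework"), apparently mirroring each CVE description, although both descriptions point at the same commit prefix. The CosyVoice entries in the trailing context use one bare name for every CVE; a single "NOT-FOR-US: flash-attention" on both lines would keep the entries matchable by one string.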
@@ -4225,9 +4225,9 @@ CVE-2026-31250 (CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (
CVE-2026-31249 (CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-3 ...)
NOT-FOR-US: CosyVoice
CVE-2026-31248 (Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) ...)
- TODO: check
+ NOT-FOR-US: Docling
CVE-2026-31247 (Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) ...)
- TODO: check
+ NOT-FOR-US: Docling
CVE-2026-31246 (GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-0 ...)
NOT-FOR-US: GPT-Pilot
CVE-2026-30635 (Command injection vulnerability in automagik-genie 2.5.27 MCP Server a ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd4f01498aff056d450a5304bb145d7ca46ac37c