[Git][security-tracker-team/security-tracker][master] automatic update

Mon May 18 20:13:30 BST 2026


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d7836221 by security tracker role at 2026-05-18T19:13:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,122 @@
-CVE-2026-8788
+CVE-2026-8843 (Creating a "2dsphere_bucket" index on a non-timeseries bucket collecti ...)
+	TODO: check
+CVE-2026-8836 (A vulnerability was found in lwIP up to 2.2.1. Affected is the functio ...)
+	TODO: check
+CVE-2026-8803 (A flaw has been found in opensourcepos Open Source Point of Sale up to ...)
+	TODO: check
+CVE-2026-8802 (A vulnerability was detected in opensourcepos Open Source Point of Sal ...)
+	TODO: check
+CVE-2026-7498 (Improper neutralization of input during web page generation ('cross-si ...)
+	TODO: check
+CVE-2026-7304 (SGLangs multimodal generation runtime is vulnerable to unauthenticated ...)
+	TODO: check
+CVE-2026-7302 (SGLangs multimodal generation runtime is vulnerable to an unauthentica ...)
+	TODO: check
+CVE-2026-7301 (SGLangs multimodal generation runtime scheduler's ROUTER socket binds  ...)
+	TODO: check
+CVE-2026-6902 (A vulnerability in Command-Line Client in P4 Server prior to the 2025. ...)
+	TODO: check
+CVE-2026-6347 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-6346 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-6345 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-6343 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-6342 (Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to ap ...)
+	TODO: check
+CVE-2026-6341 (Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to ha ...)
+	TODO: check
+CVE-2026-6340 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-6339 (Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validat ...)
+	TODO: check
+CVE-2026-6334 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enfo ...)
+	TODO: check
+CVE-2026-6333 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to vali ...)
+	TODO: check
+CVE-2026-5163 (Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership ...)
+	TODO: check
+CVE-2026-4643 (Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent s ...)
+	TODO: check
+CVE-2026-4320 (Authorization Bypass vulnerability in Creartia's ICMS software could a ...)
+	TODO: check
+CVE-2026-4286 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to chec ...)
+	TODO: check
+CVE-2026-4273 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to vali ...)
+	TODO: check
+CVE-2026-45829 (A pre-authentication, code injection vulnerability in version 1.0.0 or ...)
+	TODO: check
+CVE-2026-45495 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability)
+	TODO: check
+CVE-2026-45494 (Microsoft Edge (Chromium-based) Spoofing Vulnerability)
+	TODO: check
+CVE-2026-45492 (Improper input validation in Microsoft Edge (Chromium-based) allows an ...)
+	TODO: check
+CVE-2026-45243 (Summarize prior to 0.15.1 contains a missing authorization vulnerabili ...)
+	TODO: check
+CVE-2026-45242 (Summarize prior to 0.15.1 contains a path traversal vulnerability in t ...)
+	TODO: check
+CVE-2026-45231 (DumbAssets through 1.0.11 contains a stored cross-site scripting vulne ...)
+	TODO: check
+CVE-2026-45230 (DumbAssets through 1.0.11 contains a path traversal vulnerability in t ...)
+	TODO: check
+CVE-2026-42822 (Improper authentication in Azure Local Disconnected Operations allows  ...)
+	TODO: check
+CVE-2026-41949 (Dify version 1.14.1 and prior contain an authorization bypass vulnerab ...)
+	TODO: check
+CVE-2026-41948 (Dify version 1.14.1 and prior contain a path traversal vulnerability t ...)
+	TODO: check
+CVE-2026-41947 (Dify version 1.14.1 and prior contains an authorization bypass vulnera ...)
+	TODO: check
+CVE-2026-41119 (Dell Live Optics Windows and Personal Edition collectors contain an im ...)
+	TODO: check
+CVE-2026-41085 (Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privile ...)
+	TODO: check
+CVE-2026-3637 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-3495 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to esca ...)
+	TODO: check
+CVE-2026-3471 (Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent a ...)
+	TODO: check
+CVE-2026-3117 (Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to pr ...)
+	TODO: check
+CVE-2026-39079 (An issue in prestashop upsshipping all versions through at least 2.4.0 ...)
+	TODO: check
+CVE-2026-38719 (OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability  ...)
+	TODO: check
+CVE-2026-36438 (An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows  ...)
+	TODO: check
+CVE-2026-32849 (NetBSD prior to commit ec8451e contains a signed integer overflow vuln ...)
+	TODO: check
+CVE-2026-32848 (NetBSD prior to commit ec8451e contains a race condition vulnerability ...)
+	TODO: check
+CVE-2026-2325 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-29965 (HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS)  ...)
+	TODO: check
+CVE-2026-29964 (HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulne ...)
+	TODO: check
+CVE-2026-29963 (HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to im ...)
+	TODO: check
+CVE-2026-29962 (HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulne ...)
+	TODO: check
+CVE-2026-28759 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-28732 (Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 1 ...)
+	TODO: check
+CVE-2026-26462 (Offline Hospital Management System 5.3.0 allows remote code execution  ...)
+	TODO: check
+CVE-2026-20685 (An attacker in a privileged network position may be able to leak sensi ...)
+	TODO: check
+CVE-2026-0983 (Denial-of-service condition in M-Files Server versions before 26.5.160 ...)
+	TODO: check
+CVE-2025-57282 (ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.)
+	TODO: check
+CVE-2025-56352 (In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-1 ...)
+	TODO: check
+CVE-2026-8788 (Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric inje ...)
 	NOT-FOR-US: Net::Statsd::Lite Perl module
 CVE-2026-8786 (A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affecte ...)
 	NOT-FOR-US: Tencent
@@ -874,45 +992,59 @@ CVE-2023-31316 (Improperly preserved integrity of hardware configuration state d
 CVE-2023-31309 (Improper validation in Power Management Firmware (PMFW) may allow an a ...)
 	TODO: check
 CVE-2026-44068
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44068
 CVE-2026-44066
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44066
 CVE-2026-44064
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44064
 CVE-2026-44062
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44062
 CVE-2026-44060
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44060
 CVE-2026-44057
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44057
 CVE-2026-44055
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44055
 CVE-2026-44054
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44054
 CVE-2026-44052
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44052
 CVE-2026-44051
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44051
 CVE-2026-44050
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44050
 CVE-2026-44049
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44049
 CVE-2026-44048
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44048
 CVE-2026-44047
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44047
 CVE-2026-7837
@@ -988,21 +1120,27 @@ CVE-2026-44073
 	NOTE: https://netatalk.io/security/CVE-2026-44073
 	NOTE: No security impact per upstream assessment
 CVE-2026-44076
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-44076
 CVE-2026-45356
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-45356
 CVE-2026-45355
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-45355
 CVE-2026-45354
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-45354
 CVE-2026-45699
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-45699
 CVE-2026-45698
+	{DSA-6280-1}
 	- netatalk <unfixed>
 	NOTE: https://netatalk.io/security/CVE-2026-45698
 CVE-2026-8509 (Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 ...)
@@ -2398,7 +2536,7 @@ CVE-2020-37168 (Ecommerce Systempay 1.0 contains a weak cryptographic implementa
 CVE-2026-8500 (Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.  Web: ...)
 	NOT-FOR-US: Web::Passwd Perl module
 CVE-2026-42945 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ ...)
-	{DSA-6278-1}
+	{DSA-6278-1 DLA-4589-1}
 	- nginx 1.30.0-3
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/13/7
 	NOTE: https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
@@ -2406,7 +2544,7 @@ CVE-2026-42945 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx
 	NOTE: https://nginx.org/en/security_advisories.html
 	NOTE: https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686 (release-1.30.1)
 CVE-2026-42946 (A vulnerability exists in the ngx_http_scgi_moduleand ngx_http_uwsgi_m ...)
-	{DSA-6278-1}
+	{DSA-6278-1 DLA-4589-1}
 	- nginx 1.30.0-4
 	NOTE: https://my.f5.com/manage/s/article/K000161027
 	NOTE: https://nginx.org/en/security_advisories.html
@@ -2430,13 +2568,13 @@ CVE-2026-42926 (When NGINX Open Source is configured to proxy HTTP/2 traffic by
 	NOTE: https://github.com/nginx/nginx/commit/ce3362cfd5c3e1434a6151cfa585b89114389da7 (release-1.30.1)
 	NOTE: https://github.com/nginx/nginx/commit/a0e742944db64d8a547cc2e7a0ba4c2e85cd4b98 (release-1.30.1)
 CVE-2026-40701 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ ...)
-	{DSA-6278-1}
+	{DSA-6278-1 DLA-4589-1}
 	- nginx 1.30.0-4
 	NOTE: https://my.f5.com/manage/s/article/K000161021
 	NOTE: https://nginx.org/en/security_advisories.html
 	NOTE: https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1 (release-1.30.1)
 CVE-2026-42934 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ ...)
-	{DSA-6278-1}
+	{DSA-6278-1 DLA-4589-1}
 	- nginx 1.30.0-4
 	NOTE: https://my.f5.com/manage/s/article/K000161028
 	NOTE: https://nginx.org/en/security_advisories.html
@@ -3076,7 +3214,8 @@ CVE-2026-4859 (The SP Blog Designer plugin for WordPress is vulnerable to Stored
 	NOT-FOR-US: WordPress plugin
 CVE-2026-4827 (CWE\u2011331: Insufficient Entropy vulnerability exists that could lea ...)
 	NOT-FOR-US: Schneider Electric
-CVE-2026-4663 (The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing ...)
+CVE-2026-4663
+	REJECTED
 	NOT-FOR-US: WordPress plugin
 CVE-2026-4301 (The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin f ...)
 	NOT-FOR-US: WordPress plugin
@@ -6897,10 +7036,10 @@ CVE-2026-8094 (Other issue in the WebRTC component. This vulnerability was fixed
 	- thunderbird 1:140.10.2esr-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-41/#CVE-2026-8094
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-44/#CVE-2026-8094
-CVE-2026-8093 (Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs  ...)
+CVE-2026-8093 (Memory safety bugs present in Firefox 150.0.1. Some of these bugs show ...)
 	- firefox 150.0.2-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-40/#CVE-2026-8093
-CVE-2026-8092 (Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird ...)
+CVE-2026-8092 (Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10 ...)
 	{DSA-6267-1 DSA-6254-1 DLA-4582-1 DLA-4575-1}
 	- firefox 150.0.2-1
 	- firefox-esr 140.10.2esr-1
@@ -12343,7 +12482,7 @@ CVE-2026-33845 (A flaw in GnuTLS DTLS handshake parsing allows malformed fragmen
 	NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-3
 	NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1811
 	NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/e5b72c53c7d789d19d1d1cd10b275e87d0415413 (3.8.13)
-CVE-2026-42009
+CVE-2026-42009 (A flaw was found in gnutls. A remote attacker could exploit an issue i ...)
 	- gnutls28 3.8.13-1 (bug #1135319)
 	NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-2
 	NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1848
@@ -32880,6 +33019,7 @@ CVE-2026-32853 (LibVNCServer versions 0.9.15 and prior (fixed incommit 009008e)
 	NOTE: https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj
 	NOTE: Fixed by: https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931
 CVE-2026-32647 (NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_ ...)
+	{DLA-4589-1}
 	- nginx 1.28.3-1
 	[trixie] - nginx 1.26.3-3+deb13u3
 	[bookworm] - nginx 1.22.1-9+deb12u5
@@ -32910,24 +33050,28 @@ CVE-2026-28755 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx
 	NOTE: https://my.f5.com/manage/s/article/K000160368
 	NOTE: Fixed by: https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 (release-1.28.3)
 CVE-2026-28753 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_ ...)
+	{DLA-4589-1}
 	- nginx 1.28.3-1
 	[trixie] - nginx 1.26.3-3+deb13u3
 	[bookworm] - nginx 1.22.1-9+deb12u5
 	NOTE: https://my.f5.com/manage/s/article/K000160367
 	NOTE: Fixed by: https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f (release-1.28.3)
 CVE-2026-27784 (The 32-bit implementation of NGINX Open Source has a vulnerability in  ...)
+	{DLA-4589-1}
 	- nginx 1.28.3-1
 	[trixie] - nginx 1.26.3-3+deb13u3
 	[bookworm] - nginx 1.22.1-9+deb12u5
 	NOTE: https://my.f5.com/manage/s/article/K000160364
 	NOTE: Fixed by: https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018 (release-1.28.3)
 CVE-2026-27654 (NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_ ...)
+	{DLA-4589-1}
 	- nginx 1.28.3-1
 	[trixie] - nginx 1.26.3-3+deb13u3
 	[bookworm] - nginx 1.22.1-9+deb12u5
 	NOTE: https://my.f5.com/manage/s/article/K000160382
 	NOTE: Fixed by: https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82 (release-1.28.3)
 CVE-2026-27651 (When the ngx_mail_auth_http_modulemodule is enabled on NGINX Plus or N ...)
+	{DLA-4589-1}
 	- nginx 1.28.3-1
 	[trixie] - nginx 1.26.3-3+deb13u3
 	[bookworm] - nginx 1.22.1-9+deb12u5
@@ -54507,7 +54651,7 @@ CVE-2026-20098 (A vulnerability in the Certificate Management feature of Cisco M
 CVE-2026-20056 (A vulnerability in the Dynamic Vectoring and Streaming (DVS) Engine im ...)
 	NOT-FOR-US: Cisco
 CVE-2026-1642 (A vulnerability exists in NGINX OSS and NGINX Plus when configured to  ...)
-	{DSA-6131-1}
+	{DSA-6131-1 DLA-4589-1}
 	- nginx 1.28.1-3 (bug #1127053)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/02/05/1
 	NOTE: https://my.f5.com/manage/s/article/K000159824
@@ -121031,6 +121175,7 @@ CVE-2024-12303 (An issue has been discovered in GitLab CE/EE affecting all versi
 CVE-2024-10219 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...)
 	- gitlab <unfixed>
 CVE-2025-53859 (NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_ ...)
+	{DLA-4589-1}
 	[experimental] - nginx 1.28.0-2
 	- nginx 1.28.0-3 (bug #1111138)
 	[trixie] - nginx 1.26.3-3+deb13u1
@@ -352280,8 +352425,8 @@ CVE-2023-24217 (AgileBio Electronic Lab Notebook v4.234 was discovered to contai
 	NOT-FOR-US: AgileBio Electronic Lab Notebook
 CVE-2023-24216
 	RESERVED
-CVE-2023-24215
-	RESERVED
+CVE-2023-24215 (Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G ...)
+	TODO: check
 CVE-2023-24214
 	RESERVED
 CVE-2023-24213



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d783622123c2ad5b12ff1c12047cadfb419b63fd

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d783622123c2ad5b12ff1c12047cadfb419b63fd
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260518/95db0295/attachment-0001.htm>
