[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue May 19 08:13:40 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2d4facbd by security tracker role at 2026-05-19T07:13:08+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,101 @@
+CVE-2026-8851 (SOGo 5.12.7 contains a SQL injection vulnerability in the Access Contr ...)
+ TODO: check
+CVE-2026-8838 (Unsafe use of Python's eval() on server-received data in the vector_in ...)
+ TODO: check
+CVE-2026-8830 (A flaw was found in Keycloak. An authenticated user can bypass configu ...)
+ TODO: check
+CVE-2026-8814 (Versions of the package exifreader before 4.39.0 are vulnerable to Imp ...)
+ TODO: check
+CVE-2026-8813 (This affects versions of the package exifreader before 4.39.0. A craft ...)
+ TODO: check
+CVE-2026-4137 (In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_ ...)
+ TODO: check
+CVE-2026-47311 (Heap-based buffer overflow vulnerability in Samsung Open Source Escarg ...)
+ TODO: check
+CVE-2026-47310 (Use after free vulnerability in Samsung Open Source Escargot allows Po ...)
+ TODO: check
+CVE-2026-47309 (Uncontrolled Recursion vulnerability in Samsung Open Source Escargot a ...)
+ TODO: check
+CVE-2026-47308 (NULL pointer dereference vulnerability in Samsung Open Source Walrus a ...)
+ TODO: check
+CVE-2026-47307 (NULL pointer dereference vulnerability in Samsung Open Source Walrus a ...)
+ TODO: check
+CVE-2026-47092 (Claude HUD through 0.0.12, patched in commit 234d9aa, contains a comma ...)
+ TODO: check
+CVE-2026-47091 (Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path ...)
+ TODO: check
+CVE-2026-47090 (Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 ...)
+ TODO: check
+CVE-2026-45246 (Summarize prior to 0.15.1 contains an insecure file permission vulnera ...)
+ TODO: check
+CVE-2026-45245 (Summarize prior to 0.15.1 contains a vulnerability in the hover summar ...)
+ TODO: check
+CVE-2026-45244 (Summarize prior to 0.15.1 contains a missing authorization vulnerabili ...)
+ TODO: check
+CVE-2026-33565 (in OpenHarmony v6.0 and prior versions allow a local attacker cause DO ...)
+ TODO: check
+CVE-2026-33514 (Discourse is an open-source discussion platform. In versions prior to ...)
+ TODO: check
+CVE-2026-33234 (AutoGPT is a workflow automation platform for creating, deploying, and ...)
+ TODO: check
+CVE-2026-33233 (AutoGPT is a workflow automation platform for creating, deploying, and ...)
+ TODO: check
+CVE-2026-33232 (AutoGPT is a workflow automation platform for creating, deploying, and ...)
+ TODO: check
+CVE-2026-33052 (Mantis Bug Tracker (MantisBT) is an open source issue tracker. Version ...)
+ TODO: check
+CVE-2026-32994 (The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0 ...)
+ TODO: check
+CVE-2026-32323 (Mullvad VPN is a VPN client app for desktop and mobile. When using mac ...)
+ TODO: check
+CVE-2026-32312 (GLPI is a free asset and IT management software package. In versions 1 ...)
+ TODO: check
+CVE-2026-32244 (Discourse is an open-source discussion platform. In versions prior to ...)
+ TODO: check
+CVE-2026-30950 (AutoGPT is a workflow automation platform for creating, deploying, and ...)
+ TODO: check
+CVE-2026-28751 (in OpenHarmony v6.0 and prior versions allow a local attacker cause DO ...)
+ TODO: check
+CVE-2026-28733 (in OpenHarmony v6.0 and prior versions allow a local attacker arbitrar ...)
+ TODO: check
+CVE-2026-27964 (FacturaScripts is an open source accounting and invoicing software. Ve ...)
+ TODO: check
+CVE-2026-27892 (FacturaScripts is an open source accounting and invoicing software. In ...)
+ TODO: check
+CVE-2026-27891 (FacturaScripts is an open source accounting and invoicing software. Ve ...)
+ TODO: check
+CVE-2026-27781 (in OpenHarmony v6.0 and prior versions allow a local attacker cause DO ...)
+ TODO: check
+CVE-2026-27766 (in OpenHarmony v6.0 and prior versions allow a local attacker cause in ...)
+ TODO: check
+CVE-2026-27737 (BigBlueButton is an open-source virtual classroom. In versions prior t ...)
+ TODO: check
+CVE-2026-27648 (in OpenHarmony v6.0 and prior versions allow a remote attacker arbitra ...)
+ TODO: check
+CVE-2026-27130 (Dokploy is a free, self-hostable Platform as a Service (PaaS). Version ...)
+ TODO: check
+CVE-2026-26978 (FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6 ...)
+ TODO: check
+CVE-2026-25850 (in OpenHarmony v6.0 and prior versions allow a local attacker cause in ...)
+ TODO: check
+CVE-2026-25781 (in OpenHarmony v6.0 and prior versions allow a local attacker cause DO ...)
+ TODO: check
+CVE-2026-25244 (WebdriverIO is a test automation framework for unit, e2e and component ...)
+ TODO: check
+CVE-2026-25110 (in OpenHarmony v6.0 and prior versions allow a local attacker cause DO ...)
+ TODO: check
+CVE-2026-24792 (in OpenHarmony v6.0 and prior versions allow a remote attacker arbitra ...)
+ TODO: check
+CVE-2026-22810 (Joplin is an open source note-taking and to-do application that organi ...)
+ TODO: check
+CVE-2026-22069 (A local privilege escalation vulnerability exists in O+ Connect becaus ...)
+ TODO: check
+CVE-2026-21789 (HCL Connections contains a broken access control vulnerability that ma ...)
+ TODO: check
+CVE-2025-65954 (SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in t ...)
+ TODO: check
+CVE-2025-15609 (The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sens ...)
+ TODO: check
CVE-2026-45137
NOT-FOR-US: Rust anchor-lang
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0144.html
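Review bot: all 49 new entries in this hunk land with the bare "TODO: check" placeholder and no package line, so nothing here is triaged yet; the ones to resolve first are those naming software with a Debian package, such as SOGo (CVE-2026-8851, SQL injection) and GLPI (CVE-2026-32312), since the many OpenHarmony and WordPress-plugin entries follow the pattern that later hunks in this same diff already resolve as NOT-FOR-US (CVE-2025-14868, CVE-2025-13364). Several groups share one upstream fix and can be triaged together: CVE-2026-8814/8813 (exifreader before 4.39.0), CVE-2026-47092/47091/47090 (Claude HUD, commit 234d9aa), CVE-2026-45246/45245/45244 (Summarize 0.15.1) and CVE-2026-47311/47310/47309 (Samsung Escargot).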
@@ -6669,7 +6767,7 @@ CVE-2026-7263 (In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNo
- php7.4 <not-affected> (Only affects 8.4 and later)
NOTE: https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733
NOTE: https://github.com/php/php-src/commit/d43c523c48960e9ca0bf9c747e9bad8e5121edff
-CVE-2026-8149 (A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on ...)
+CVE-2026-8149 (A vulnerability in Legion of the Bouncy Castle Inc. BC-LTS on Linux, X ...)
NOT-FOR-US: FIPS provider for Bouncycastle, not part of the Debian package for Bouncycastle
CVE-2026-8148 (NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local atta ...)
NOT-FOR-US: NAVER MYBOX Explorer for Windows
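Review bot: the updated description for CVE-2026-8149 now names BC-LTS rather than BC-FJA BC-FIPS, but the unchanged line below it still justifies NOT-FOR-US as "FIPS provider for Bouncycastle, not part of the Debian package for Bouncycastle"; BC-LTS is a different Bouncy Castle distribution from the FIPS one, so the rationale no longer matches the record and should be re-checked against the Debian bouncycastle source and reworded, e.g. "NOT-FOR-US: Bouncycastle LTS distribution, not part of the Debian package for Bouncycastle".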
@@ -19740,7 +19838,7 @@ CVE-2025-15610 (The .NET Remoting framework used by OpenText Fax (RightFax) incl
NOT-FOR-US: OpenText
CVE-2025-14868 (The Career Section plugin for WordPress is vulnerable to Cross-Site Re ...)
NOT-FOR-US: WordPress plugin
-CVE-2025-14813 (Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legi ...)
+CVE-2025-14813 (: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Le ...)
NOT-FOR-US: Sparx
CVE-2025-13364 (The WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,List ...)
NOT-FOR-US: WordPress plugin
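Review bot: the regenerated description for CVE-2025-14813 now begins with a stray ": " before "Use of a Broken or Risky Cryptographic Algorithm", so the automatic update has imported a malformed leading separator from the upstream CVE record rather than a real wording change; the "NOT-FOR-US: Sparx" triage is unaffected, but the artifact is worth reporting to the CNA, since the tracker will keep re-importing it on every sync.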
@@ -38313,6 +38411,7 @@ CVE-2026-26954 (SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, i
CVE-2026-24097 (Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0 ...)
- check-mk <removed>
CVE-2026-23943 (Improper Handling of Highly Compressed Data (Compression Bomb) vulnera ...)
+ {DLA-4590-1}
- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
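Review bot: the {DLA-4590-1} marker is added to CVE-2026-23943 while the context lines still show "[bookworm] - erlang <no-dsa> (Minor issue)" and trixie fixed in 1:27.3.4.1+dfsg-1+deb13u2; that is consistent only if the DLA targets the LTS suite below bookworm, so please confirm the DLA's suite and, if it is bookworm, replace the <no-dsa> line with the fixed version, since the "Minor issue" status there would then be stale. The same check applies to the identical marker added for CVE-2026-23942, CVE-2026-23941 and CVE-2026-21620 in the later hunks.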
@@ -38321,6 +38420,7 @@ CVE-2026-23943 (Improper Handling of Highly Compressed Data (Compression Bomb) v
NOTE: Fixed by: https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3 (OTP-27.3.4.9)
NOTE: Fixed by: https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4 (OTP-26.2.5.18)
CVE-2026-23942 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ {DLA-4590-1}
- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
@@ -38329,6 +38429,7 @@ CVE-2026-23942 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
NOTE: Fixed by: https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28 (OTP-27.3.4.9)
NOTE: Fixed by: https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759 (OTP-26.2.5.18)
CVE-2026-23941 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...)
+ {DLA-4590-1}
- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
@@ -47690,6 +47791,7 @@ CVE-2026-22341 (Authentication Bypass Using an Alternate Path or Channel vulnera
CVE-2026-21627 (The vulnerability was rooted in how the Tassos Framework plugin handle ...)
NOT-FOR-US: Joomla
CVE-2026-21620 (Relative Path Traversal, Improper Isolation or Compartmentalization vu ...)
+ {DLA-4590-1}
- erlang 1:27.3.4.8+dfsg-1 (bug #1128651)
[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
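Review bot: CVE-2026-21620 gets the same {DLA-4590-1} marker as the three CVE-2026-2394x entries even though its unstable fix is the earlier 1:27.3.4.8+dfsg-1 (bug #1128651) rather than 1:27.3.4.9+dfsg-1 (bug #1130912); that is fine for a single LTS upload covering both upstream point releases, but worth confirming that the DLA text actually lists all four CVE ids so that the marker and the announcement agree.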
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d4facbde943560f181ae3c33473476ec412d85b
--
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
More information about the debian-security-tracker-commits mailing list