[Git][security-tracker-team/security-tracker][master] automatic NOT-FOR-US entries update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed May 20 08:14:00 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ae820c1f by security tracker role at 2026-05-20T07:13:55+00:00
automatic NOT-FOR-US entries update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3,33 +3,33 @@ CVE-2026-9057 (A broken access control issue has been identified in the Talend A
CVE-2026-9056 (A stored cross-site scripting vulnerability has been found in the Tale ...)
TODO: check
CVE-2026-9010 (The Boost plugin for WordPress is vulnerable to time-based SQL Injecti ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-9003 (E-LAN Hybrid Recording System developed by TONNET has a SQL Injection ...)
TODO: check
CVE-2026-8922 (A flaw was found in Keycloak. When both realm-level and client-level ` ...)
TODO: check
CVE-2026-8912 (The Contest Gallery plugin for WordPress is vulnerable to SQL Injectio ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8827 (The AddressRepository::getSqlQuery() method constructs a database quer ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-8727 (The Crawler extension passes the X-T3Crawler-Meta response header from ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-8726 (The extension fails to properly sanitize user input before using it in ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-8711 (NGINX JavaScript has a vulnerability when the js_fetch_proxydirective ...)
TODO: check
CVE-2026-8706 (Firefox for iOS hosted Reader mode on an unauthenticated local web ser ...)
TODO: check
CVE-2026-8685 (The Infility Global plugin for WordPress is vulnerable to SQL Injectio ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8627 (The Correct Prices plugin for WordPress is vulnerable to Reflected Cro ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8626 (The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Si ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8624 (The LJ comments import: reloaded plugin for WordPress is vulnerable to ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8610 (The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8605 (In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerabilit ...)
TODO: check
CVE-2026-8604 (In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker ...)
@@ -39,113 +39,113 @@ CVE-2026-8603 (In ScadaBR version 1.2.0, an OS Command Injection vulnerability c
CVE-2026-8602 (In ScadaBR version 1.2.0, a Missing Authentication for Critical Functi ...)
TODO: check
CVE-2026-8495 (Missing Authorization vulnerability in Drupal Date iCal allows Forcefu ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-8493 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-8492 (Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-8491 (Improper Check for Unusual or Exceptional Conditions vulnerability in ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-8424 (The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Si ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8423 (The JaviBola Custom Theme Test plugin for WordPress is vulnerable to C ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8420 (The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-S ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8419 (The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Re ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8418 (The Games Catalog plugin for WordPress is vulnerable to Cross-Site Req ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8370 (Execution with unnecessary privileges vulnerability in Broadcom Automi ...)
- TODO: check
+ NOT-FOR-US: Broadcom
CVE-2026-8096 (The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer p ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8073 (The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer p ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-8038 (The Faces of Users plugin for WordPress is vulnerable to Stored Cross- ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-7860 (A possible information disclosure vulnerability exists in the Vaadin M ...)
TODO: check
CVE-2026-7637 (The Boost plugin for WordPress is vulnerable to PHP Object Injection i ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-7571 (A flaw was found in Keycloak. A low-privilege user, with knowledge of ...)
TODO: check
CVE-2026-7522 (The Advanced Database Cleaner \u2013 Premium plugin for WordPress is v ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-7507 (A session fixation vulnerability was found in Keycloak's login-actions ...)
TODO: check
CVE-2026-7504 (A flaw was found in Keycloak's URL validation logic during redirect op ...)
TODO: check
CVE-2026-7472 (The Read More & Accordion plugin for WordPress is vulnerable to time-b ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-7467 (The Read More & Accordion plugin for WordPress is vulnerable to Privil ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-7462 (The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cr ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-7460 (mailcow-dockerized contains a stored cross-site scripting vulnerabilit ...)
TODO: check
CVE-2026-7385 (The Decent Comments WordPress plugin before 3.0.2 does not restrict ac ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-7307 (A flaw was found in Keycloak. A remote, unauthenticated attacker can s ...)
TODO: check
CVE-2026-7284 (The Easy Elements for Elementor \u2013 Addons & Website Templates plug ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6871 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-6566 (The Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6555 (The ProSolution WP Client plugin for WordPress is vulnerable to Arbitr ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6549 (The Logo Manager For Enamad plugin for WordPress is vulnerable to Stor ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6456 (The Account Switcher plugin for WordPress is vulnerable to Privilege E ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6452 (The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6404 (The Anomify AI \u2013 Anomaly Detection and Alerting plugin for WordPr ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6401 (The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Reques ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6400 (The Child Height Predictor by Ostheimer plugin for WordPress is vulner ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6399 (The General Options plugin for WordPress is vulnerable to Stored Cross ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6397 (The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scr ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6395 (The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Reque ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6394 (The Nexa Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg Ed ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6391 (The Sentence To SEO (keywords, description and tags) plugin for WordPr ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6367 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-6366 (Improperly Controlled Modification of Dynamically-Determined Object At ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-6365 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-6354
REJECTED
CVE-2026-6095 (Improper Neutralization of Input During Web Page Generation ("Cross-si ...)
- TODO: check
+ NOT-FOR-US: Drupal core and addons
CVE-2026-6072 (The Oliver POS \u2013 A WooCommerce Point of Sale (POS) plugin for Wor ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-6009 (Java Deserialisation Vulnerability in Jaspersoft Reports Library leads ...)
TODO: check
CVE-2026-5804 (An improper authentication vulnerability was discovered in the Motorol ...)
- TODO: check
+ NOT-FOR-US: Lenovo
CVE-2026-5776 (The Email Encoder WordPress plugin before 2.4.7 does not escape email ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-5511 (In the web management interface of Archer AX72 (SG) v1, the network di ...)
- TODO: check
+ NOT-FOR-US: TPLink
CVE-2026-5293 (The \u8a3a\u65ad\u30b8\u30a7\u30cd\u30ec\u30fc\u30bf\u4f5c\u6210\u30d7 ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-5075 (The All in One SEO plugin for WordPress is vulnerable to Sensitive Inf ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-4885 (The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerabl ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-4883 (The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-4630 (A flaw was found in Keycloak. An authenticated client could exploit an ...)
TODO: check
CVE-2026-47784 (In memcached before 1.6.42, password data for SASL password database a ...)
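Review bot: the new `NOT-FOR-US: WordPress plugin` line for CVE-2026-5293 cannot be confirmed from the description shown; the visible part of that entry is only escaped non-ASCII text (`\u8a3a\u65ad\u30b8...`) with no mention of WordPress in the truncated portion, so this one is worth opening in full before it is treated as triaged rather than relying on the automatic keyword match.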
@@ -159,7 +159,7 @@ CVE-2026-47357 (Terrascan v1.18.3 and prior are vulnerable to Server-Side Reques
CVE-2026-47356 (Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forg ...)
TODO: check
CVE-2026-47323 (Camel-CXF and Camel-Knative Message Header Injection via Missing Inbou ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-47317 (Uncontrolled Recursion vulnerability in Samsung Open Source Escargot a ...)
TODO: check
CVE-2026-47316 (Improper Check or Handling of Exceptional Conditions vulnerability in ...)
@@ -177,29 +177,29 @@ CVE-2026-47107 (Windmill prior to 1.703.2 contains an incorrect default permissi
CVE-2026-47100 (Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a m ...)
TODO: check
CVE-2026-46725 (The extension passes an attacker-controlled cookie directly to PHP's u ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-46724 (The file indexer does not normalize the configured directory path. A b ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-46723 (The additional_tables configuration of the page and tt_content indexer ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-46722 (The OOXML parsing of the file indexer does not disable external entity ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-46721 (The create and edit flows do not restrict which user properties may be ...)
- TODO: check
+ NOT-FOR-US: TYPO3 (core or extensions)
CVE-2026-46586 (Improper Control of Generation of Code ('Code Injection'), Improper Ne ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-45585 (Microsoft is aware of a security feature bypass vulnerability in Windo ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2026-45557 (Technitium DNS Server aggressively tries to fetch missing RRSIG record ...)
TODO: check
CVE-2026-45442 (Missing Authorization vulnerability in Brainstorm Force Presto Player ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin or theme
CVE-2026-45434 (Improper Authentication vulnerability in Apache OFBiz via Password-Cha ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-45187 (Improper Authorization vulnerability in Apache OFBiz Webtools. This i ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-44408 (There is an unauthorized access vulnerability in ZTE MU5250. Due to im ...)
- TODO: check
+ NOT-FOR-US: ZTE
CVE-2026-44392 (Missing authorization vulnerability exists in Movable Type. Under cert ...)
TODO: check
CVE-2026-44159 (Tyler Identity Local (TID-L) uses documented, default administrative c ...)
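Review bot: the label `NOT-FOR-US: WordPress plugin or theme` for CVE-2026-45442 differs from the `NOT-FOR-US: WordPress plugin` wording used for every other WordPress entry in this patch; if the broader wording is intentional because the truncated description ("Brainstorm Force Presto Player ...") does not say whether it is a plugin or a theme, fine, otherwise harmonise it with the other entries so grep-based tooling over data/CVE/list matches consistently.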
@@ -221,11 +221,11 @@ CVE-2026-42097 (Sparx Pro Cloud Serverrequires authentication based on requested
CVE-2026-42096 (Sparx Pro Cloud Server is vulnerable to Broken Access Control within c ...)
TODO: check
CVE-2026-41919 (Improper Neutralization of Special Elements used in an LDAP Query ('LD ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-41470 (LIVE555 before 2026.04.22 contains an authorization bypass vulnerabili ...)
TODO: check
CVE-2026-3985 (The Creative Mail \u2013 Easier WordPress & WooCommerce Email Marketin ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-39309 (Trilium Notes is a cross-platform, hierarchical note taking applicatio ...)
TODO: check
CVE-2026-39250 (An authorization vulnerability exists in Innoshop 0.6.0. After logging ...)
@@ -249,7 +249,7 @@ CVE-2026-36827 (A command injection vulnerability exists in Panabit PAP-XM320 up
CVE-2026-35593 (Trilium Notes is an open-source, cross-platform hierarchical note taki ...)
TODO: check
CVE-2026-35086 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-34970 (Mantis Bug Tracker (MantisBT) is an open source issue tracker. Version ...)
TODO: check
CVE-2026-34883 (An issue was discovered in the Portrait Dell Color Management applicat ...)
@@ -279,7 +279,7 @@ CVE-2026-34233 (CtrlPanel is open-source billing software for hosting providers.
CVE-2026-34216 (CtrlPanel is open-source billing software for hosting providers. In ve ...)
TODO: check
CVE-2026-34154 (Discourse is an open-source discussion platform. In versions prior to ...)
- TODO: check
+ NOT-FOR-US: Discourse
CVE-2026-33741 (EspoCRM is an open source customer relationship management application ...)
TODO: check
CVE-2026-33642 (Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and b ...)
@@ -303,23 +303,23 @@ CVE-2026-32738 (libheif is a HEIF and AVIF file format decoder and encoder. In v
CVE-2026-32134 (NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. ...)
TODO: check
CVE-2026-31986 (Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. Th ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31910 (Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. Thi ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31909 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31906 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31388 (Improper Access Control vulnerability in Apache OFBiz in multi-tenant ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31387 (Improper Authentication vulnerability in Apache OFBiz. This issue aff ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31380 (Improper Neutralization of Special Elements used in an Expression Lang ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31379 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31378 (Improper Input Validation vulnerability in Apache OFBiz. This issue a ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-31072 (The JSONSerializer and CBORSerializer in APScheduler (all versions inc ...)
TODO: check
CVE-2026-31071 (API endpoints in LalanaChami Pharmacy Management System (commit 5c3d02 ...)
@@ -333,37 +333,37 @@ CVE-2026-30118 (scalar/astro v0.1.13 was discovered to contain a Server-Side Req
CVE-2026-30117 (scalar/astro v0.1.13 was discovered to contain an arbitrary file uploa ...)
TODO: check
CVE-2026-2955 (The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is v ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2026-2611 (In MLflow version 3.9.0, the MLflow Assistant feature introduced impro ...)
- TODO: check
+ NOT-FOR-US: mlflow
CVE-2026-2587 (A critical Remote Code Execution (RCE) vulnerability was identified in ...)
- TODO: check
+ NOT-FOR-US: Eclipse
CVE-2026-2586 (An authenticated Remote Code Execution (RCE) vulnerability was identif ...)
- TODO: check
+ NOT-FOR-US: Eclipse
CVE-2026-29226 (Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via C ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-29220 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-29207 (Improper Neutralization of Special Elements Used in a Template Engine ...)
- TODO: check
+ NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-27173 (JWT tokens that were used by workers in Kubernetes Executors have been ...)
TODO: check
CVE-2026-24215 (NVIDIA Triton Inference Server contains a vulnerability in the DALI ba ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24214 (NVIDIA Triton Inference Server contains a vulnerability in the DALI ba ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24213 (NVIDIA Triton Inference Server contains a vulnerability in the DALI ba ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24210 (NVIDIA Triton Inference Server contains a vulnerability where an attac ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24209 (NVIDIA Triton Inference Server contains a vulnerability where an attac ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24208 (NVIDIA Triton Inference Server contains a vulnerability where an attac ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24207 (NVIDIA Triton Inference Server contains a vulnerability where an attac ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24206 (NVIDIA Triton Inference Server contains a vulnerability where an attac ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2026-24163 (NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testin ...)
TODO: check
CVE-2026-24160 (NVIDIA TRT-LLM for any platform contains a vulnerability where an atta ...)
@@ -393,7 +393,7 @@ CVE-2025-33255 (NVIDIA TRT-LLM for any platform contains a vulnerability in MPI
CVE-2025-15645 (Ledger Nano X, Flex, and Stax devices contain a denial of service vuln ...)
TODO: check
CVE-2025-15369 (The Xpro Addons \u2014 140+ Widgets for Elementor plugin for WordPress ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2025-14575 (An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS b ...)
TODO: check
CVE-2024-36343 (Improper input validation in the System Management Mode (SMM) communic ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae820c1f22b2783ee2a1bbf4e0b0e89c2b5c890b