[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri May 22 08:12:54 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d3c74b37 by security tracker role at 2026-05-22T07:12:46+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,168 @@
-CVE-2026-5091
+CVE-2026-9264 (A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic ...)
+ TODO: check
+CVE-2026-9104 (The Draft List plugin for WordPress is vulnerable to Stored Cross-Site ...)
+ TODO: check
+CVE-2026-9054 (An attacker sending tcp, il, rudp, rudp, or gre packets with a length ...)
+ TODO: check
+CVE-2026-9053 (Mothra would respect a default value given by a website for HTML file ...)
+ TODO: check
+CVE-2026-9018 (The Easy Elements for Elementor \u2013 Addons & Website Templates plug ...)
+ TODO: check
+CVE-2026-8435 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8434 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8433 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8432 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8428 (Concrete CMS 9.5.0 and below emits a CSRF token in the local_available ...)
+ TODO: check
+CVE-2026-8427 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8426 (Concrete CMS 9.5.0 and below does not validate a CSRF token before pro ...)
+ TODO: check
+CVE-2026-8421 (Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the inst ...)
+ TODO: check
+CVE-2026-8417 (Concrete CMS 9.5.0 and below does not validate a CSRF token before pro ...)
+ TODO: check
+CVE-2026-8416 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8415 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8414 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8413 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8412 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8411 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8410 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8409 (Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forger ...)
+ TODO: check
+CVE-2026-8352
+ REJECTED
+CVE-2026-8350 (Concrete CMS 9.5.0 and below is vulnerable to missing authorization in ...)
+ TODO: check
+CVE-2026-8337 (Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys.To be vu ...)
+ TODO: check
+CVE-2026-8327 (Concrete CMS below 9.5.0 and below is vulnerable to password change wi ...)
+ TODO: check
+CVE-2026-8245 (Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy ...)
+ TODO: check
+CVE-2026-8240 (Concrete CMS 9.5.0 and below isvulnerable to unauthenticated page meta ...)
+ TODO: check
+CVE-2026-8239 (Concrete CMS 9.5.0 and below is vulnerable to IDOR.The'/ccm/frontend/c ...)
+ TODO: check
+CVE-2026-8238 (Concrete CMS 9.5.0 and below is vulnerable to IDOR.The'/ccm/frontend/c ...)
+ TODO: check
+CVE-2026-8237 (Concrete CMS 9.5.0 and below is vulnerable to IDOR.The `/ccm/frontend/ ...)
+ TODO: check
+CVE-2026-8236 (Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a mis ...)
+ TODO: check
+CVE-2026-8205 (Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in ...)
+ TODO: check
+CVE-2026-8204 (Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in ...)
+ TODO: check
+CVE-2026-8203 (Concrete CMS 9.5.0 and below has Stored XSS on the height parameter.Th ...)
+ TODO: check
+CVE-2026-8197 (Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth int ...)
+ TODO: check
+CVE-2026-8140 (Concrete CMS 9.5.0 and below does not validate a CSRF token before pro ...)
+ TODO: check
+CVE-2026-8139 (Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external- ...)
+ TODO: check
+CVE-2026-8135 (Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution d ...)
+ TODO: check
+CVE-2026-8134 (Concrete CMS 9.5.0 and below fails to sanitize path traversal sequence ...)
+ TODO: check
+CVE-2026-7890 (In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a fee ...)
+ TODO: check
+CVE-2026-7887 (For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler ...)
+ TODO: check
+CVE-2026-7886 (Concrete CMS 9.5.0 and below is vulnerable toIDOR in AddMessage/Update ...)
+ TODO: check
+CVE-2026-7882 (Concrete CMS 9.5.0 and below is vulnerable to unauthorized file delet ...)
+ TODO: check
+CVE-2026-7881 (Concrete CMS 9.5.0 and below is subject toInsecure Direct Object Refer ...)
+ TODO: check
+CVE-2026-7879 (In Concrete CMS 9.5.0 and below, the submit_password() method in concr ...)
+ TODO: check
+CVE-2026-7509 (The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Si ...)
+ TODO: check
+CVE-2026-7249 (The Location Weather plugin for WordPress is vulnerable to unauthorize ...)
+ TODO: check
+CVE-2026-6960 (The BookingPress Pro plugin for WordPress is vulnerable to arbitrary f ...)
+ TODO: check
+CVE-2026-6864 (The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to R ...)
+ TODO: check
+CVE-2026-6826 (Concrete CMS 9.5.0 and below is vulnerable tounauthenticated file usag ...)
+ TODO: check
+CVE-2026-5297
+ REJECTED
+CVE-2026-4929 (Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scri ...)
+ TODO: check
+CVE-2026-4843 (The GSheet For Woo Importer plugin for WordPress is vulnerable to unau ...)
+ TODO: check
+CVE-2026-4834 (The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via ...)
+ TODO: check
+CVE-2026-4093 (In the Drupal 7 Term Reference Tree module, two stored XSS vectors exi ...)
+ TODO: check
+CVE-2026-4070 (The Alfie \u2013 Feed Plugin plugin for WordPress is vulnerable to Cro ...)
+ TODO: check
+CVE-2026-47114 (IINA before 1.4.3 contains a user-assisted command execution vulnerabi ...)
+ TODO: check
+CVE-2026-47102 (LiteLLM prior to 1.83.10 allows a user to modify their own user_role v ...)
+ TODO: check
+CVE-2026-47101 (LiteLLM prior to 1.83.14 allows an authenticated internal_user to crea ...)
+ TODO: check
+CVE-2026-46598 (For certain crafted inputs, a 'ed25519.PrivateKey' was created by cast ...)
+ TODO: check
+CVE-2026-46597 (An incorrectly placed cast from bytes to int allowed for server-side p ...)
+ TODO: check
+CVE-2026-46595 (Previously, CVE-2024-45337 fixed an authorization bypass for misused s ...)
+ TODO: check
+CVE-2026-44409 (There is an an information disclosure vulnerability in ZTE MU5250. Due ...)
+ TODO: check
+CVE-2026-42508 (Previously, a revoked 'SignatureKey' belonging to a CA was not correct ...)
+ TODO: check
+CVE-2026-3481 (The WP Blockade plugin for WordPress is vulnerable to Reflected Cross- ...)
+ TODO: check
+CVE-2026-39835 (SSH servers which use CertChecker as a public key callback without set ...)
+ TODO: check
+CVE-2026-39834 (When writing data larger than 4GB in a single Write call on an SSH cha ...)
+ TODO: check
+CVE-2026-39833 (The in-memory keyring returned by NewKeyring() silently accepted keys ...)
+ TODO: check
+CVE-2026-39832 (When adding a key to a remote agent constraint extensions such as rest ...)
+ TODO: check
+CVE-2026-39831 (The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nis ...)
+ TODO: check
+CVE-2026-39830 (A malicious SSH peer could send unsolicited global request responses t ...)
+ TODO: check
+CVE-2026-39829 (The RSA and DSA public key parsers did not enforce size limits on key ...)
+ TODO: check
+CVE-2026-39828 (When an SSH server authentication callback returned PartialSuccessErro ...)
+ TODO: check
+CVE-2026-39827 (An authenticated SSH client that repeatedly opened channels which were ...)
+ TODO: check
+CVE-2026-34911 (A malicious actor with access to the network and low privileges could ...)
+ TODO: check
+CVE-2026-34910 (A malicious actor with access to the network could exploit an Improper ...)
+ TODO: check
+CVE-2026-34909 (A malicious actor with access to the network could exploit a Path Trav ...)
+ TODO: check
+CVE-2026-34908 (A malicious actor with access to the network could exploit an Improper ...)
+ TODO: check
+CVE-2026-33000 (A malicious actor with access to the network and high privileges could ...)
+ TODO: check
+CVE-2026-2518 (The FastX theme for WordPress is vulnerable to unauthorized limited pl ...)
+ TODO: check
+CVE-2026-22678 (Webmin before 2.641 contains a stored cross-site scripting vulnerabili ...)
+ TODO: check
+CVE-2026-5091 (Catalyst::Plugin::Authentication versions through 0.10024 for Perl is ...)
- libcatalyst-plugin-authentication-perl <unfixed>
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40281889/
NOTE: https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e (v0.10_025)
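Review bot: CVE-2026-46598, CVE-2026-46597, CVE-2026-46595 and CVE-2026-39835 through CVE-2026-39827 should be triaged as one batch rather than left as eleven independent `TODO: check` lines, since their descriptions all name the same SSH library (CertChecker, NewKeyring(), PartialSuccessError and the reference to CVE-2024-45337 are golang.org/x/crypto/ssh identifiers). The same applies to the run of Concrete CMS 9.5.0 entries, which share one upstream and can be resolved with a single decision. The re-added `CVE-2026-5091 (Catalyst::Plugin::Authentication ...)` line keeps its existing `- libcatalyst-plugin-authentication-perl <unfixed>` line and both NOTE references, which is the expected shape when the importer fills in a previously description-less entry.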
@@ -17603,10 +17767,12 @@ CVE-2025-36074 (IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.
CVE-2025-10549 (EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnera ...)
NOT-FOR-US: EfficientLab Controlio
CVE-2026-40215
+ {DSA-6289-1}
- openvpn 2.7.2-1
NOTE: https://community.openvpn.net/Security%20Announcements/CVE-2026-40215
NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/4a2c827c2536aa03a1d6c7cc916689a46c067187 (v2.7.2)
CVE-2026-35058
+ {DSA-6289-1}
- openvpn 2.7.2-1
NOTE: https://community.openvpn.net/Security%20Announcements/CVE-2026-35058
NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/607e2fcb9cbcff785abfa372c7a59029767b5ed9 (v2.7.2)
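Review bot: the two openvpn entries are now consistent with each other, both citing DSA-6289-1 above the same `- openvpn 2.7.2-1` fixed version and upstream commits tagged (v2.7.2); nothing further to change in this hunk.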
@@ -19834,7 +20000,7 @@ CVE-2026-6773 (Denial-of-service due to integer overflow in the Graphics: WebGPU
- firefox 150.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6773
CVE-2026-6772 (Incorrect boundary conditions in the Libraries component in NSS. This ...)
- {DSA-6229-1 DSA-6225-1 DLA-4549-1 DLA-4546-1}
+ {DSA-6290-1 DSA-6229-1 DSA-6225-1 DLA-4549-1 DLA-4546-1}
- firefox 150.0-1
- firefox-esr 140.10.0esr-1
- thunderbird 1:140.10.0esr-1
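Review bot: the nss source package line that DSA-6290-1 presumably corresponds to lies outside the shown context for CVE-2026-6772 (only the firefox, firefox-esr and thunderbird lines are visible), so confirm that the fixed nss version is recorded below these lines in the full entry. The new id is placed ahead of the existing `{DSA-6229-1 DSA-6225-1 DLA-4549-1 DLA-4546-1}` list, keeping the newest-first ordering used by the file; the same applies to the identical additions for CVE-2026-6767 and CVE-2026-6766 in the following hunks.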
@@ -19871,7 +20037,7 @@ CVE-2026-6768 (Mitigation bypass in the Networking: Cookies component. This vuln
- firefox 150.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6768
CVE-2026-6767 (Other issue in the Libraries component in NSS. This vulnerability was ...)
- {DSA-6229-1 DSA-6225-1 DLA-4549-1 DLA-4546-1}
+ {DSA-6290-1 DSA-6229-1 DSA-6225-1 DLA-4549-1 DLA-4546-1}
- firefox 150.0-1
- firefox-esr 140.10.0esr-1
- thunderbird 1:140.10.0esr-1
@@ -19881,7 +20047,7 @@ CVE-2026-6767 (Other issue in the Libraries component in NSS. This vulnerability
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-34/#CVE-2026-6767
NOTE: https://hg.mozilla.org/projects/nss/rev/4e693e8b5c0d
CVE-2026-6766 (Incorrect boundary conditions in the Libraries component in NSS. This ...)
- {DSA-6229-1 DSA-6225-1 DLA-4549-1 DLA-4546-1}
+ {DSA-6290-1 DSA-6229-1 DSA-6225-1 DLA-4549-1 DLA-4546-1}
- firefox 150.0-1
- firefox-esr 140.10.0esr-1
- thunderbird 1:140.10.0esr-1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3c74b37e031a27cad2bac6a3b621ea6bed18157