[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat May 30 07:59:15 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8773bdec by Salvatore Bonaccorso at 2026-05-30T08:58:52+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -223,21 +223,21 @@ CVE-2026-44611 (Danelec MacGregor Voyage Data Recorder passwords are stored with
CVE-2026-44518 (liboqs is a C-language cryptographic library that provides implementat ...)
- liboqs <removed>
CVE-2026-44239 (FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Das ...)
- TODO: check
+ NOT-FOR-US: FreePBX
CVE-2026-44238 (FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CD ...)
- TODO: check
+ NOT-FOR-US: FreePBX
CVE-2026-44237 (FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api mod ...)
- TODO: check
+ NOT-FOR-US: FreePBX
CVE-2026-43917 (Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19 ...)
- TODO: check
+ NOT-FOR-US: Dokploy
CVE-2026-42965 (A flaw was found in the OpenShift Router. A user with EndpointSlice wr ...)
- TODO: check
+ NOT-FOR-US: Red Hat OpenShift Router
CVE-2026-42951 (An authenticated user can download a backup of theDanelec MacGregor Vo ...)
- TODO: check
+ NOT-FOR-US: Danelec
CVE-2026-42941 (TheDanelec MacGregor Voyage Data Recorder device includes a default u ...)
- TODO: check
+ NOT-FOR-US: Danelec
CVE-2026-42929 (Danelec MacGregor Voyage Data Recorder includes default accounts with ...)
- TODO: check
+ NOT-FOR-US: Danelec
CVE-2026-41159 (Mermaid is a JavaScript tool that uses Markdown-inspired text to creat ...)
TODO: check
CVE-2026-41150 (Mermaid is a JavaScript tool that uses Markdown-inspired text to creat ...)
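Review bot: label granularity is inconsistent within this hunk. CVE-2026-42965 is tagged with vendor plus product ("NOT-FOR-US: Red Hat OpenShift Router"), while CVE-2026-42951, CVE-2026-42941 and CVE-2026-42929 get the vendor only ("Danelec") even though their descriptions name the product, MacGregor Voyage Data Recorder. Either form works, but picking one keeps a later search of data/CVE/list for a product or vendor from missing entries. If vendor-only is the convention for Danelec, keep it identical on every Danelec entry in the file.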
@@ -247,7 +247,7 @@ CVE-2026-40528 (OpenSC before 0.27.0, fixed in commit 0358817, contains a stack
CVE-2026-40510 (OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack bu ...)
TODO: check
CVE-2026-40425 (The administrator account for the Danelec MacGregor Voyage Data Recor ...)
- TODO: check
+ NOT-FOR-US: Danelec
CVE-2026-3655 (The OTP Login With Phone Number, OTP Verification plugin for WordPress ...)
NOT-FOR-US: WordPress plugin
CVE-2026-39292 (Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file u ...)
@@ -1237,7 +1237,7 @@ CVE-2026-6226 (The Frontend Admin by DynamiApps plugin for WordPress is vulnerab
CVE-2026-4944 (vllm-project/vllm version 0.14.1 contains a vulnerability where the `t ...)
- vllm <itp> (bug #1095237)
CVE-2026-4377 (DlinkDWR-X1820 router uses weak default password generated from its IM ...)
- TODO: check
+ NOT-FOR-US: Dlink
CVE-2026-4334 (The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross ...)
NOT-FOR-US: WordPress plugin
CVE-2026-49238 (An issue was discovered in Canonical Multipass before version 1.16.3. ...)
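Review bot: the label on CVE-2026-4377 is spelled "Dlink", which follows the run-together "DlinkDWR-X1820" in the CVE description rather than the vendor's own spelling, D-Link. Suggest "NOT-FOR-US: D-Link" so the entry is found by the same search as other entries for that vendor.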
@@ -1427,11 +1427,11 @@ CVE-2026-44394 (An issue was discovered in OpenStack Keystone before 29.0.2. The
NOTE: https://bugs.launchpad.net/keystone/+bug/2150379
NOTE: https://security.openstack.org/ossa/OSSA-2026-015.html
CVE-2026-44358 (Espressif Shared GitHub DangerJS is a reusable GitHub Action CI Danger ...)
- TODO: check
+ NOT-FOR-US: Espressif Shared GitHub DangerJS
CVE-2026-43979 (Local Deep Research is an AI-powered research assistant for deep, iter ...)
- TODO: check
+ NOT-FOR-US: Local Deep Research
CVE-2026-43898 (SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox- ...)
- TODO: check
+ NOT-FOR-US: SandboxJS Node module
CVE-2026-43000 (An issue was discovered in OpenStack Keystone before 29.0.2. When comb ...)
- keystone 2:29.0.1-2
NOTE: https://bugs.launchpad.net/keystone/+bug/2148477
@@ -1452,13 +1452,13 @@ CVE-2026-41565 (CryptX versions before 0.088_001 for Perl have a stack buffer ov
NOTE: Fixed by: https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1 (v0.088)
NOTE: Fixed by: https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642 (v0.089)
CVE-2026-41185 (When Calico is configured with the Azure IPAM plugin, the Calico CNI b ...)
- TODO: check
+ NOT-FOR-US: Calico
CVE-2026-41184 (In Calico, the install-cni init container logs the rendered CNI config ...)
- TODO: check
+ NOT-FOR-US: Calico
CVE-2026-41160 (EspoCRM is an open source customer relationship management application ...)
- TODO: check
+ NOT-FOR-US: EspoCRM
CVE-2026-41141 (EspoCRM is an open source customer relationship management application ...)
- TODO: check
+ NOT-FOR-US: EspoCRM
CVE-2026-40914 (A vulnerability exists in Apache Artemis whereby an application using ...)
TODO: check
CVE-2026-38707 (A command injection vulnerability exists in the IPSec VPN feature of I ...)
@@ -2288,11 +2288,11 @@ CVE-2026-44590 (Sherlock hunts down social media accounts by username across soc
NOTE: Only affects the GitHub Actions workflow for the src:sherlock upstream project
NOTE: https://github.com/sherlock-project/sherlock/security/advisories/GHSA-v6wr-ccr4-x8g9
CVE-2026-44247 (Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14 ...)
- TODO: check
+ NOT-FOR-US: Volcano
CVE-2026-42877 (FacturaScripts is an open source accounting and invoicing software. In ...)
- TODO: check
+ NOT-FOR-US: FacturaScripts
CVE-2026-42197 (RELATE is a web-based courseware package. Versions prior to commit 555 ...)
- TODO: check
+ NOT-FOR-US: RELATE
CVE-2026-3173 (The Meta Field Block plugin for WordPress is vulnerable to Insecure Di ...)
NOT-FOR-US: WordPress plugin
CVE-2026-33552 (Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Acce ...)
@@ -2655,9 +2655,9 @@ CVE-2026-44316 (free5GC is an open-source implementation of the 5G core network.
CVE-2026-44315 (free5GC is an open-source implementation of the 5G core network. Prior ...)
NOT-FOR-US: free5GC
CVE-2026-42879 (FacturaScripts is an open source accounting and invoicing software. In ...)
- TODO: check
+ NOT-FOR-US: FacturaScripts
CVE-2026-42878 (FacturaScripts is an open source accounting and invoicing software. Pr ...)
- TODO: check
+ NOT-FOR-US: FacturaScripts
CVE-2026-42791 (Improper Certificate Validation vulnerability in Erlang OTP public_key ...)
- erlang 1:27.3.4.12+dfsg-1
[bookworm] - erlang <not-affected> (Vulnerable code not present)
@@ -2751,109 +2751,109 @@ CVE-2026-42726 (Missing Authorization vulnerability in Strategy11 Team AWP Class
CVE-2026-42725 (Authorization Bypass Through User-Controlled Key vulnerability in WP W ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-42553 (Cinny is a Matrix client. Prior to 4.10.3, A remote authenticated atta ...)
- TODO: check
+ NOT-FOR-US: Cinny
CVE-2026-42459 (free5GC is an open-source implementation of the 5G core network. Prior ...)
- TODO: check
+ NOT-FOR-US: free5GC
CVE-2026-42328 (go-ipld-prime is an implementation of the InterPlanetary Linked Data ( ...)
- TODO: check
+ NOT-FOR-US: go-ipld-prime
CVE-2026-42280 (Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to ...)
- TODO: check
+ NOT-FOR-US: Auth0 Auth0.js library
CVE-2026-42184 (Tauri is a framework for building binaries for all major desktop platf ...)
- TODO: check
+ NOT-FOR-US: Tauri
CVE-2026-42083 (free5GC is an open-source implementation of the 5G core network. Prior ...)
- TODO: check
+ NOT-FOR-US: free5GC
CVE-2026-42082 (free5GC is an open-source implementation of the 5G core network. Prior ...)
- TODO: check
+ NOT-FOR-US: free5GC
CVE-2026-42081 (free5GC is an open-source implementation of the 5G core network. Prior ...)
- TODO: check
+ NOT-FOR-US: free5GC
CVE-2026-41704 (AgentClient#handle_method (lines 264-303) processes every NATS reply. ...)
TODO: check
CVE-2026-41009 (When the director sends a long-running request (e.g. compile_package), ...)
TODO: check
CVE-2026-40852 (A highly authenticated attacker can alter the config generator injecti ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40851 (A local attacker can perform a confusion attack on the cfgparser via a ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40850 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40849 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40848 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40847 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40846 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40845 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40844 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40843 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40842 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40841 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40840 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40839 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40838 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40837 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40836 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40835 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40834 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40833 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40832 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40831 (An low privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40830 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40829 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40828 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40827 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40826 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40825 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40824 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40823 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40822 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40821 (A high privileged remote attacker can exploit an unauthenticated SQL I ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40819 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40818 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40817 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40816 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40815 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40814 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40813 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40812 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40811 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-40810 (An unauthenticated remote attacker can exploit an unauthenticated SQL ...)
- TODO: check
+ NOT-FOR-US: MB connect line
CVE-2026-3897 (The Livemesh Addons for Beaver Builder plugin for WordPress is vulnera ...)
NOT-FOR-US: WordPress plugin
CVE-2026-3896 (The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to ...)
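Review bot: several entries near the top of this hunk are libraries or frameworks rather than standalone products: CVE-2026-42328 (go-ipld-prime), CVE-2026-42280 (Auth0.js) and CVE-2026-42184 (Tauri). For these, NOT-FOR-US holds only if no source package in the archive ships or embeds the code, and neither the hunk nor the commit message ("Process some NFUs") records that this was checked. Worth confirming with a search on the usual golang-*, node-* and rust-* source package names before these stay NFU. Separately, the 46 "MB connect line" entries (CVE-2026-40810 through CVE-2026-40852) cannot be matched to that vendor from the truncated descriptions shown here, so the label should be checked against the full CVE text.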
@@ -4729,9 +4729,9 @@ CVE-2026-44444 (Lumiverse is a full-featured AI chat application. Prior to 0.9.7
CVE-2026-44443 (Lumiverse is a full-featured AI chat application. Prior to 0.9.7, cons ...)
NOT-FOR-US: Lumiverse
CVE-2026-44214 (eventsource-encoder encodes events as well-formed EventSource/Server S ...)
- TODO: check
+ NOT-FOR-US: eventsource-encoder
CVE-2026-44213 (The OpenTelemetry.Exporter.Instana exports telemetry to Instana backen ...)
- TODO: check
+ NOT-FOR-US: OpenTelemetry.Exporter.Instana
CVE-2026-44209 (Banks generates meaningful LLM prompts using a template language that ...)
NOT-FOR-US: Banks
CVE-2026-43988 (Vanetza is an open-source implementation of the ETSI C-ITS protocol su ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8773bdec13e2f52191bb9d4336355d00f476848c