Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7f87a354 by security tracker role at 2026-02-27T20:14:03+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,161 @@
+CVE-2026-3327 (Authenticated Iframe Injection in Dato CMS Web Previews plugin. 
This v ...)
+       TODO: check
+CVE-2026-3304 (Multer is a node.js middleware for handling 
`multipart/form-data`. A v ...)
+       TODO: check
+CVE-2026-3277 (The OpenID Connect (OIDC) authentication configuration in 
PowerShell   ...)
+       TODO: check
+CVE-2026-3223 (Arbitrary file write & potential privilege escalation 
exploiting zip s ...)
+       TODO: check
+CVE-2026-2880 (A vulnerability in @fastify/middie versions < 9.2.0 can result 
in auth ...)
+       TODO: check
+CVE-2026-2831 (The MailArchiver plugin for WordPress is vulnerable to SQL 
Injection v ...)
+       TODO: check
+CVE-2026-2751 (Blind SQL Injection via unsanitized array keys in Service 
Dependencies ...)
+       TODO: check
+CVE-2026-2750 (Improper Input Validation vulnerability in Centreon Centreon 
Open Tick ...)
+       TODO: check
+CVE-2026-2749 (Vulnerability in Centreon Centreon Open Tickets on Central 
Server on L ...)
+       TODO: check
+CVE-2026-2383 (The Simple Download Monitor plugin for WordPress is vulnerable 
to Stor ...)
+       TODO: check
+CVE-2026-2362 (The WP Accessibility plugin for WordPress is vulnerable to 
Stored DOM- ...)
+       TODO: check
+CVE-2026-2359 (Multer is a node.js middleware for handling 
`multipart/form-data`. A v ...)
+       TODO: check
+CVE-2026-2293 (A NestJS application using @nestjs/platform-fastify can allow 
bypass o ...)
+       TODO: check
+CVE-2026-2252 (An XML External Entity (XXE) vulnerability allows malicious 
user to pe ...)
+       TODO: check
+CVE-2026-2251 (Improper limitation of a pathname to a restricted directory 
(Path Trav ...)
+       TODO: check
+CVE-2026-28354 (ClipBucket v5 is an open source video sharing platform. Prior 
to versi ...)
+       TODO: check
+CVE-2026-27947 (Group-Office is an enterprise customer relationship management 
and gro ...)
+       TODO: check
+CVE-2026-27836 (phpMyFAQ is an open source FAQ web application. Prior to 
version 4.0.1 ...)
+       TODO: check
+CVE-2026-27832 (Group-Office is an enterprise customer relationship management 
and gro ...)
+       TODO: check
+CVE-2026-27824 (calibre is a cross-platform e-book manager for viewing, 
converting, ed ...)
+       TODO: check
+CVE-2026-27810 (calibre is a cross-platform e-book manager for viewing, 
converting, ed ...)
+       TODO: check
+CVE-2026-27793 (Seerr is an open-source media request and discovery manager 
for Jellyf ...)
+       TODO: check
+CVE-2026-27792 (Seerr is an open-source media request and discovery manager 
for Jellyf ...)
+       TODO: check
+CVE-2026-27758 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a c ...)
+       TODO: check
+CVE-2026-27757 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain an  ...)
+       TODO: check
+CVE-2026-27756 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a r ...)
+       TODO: check
+CVE-2026-27755 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a w ...)
+       TODO: check
+CVE-2026-27754 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use 
the cry ...)
+       TODO: check
+CVE-2026-27753 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain an  ...)
+       TODO: check
+CVE-2026-27752 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
transmit au ...)
+       TODO: check
+CVE-2026-27751 (SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 
contain a d ...)
+       TODO: check
+CVE-2026-27734 (Beszel is a server monitoring platform. Prior to version 
0.18.2, the h ...)
+       TODO: check
+CVE-2026-27707 (Seerr is an open-source media request and discovery manager 
for Jellyf ...)
+       TODO: check
+CVE-2026-27583
+       REJECTED
+CVE-2026-27582
+       REJECTED
+CVE-2026-27581
+       REJECTED
+CVE-2026-27580
+       REJECTED
+CVE-2026-27573
+       REJECTED
+CVE-2026-27501
+       REJECTED
+CVE-2026-27500
+       REJECTED
+CVE-2026-27201
+       REJECTED
+CVE-2026-27200
+       REJECTED
+CVE-2026-26997 (ClipBucket v5 is an open source video sharing platform. Prior 
to versi ...)
+       TODO: check
+CVE-2026-26862 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to 
DOM-base ...)
+       TODO: check
+CVE-2026-26861 (CleverTap Web SDK version 1.15.2 and earlier is vulnerable to 
Cross-Si ...)
+       TODO: check
+CVE-2026-25147 (OpenEMR is a free and open source electronic health records 
and medica ...)
+       TODO: check
+CVE-2026-24488 (OpenEMR is a free and open source electronic health records 
and medica ...)
+       TODO: check
+CVE-2026-24352 (PluXml CMS allows a user's session identifier to be set before 
authent ...)
+       TODO: check
+CVE-2026-24351 (PluXml CMS is vulnerable to Stored XSS in Static Pages editing 
functio ...)
+       TODO: check
+CVE-2026-24350 (PluXml CMS is vulnerable to Stored XSS in file uploading 
functionality ...)
+       TODO: check
+CVE-2026-22717 (Out-of-bound read vulnerability in VMware Workstation 25H1 and 
below o ...)
+       TODO: check
+CVE-2026-22716 (Out-of-bound write vulnerability in VMware Workstation 25H1 
and below  ...)
+       TODO: check
+CVE-2026-21660 (Hardcoded Email Credentials Saved as Plaintext in Firmware 
(CWE-256: P ...)
+       TODO: check
+CVE-2026-21659 (Unauthenticated Remote Code Execution and Information 
Disclosure due t ...)
+       TODO: check
+CVE-2026-21658 (Unauthenticated Remote Code Execution i.e Improper Control of 
Generati ...)
+       TODO: check
+CVE-2026-21657 (Improper Control of Generation of Code ('Code Injection') 
vulnerabilit ...)
+       TODO: check
+CVE-2026-21656 (Improper Control of Generation of Code ('Code Injection') 
vulnerabilit ...)
+       TODO: check
+CVE-2026-21654 (Improper Neutralization of Special Elements used in an OS 
Command ('OS ...)
+       TODO: check
+CVE-2026-21619 (Uncontrolled Resource Consumption, Deserialization of 
Untrusted Data v ...)
+       TODO: check
+CVE-2026-1627 (An attacker may exploit the use of outdated and weak MAC 
algorithms in ...)
+       TODO: check
+CVE-2026-1626 (An attacker may exploit the use of weak CBC-based cipher suites 
in the ...)
+       TODO: check
+CVE-2026-1434 (Omega-PSIR is vulnerable to Reflected XSS via the lang 
parameter. An a ...)
+       TODO: check
+CVE-2026-1305 (The Japanized for WooCommerce plugin for WordPress is 
vulnerable to Im ...)
+       TODO: check
+CVE-2025-69437 (PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. 
Uploade ...)
+       TODO: check
+CVE-2025-15498 (Pro3W CMS if vulnerable toSQL injection attacks.Improper 
neutralizatio ...)
+       TODO: check
+CVE-2025-14142 (The Electric Enquiries plugin for WordPress is vulnerable to 
Stored Cr ...)
+       TODO: check
+CVE-2025-11950 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
+       TODO: check
+CVE-2025-11252 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+       TODO: check
+CVE-2025-11251 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+       TODO: check
+CVE-2024-10938 (The OVRI Payment plugin for WordPress contains malicious 
.htaccess fil ...)
+       TODO: check
+CVE-2019-25497 (osCommerce 2.3.4.1 contains a SQL injection vulnerability that 
allows  ...)
+       TODO: check
+CVE-2019-25496 (osCommerce 2.3.4.1 contains a SQL injection vulnerability that 
allows  ...)
+       TODO: check
+CVE-2019-25495 (osCommerce 2.3.4.1 contains a SQL injection vulnerability that 
allows  ...)
+       TODO: check
+CVE-2019-25494 (Homey BNB V4 contains an SQL injection vulnerability in the 
administra ...)
+       TODO: check
+CVE-2019-25493 (Homey BNB V4 contains an SQL injection vulnerability that 
allows unaut ...)
+       TODO: check
+CVE-2019-25492 (Homey BNB V4 contains an SQL injection vulnerability that 
allows unaut ...)
+       TODO: check
+CVE-2019-25491 (Homey BNB V4 contains an SQL injection vulnerability that 
allows unaut ...)
+       TODO: check
+CVE-2019-25490 (Homey BNB V4 contains a SQL injection vulnerability that 
allows unauth ...)
+       TODO: check
+CVE-2019-25489 (Homey BNB V4 contains a SQL injection vulnerability that 
allows unauth ...)
+       TODO: check
 CVE-2026-3302 (A weakness has been identified in SourceCodester Doctor 
Appointment Sy ...)
        NOT-FOR-US: SourceCodester
 CVE-2026-3301 (A security flaw has been discovered in Totolink N300RH 
6.1c.1353_B2019 ...)
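
Review bot: every new entry in this hunk is left at TODO: check, and several of them share one upstream description and should be triaged as a group so they do not end up with inconsistent statuses: CVE-2026-3304 and CVE-2026-2359 (Multer), CVE-2026-27824 and CVE-2026-27810 (calibre), CVE-2026-27793, CVE-2026-27792 and CVE-2026-27707 (Seerr), CVE-2026-27758 through CVE-2026-27751 (SODOLA SL902-SWTGW124AS firmware), CVE-2026-28354 and CVE-2026-26997 (ClipBucket), CVE-2026-27947 and CVE-2026-27832 (Group-Office), and the osCommerce and Homey BNB batches at the end. The calibre pair deserves attention first, since calibre is packaged in Debian, whereas the SODOLA firmware entries and the WordPress plugin entries are the usual NOT-FOR-US candidates. The nine consecutive REJECTED entries (CVE-2026-27583 down to CVE-2026-27200) need no further action.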
@@ -514,7 +672,7 @@ CVE-2026-27837 (Dottie provides nested object access and 
manipulation in JavaScr
        NOTE: 
https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w
        NOTE: Fixed by: 
https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14
 (v2.0.7)
        NOTE: CVE exists because of an incomplete fix for CVE-2023-26132.
-CVE-2026-27831 (rldns is an open source DNS server. Version 2.3 has a 
heap-based out-o ...)
+CVE-2026-27831 (rldns is an open source DNS server. Version 1.3 has a 
heap-based out-o ...)
        NOT-FOR-US: rldns
 CVE-2026-27830 (c3p0, a JDBC Connection pooling library, is vulnerable to 
attack via m ...)
        - c3p0 <unfixed>
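
Review bot: the only change here is the affected version in the CVE-2026-27831 description (2.3 becomes 1.3); with the entry at NOT-FOR-US: rldns the change has no tracker effect, but a version correction after publication is worth keeping in mind in case the upstream advisory is revised again.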
@@ -1492,6 +1650,7 @@ CVE-2026-2777 (Privilege escalation in the Messaging 
System component. This vuln
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/#CVE-2026-2777
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-17/#CVE-2026-2777
 CVE-2026-2776 (Sandbox escape due to incorrect boundary conditions in the 
Telemetry c ...)
+       {DSA-6148-1}
        - firefox <unfixed>
        - firefox-esr 140.8.0esr-1
        - thunderbird <unfixed>
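
Review bot: the {DSA-6148-1} marker is added to CVE-2026-2776 while firefox and thunderbird remain <unfixed>; that is consistent only if DSA-6148-1 covers firefox-esr, which is the one package here with a fixed version (140.8.0esr-1). Confirm the DSA's package, and expect a separate DSA marker for thunderbird later, since it still shows <unfixed>.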
@@ -6365,7 +6524,7 @@ CVE-2025-15520 (The RegistrationMagic  WordPress plugin 
before 6.0.7.2 checks no
        NOT-FOR-US: WordPress plugin
 CVE-2024-21961 (Improper restriction of operations within the bounds of a 
memory buffe ...)
        NOT-FOR-US: AMD
-CVE-2020-37167 (ClamAV ClamBC bytecode interpreter contains a vulnerability in 
functio ...)
+CVE-2020-37167 (ClamAV versions prior to 0.102.0, fixed in 0.103.0-rc, ClamBC 
bytecode ...)
        - clamav <undetermined>
        NOTE: https://www.exploit-db.com/exploits/47687
        TODO: check upstream status
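
Review bot: the new description for CVE-2020-37167 is internally ambiguous: "versions prior to 0.102.0, fixed in 0.103.0-rc" leaves the 0.102.x series unaccounted for. Since it now names a fixed version, the "- clamav <undetermined>" line and the "TODO: check upstream status" item should be resolvable by comparing 0.103.0 against the clamav versions in the supported suites; the exploit-db link is still the only NOTE, so an upstream commit or release-notes reference would be the more useful pointer for that check.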
@@ -47644,7 +47803,7 @@ CVE-2025-62727 (Starlette is a lightweight ASGI 
framework/toolkit. Starting in v
        [bullseye] - starlette <postponed> (minor issue; DoS)
        NOTE: 
https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
        NOTE: Fixed by: 
https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
 (0.49.1)
-CVE-2025-12150
+CVE-2025-12150 (A flaw was found in Keycloak\u2019s WebAuthn registration 
component. T ...)
        - keycloak <itp> (bug #1088287)
 CVE-2025-9313 (An unauthenticated user can connect to a publicly accessible 
database  ...)
        NOT-FOR-US: Asseco mMedica
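
Review bot: the new CVE-2025-12150 description carries a literal \u2019 escape in "Keycloak\u2019s" instead of the apostrophe, so the automatic import appears to have written a JSON string escape through without decoding it; the import step should unescape these so data/CVE/list stays plain UTF-8 text. The "- keycloak <itp> (bug #1088287)" line is unchanged and still appropriate for a package that is only at ITP stage.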
@@ -50582,7 +50741,7 @@ CVE-2025-60500 (QDocs Smart School Management System 
7.1 allows authenticated us
        NOT-FOR-US: QDocs Smart School Management System
 CVE-2025-60427 (LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to 
Broken  ...)
        NOT-FOR-US: LibreTime
-CVE-2025-60344 (An unauthenticated Local File Inclusion (LFI) vulnerability in 
D-Link  ...)
+CVE-2025-60344 (A path traversal (directory traversal) vulnerability in D-Link 
DSR ser ...)
        NOT-FOR-US: D-Link
 CVE-2025-60280 (Cross-Site Scripting (XSS) vulnerability in Bang Resto v1.0 
could allo ...)
        NOT-FOR-US: Bang Resto
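
Review bot: the CVE-2025-60344 description is reclassified from Local File Inclusion to path traversal in D-Link DSR; the NOT-FOR-US: D-Link status is unaffected, so there is nothing to do beyond noting the reclassification.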
@@ -167227,7 +167386,7 @@ CVE-2024-50408 (Deserialization of Untrusted Data 
vulnerability in Kiboko Labs N
        NOT-FOR-US: WordPress plugin
 CVE-2024-49771 (MPXJ is an open source library to read and write project plans 
from a  ...)
        NOT-FOR-US: Packwood MPXJ
-CVE-2025-10990
+CVE-2025-10990 (A flaw was found in REXML. A remote attacker could exploit 
inefficient ...)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2398216
        NOTE: check if RedHat specific incomplete fix for CVE-2024-49761 and 
for us a NFU
 CVE-2024-49761 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 
has a ReD ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f87a354c4222f06182804dac5639897964caa03

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits