Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
ec7ed34f by Salvatore Bonaccorso at 2026-07-18T16:15:31+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -98,7 +98,7 @@ CVE-2026-53727 (css_parser is a Ruby CSS parser. From 2.2.0
until 3.0.0, CssPars
CVE-2026-52584 (Buffer Overflow vulnerability in libjxl v.0.11.2 and before
allows a l ...)
TODO: check
CVE-2026-52348 (cool-admin-java 8.0.0 has a SQL injection vulnerability in the
order() ...)
- TODO: check
+ NOT-FOR-US: cool-admin-java
CVE-2026-52203 (An issue in MCMS v.6.1.1 allows a remote attacker to obtain
sensitive ...)
NOT-FOR-US: MCMS
CVE-2026-52199 (An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows
a remot ...)
@@ -114,7 +114,7 @@ CVE-2026-50272 (dd-trace is the Datadog APM client for
Node.js. Prior to 5.100.0
CVE-2026-50271 (Datadog dd-trace-py is the Datadog Python APM client. Prior to
4.8.2, ...)
NOT-FOR-US: Datadog dd-trace-py
CVE-2026-50197 (Skipper is an HTTP router and reverse proxy for service
composition. P ...)
- TODO: check
+ NOT-FOR-US: Zalando Skipper
CVE-2026-50163 (oras-go is a Go library for managing OCI artifacts. Prior to
2.6.2, en ...)
TODO: check
CVE-2026-50162 (oras-go is a Go library for managing OCI artifacts. Prior to
2.6.1, re ...)
@@ -126,39 +126,39 @@ CVE-2026-4942 (IBM i 7.6, 7.5, 7.4, and 7.3 could allow a
remote attacker to sen
CVE-2026-4938 (IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security
Verify ...)
NOT-FOR-US: IBM
CVE-2026-49977 (tarteaucitron.js is a compliant and accessible cookie banner.
Prior to ...)
- TODO: check
+ NOT-FOR-US: tarteaucitron.js
CVE-2026-49852 (joserfc is a Python library that provides an implementation of
several ...)
TODO: check
CVE-2026-49834 (sigstore-go is a Go library for Sigstore signing and
verification. Pri ...)
TODO: check
CVE-2026-49485 (HAPI FHIR is a complete implementation of the HL7 FHIR
standard for he ...)
- TODO: check
+ NOT-FOR-US: HAPI FHIR
CVE-2026-49284 (SimpleSAMLphp versions before 1.18.6 contain an information
disclosure ...)
TODO: check
CVE-2026-48978 (oras-go is a Go library for managing OCI artifacts. Prior to
2.6.1, au ...)
TODO: check
CVE-2026-48819 (Hey API is an ecosystem for turning API specifications into
production ...)
- TODO: check
+ NOT-FOR-US: Hey API
CVE-2026-48504 (OpenTelemetry Rust is the Rust OpenTelemetry implementation.
In 0.32.0 ...)
- TODO: check
+ NOT-FOR-US: OpenTelemetry Rust
CVE-2026-48373 (Acrobat Reader is affected by a Heap-based Buffer Overflow
vulnerabili ...)
NOT-FOR-US: Adobe
CVE-2026-48062 (CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3,
the ext ...)
TODO: check
CVE-2026-48049 (@hapi/inert provides static file and directory handlers for
hapi.js. F ...)
- TODO: check
+ NOT-FOR-US: hapi/inert
CVE-2026-48022 (@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck
strips c ...)
- TODO: check
+ NOT-FOR-US: hapi/wreck
CVE-2026-46420 (setup-php is a GitHub action to set up PHP with extensions,
php.ini co ...)
- TODO: check
+ NOT-FOR-US: setup-php
CVE-2026-45799 (Wire provides gRPC and protocol buffers for Android, Kotlin,
Swift, an ...)
TODO: check
CVE-2026-45785 (OpenMcdf is a fully .NET / C# library to manipulate Compound
File Bina ...)
- TODO: check
+ NOT-FOR-US: OpenMcdf
CVE-2026-45784 (rust-openssl provides OpenSSL bindings for the Rust
programming langua ...)
TODO: check
CVE-2026-45704 (Pimcore is an Open Source Data & Experience Management
Platform. Prior ...)
- TODO: check
+ NOT-FOR-US: Pimcore
CVE-2026-45260 (Pimcore is an Open Source Data & Experience Management
Platform. Prior ...)
TODO: check
CVE-2026-44979 (@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when
@hapi/wre ...)
@@ -378,7 +378,7 @@ CVE-2026-47180 (Zeroconf is a pure Python implementation of
multicast DNS servic
NOTE: https://github.com/python-zeroconf/python-zeroconf/pull/1719
NOTE: Fixed by:
https://github.com/python-zeroconf/python-zeroconf/commit/f9e23592137f30fdf7ef710dba065da31c79b1cf
(0.149.5)
CVE-2026-45703 (Pimcore is an Open Source Data & Experience Management
Platform. Prior ...)
- TODO: check
+ NOT-FOR-US: Pimcore
CVE-2026-45162 (Pimcore is an Open Source Data & Experience Management
Platform. Prior ...)
TODO: check
CVE-2026-44722 (pyzipper is a replacement for Python's zipfile that can read
and write ...)
@@ -794,37 +794,37 @@ CVE-2026-46687 (Emlog is an open source website building
system. In 2.6.13 and e
CVE-2026-46686 (Emlog is an open source website building system. In 2.6.13 and
earlier ...)
NOT-FOR-US: Emlog
CVE-2026-46621 (Yamcs is a mission control framework. Prior to 5.12.7, the
Yamcs scrip ...)
- TODO: check
+ NOT-FOR-US: Yamcs
CVE-2026-46562 (Yamcs is a mission control framework. Prior to 5.12.7, the
Nashorn Scr ...)
- TODO: check
+ NOT-FOR-US: Yamcs
CVE-2026-46515 (Frogman provides headless PBX control through MCP and HTTP
API. Prior ...)
- TODO: check
+ NOT-FOR-US: Frogman
CVE-2026-46514 (Frogman provides headless PBX control through MCP and HTTP
API. Prior ...)
- TODO: check
+ NOT-FOR-US: Frogman
CVE-2026-46513 (Frogman provides headless PBX control through MCP and HTTP
API. Prior ...)
- TODO: check
+ NOT-FOR-US: Frogman
CVE-2026-46512 (Frogman provides headless PBX control through MCP and HTTP
API. Prior ...)
- TODO: check
+ NOT-FOR-US: Frogman
CVE-2026-46404 (BigBlueButton is an open-source virtual classroom. Prior to
3.0.23, th ...)
- TODO: check
+ NOT-FOR-US: BigBlueButton
CVE-2026-46378 (Dasel is a command-line tool and library for querying,
modifying, and ...)
TODO: check
CVE-2026-46377 (Dasel is a command-line tool and library for querying,
modifying, and ...)
TODO: check
CVE-2026-46353 (BigBlueButton is an open-source virtual classroom. Prior to
3.0.21, bb ...)
- TODO: check
+ NOT-FOR-US: BigBlueButton
CVE-2026-46351 (BigBlueButton is an open-source virtual classroom. Prior to
3.0.21, bb ...)
- TODO: check
+ NOT-FOR-US: BigBlueButton
CVE-2026-46341 (The Apify MCP server enables AI agents to extract data from
websites u ...)
- TODO: check
+ NOT-FOR-US: Apify MCP server
CVE-2026-46338 (PyMdown Extensions is a set of extensions for the
Python-Markdown mark ...)
TODO: check
CVE-2026-46336 (Manyfold is an open source, self-hosted web application for
managing a ...)
- TODO: check
+ NOT-FOR-US: Manyfold
CVE-2026-45795 (The Janssen Project is an open-source identity and access
management ( ...)
- TODO: check
+ NOT-FOR-US: Janssen Project
CVE-2026-45695 (Kopia is a cross-platform backup tool for Windows, macOS, and
Linux wi ...)
- TODO: check
+ NOT-FOR-US: Kopia
CVE-2026-45612 (rz-libdemangle is a Rizin library for demangling symbols.
Prior to 6bf ...)
TODO: check
CVE-2026-45576 (zrok is software for sharing web services, files, and network
resource ...)
@@ -1228,9 +1228,9 @@ CVE-2026-48795 (AdonisJS is a TypeScript-first web
framework. From 10.1.3 until
CVE-2026-46684 (DataEase is an open source data visualization and analysis
tool. Prior ...)
NOT-FOR-US: DataEase
CVE-2026-46421 (The SAP Cloud Application Programming Model is a tool for
building ent ...)
- TODO: check
+ NOT-FOR-US: SAP Cloud Application Programming Model
CVE-2026-46339 (9Router is an AI router & token saver. From 0.4.30 until
0.4.37, 9Rout ...)
- TODO: check
+ NOT-FOR-US: 9Router
CVE-2026-45738 (Argo CD is a declarative, GitOps continuous delivery tool for
Kubernet ...)
NOT-FOR-US: Argo CD
CVE-2026-45737 (Argo CD is a declarative, GitOps continuous delivery tool for
Kubernet ...)
@@ -1719,19 +1719,19 @@ CVE-2026-47159 (Vaultwarden is a Bitwarden-compatible
server written in Rust. Pr
CVE-2026-47158 (Vaultwarden is a Bitwarden-compatible server written in Rust.
Prior to ...)
- vaultwarden <itp> (bug #1067023)
CVE-2026-46709 (Tabby (formerly Terminus) is a highly configurable terminal
emulator. ...)
- TODO: check
+ NOT-FOR-US: Tabby (formerly Terminus, but not the same as src:terminus)
CVE-2026-46485 (Dashy is a self-hostable personal dashboard. Prior to 4.0.8,
Dashy dep ...)
- TODO: check
+ NOT-FOR-US: Dashy
CVE-2026-46459 (ICU Scandinavia Boomerang is vulnerable to a missing
authentication fl ...)
- TODO: check
+ NOT-FOR-US: ICU Scandinavia Boomerang
CVE-2026-46458 (ICU Scandinavia Boomerang is vulnerable to an information
disclosure f ...)
- TODO: check
+ NOT-FOR-US: ICU Scandinavia Boomerang
CVE-2026-45806 (Penpot is an open-source design tool for design and code
collaboration ...)
- TODO: check
+ NOT-FOR-US: Penpot
CVE-2026-45805 (Penpot is an open-source design tool for design and code
collaboration ...)
- TODO: check
+ NOT-FOR-US: Penpot
CVE-2026-45804 (Diffusers is the a library for pretrained diffusion models.
Prior to 0 ...)
- TODO: check
+ NOT-FOR-US: Diffusers
CVE-2026-45337 (Better Auth is an authentication and authorization library for
TypeScr ...)
TODO: check
CVE-2026-45150 (Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser
did not ...)
@@ -3208,7 +3208,7 @@ CVE-2026-48816 (sigstore-js provides JavaScript libraries
for interacting with S
CVE-2026-48815 (sigstore-js provides JavaScript libraries for interacting with
Sigstor ...)
NOT-FOR-US: sigstore-js
CVE-2026-48801 (linkify-it is a links recognition library with full Unicode
support. P ...)
- TODO: check
+ NOT-FOR-US: linkify-it Node.js module
CVE-2026-48758 (sigstore-js provides JavaScript libraries for interacting with
Sigstor ...)
NOT-FOR-US: sigstore-js
CVE-2026-48581 (Insufficient granularity of access control in Microsoft
Surface allows ...)
@@ -6899,7 +6899,7 @@ CVE-2026-59890 (setuptools is a package that allows users
to download, build, in
- setuptools <not-affected> (Only affects setuptools on macOS APFS/HFS+)
NOTE:
https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c
CVE-2026-59887 (linkify-it is a links recognition library with full Unicode
support. P ...)
- TODO: check
+ NOT-FOR-US: linkify-it Node.js module
CVE-2026-59883 (Guzzle is an extensible PHP HTTP client. Prior to 7.12.3,
CookieJar di ...)
- guzzle 7.12.3-1
[trixie] - guzzle <no-dsa> (Minor issue)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec7ed34f1346dfaeb1a3dd386e4c833101103fd4
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec7ed34f1346dfaeb1a3dd386e4c833101103fd4
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits