Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec7ed34f by Salvatore Bonaccorso at 2026-07-18T16:15:31+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -98,7 +98,7 @@ CVE-2026-53727 (css_parser is a Ruby CSS parser. From 2.2.0 
until 3.0.0, CssPars
 CVE-2026-52584 (Buffer Overflow vulnerability in libjxl v.0.11.2 and before 
allows a l ...)
        TODO: check
 CVE-2026-52348 (cool-admin-java 8.0.0 has a SQL injection vulnerability in the 
order() ...)
-       TODO: check
+       NOT-FOR-US: cool-admin-java
 CVE-2026-52203 (An issue in MCMS v.6.1.1 allows a remote attacker to obtain 
sensitive  ...)
        NOT-FOR-US: MCMS
 CVE-2026-52199 (An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows 
a remot ...)
@@ -114,7 +114,7 @@ CVE-2026-50272 (dd-trace is the Datadog APM client for 
Node.js. Prior to 5.100.0
 CVE-2026-50271 (Datadog dd-trace-py is the Datadog Python APM client. Prior to 
4.8.2,  ...)
        NOT-FOR-US: Datadog dd-trace-py
 CVE-2026-50197 (Skipper is an HTTP router and reverse proxy for service 
composition. P ...)
-       TODO: check
+       NOT-FOR-US: Zalando Skipper
 CVE-2026-50163 (oras-go is a Go library for managing OCI artifacts. Prior to 
2.6.2, en ...)
        TODO: check
 CVE-2026-50162 (oras-go is a Go library for managing OCI artifacts. Prior to 
2.6.1, re ...)
@@ -126,39 +126,39 @@ CVE-2026-4942 (IBM i 7.6, 7.5, 7.4, and 7.3 could allow a 
remote attacker to sen
 CVE-2026-4938 (IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security 
Verify ...)
        NOT-FOR-US: IBM
 CVE-2026-49977 (tarteaucitron.js is a compliant and accessible cookie banner. 
Prior to ...)
-       TODO: check
+       NOT-FOR-US: tarteaucitron.js
 CVE-2026-49852 (joserfc is a Python library that provides an implementation of 
several ...)
        TODO: check
 CVE-2026-49834 (sigstore-go is a Go library for Sigstore signing and 
verification. Pri ...)
        TODO: check
 CVE-2026-49485 (HAPI FHIR is a complete implementation of the HL7 FHIR 
standard for he ...)
-       TODO: check
+       NOT-FOR-US: HAPI FHIR
 CVE-2026-49284 (SimpleSAMLphp versions before 1.18.6 contain an information 
disclosure ...)
        TODO: check
 CVE-2026-48978 (oras-go is a Go library for managing OCI artifacts. Prior to 
2.6.1, au ...)
        TODO: check
 CVE-2026-48819 (Hey API is an ecosystem for turning API specifications into 
production ...)
-       TODO: check
+       NOT-FOR-US: Hey API
 CVE-2026-48504 (OpenTelemetry Rust is the Rust OpenTelemetry implementation. 
In 0.32.0 ...)
-       TODO: check
+       NOT-FOR-US: OpenTelemetry Rust
 CVE-2026-48373 (Acrobat Reader is affected by a Heap-based Buffer Overflow 
vulnerabili ...)
        NOT-FOR-US: Adobe
 CVE-2026-48062 (CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, 
the ext ...)
        TODO: check
 CVE-2026-48049 (@hapi/inert provides static file and directory handlers for 
hapi.js. F ...)
-       TODO: check
+       NOT-FOR-US: hapi/inert
 CVE-2026-48022 (@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck 
strips c ...)
-       TODO: check
+       NOT-FOR-US: hapi/wreck
 CVE-2026-46420 (setup-php is a GitHub action to set up PHP with extensions, 
php.ini co ...)
-       TODO: check
+       NOT-FOR-US: setup-php
 CVE-2026-45799 (Wire provides gRPC and protocol buffers for Android, Kotlin, 
Swift, an ...)
        TODO: check
 CVE-2026-45785 (OpenMcdf is a fully .NET / C# library to manipulate Compound 
File Bina ...)
-       TODO: check
+       NOT-FOR-US: OpenMcdf
 CVE-2026-45784 (rust-openssl provides OpenSSL bindings for the Rust 
programming langua ...)
        TODO: check
 CVE-2026-45704 (Pimcore is an Open Source Data & Experience Management 
Platform. Prior ...)
-       TODO: check
+       NOT-FOR-US: Pimcore
 CVE-2026-45260 (Pimcore is an Open Source Data & Experience Management 
Platform. Prior ...)
        TODO: check
 CVE-2026-44979 (@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when 
@hapi/wre ...)
@@ -378,7 +378,7 @@ CVE-2026-47180 (Zeroconf is a pure Python implementation of 
multicast DNS servic
        NOTE: https://github.com/python-zeroconf/python-zeroconf/pull/1719
        NOTE: Fixed by: 
https://github.com/python-zeroconf/python-zeroconf/commit/f9e23592137f30fdf7ef710dba065da31c79b1cf
 (0.149.5)
 CVE-2026-45703 (Pimcore is an Open Source Data & Experience Management 
Platform. Prior ...)
-       TODO: check
+       NOT-FOR-US: Pimcore
 CVE-2026-45162 (Pimcore is an Open Source Data & Experience Management 
Platform. Prior ...)
        TODO: check
 CVE-2026-44722 (pyzipper is a replacement for Python's zipfile that can read 
and write ...)
@@ -794,37 +794,37 @@ CVE-2026-46687 (Emlog is an open source website building 
system. In 2.6.13 and e
 CVE-2026-46686 (Emlog is an open source website building system. In 2.6.13 and 
earlier ...)
        NOT-FOR-US: Emlog
 CVE-2026-46621 (Yamcs is a mission control framework. Prior to 5.12.7, the 
Yamcs scrip ...)
-       TODO: check
+       NOT-FOR-US: Yamcs
 CVE-2026-46562 (Yamcs is a mission control framework. Prior to 5.12.7, the 
Nashorn Scr ...)
-       TODO: check
+       NOT-FOR-US: Yamcs
 CVE-2026-46515 (Frogman provides headless PBX control through MCP and HTTP 
API. Prior  ...)
-       TODO: check
+       NOT-FOR-US: Frogman
 CVE-2026-46514 (Frogman provides headless PBX control through MCP and HTTP 
API. Prior  ...)
-       TODO: check
+       NOT-FOR-US: Frogman
 CVE-2026-46513 (Frogman provides headless PBX control through MCP and HTTP 
API. Prior  ...)
-       TODO: check
+       NOT-FOR-US: Frogman
 CVE-2026-46512 (Frogman provides headless PBX control through MCP and HTTP 
API. Prior  ...)
-       TODO: check
+       NOT-FOR-US: Frogman
 CVE-2026-46404 (BigBlueButton is an open-source virtual classroom. Prior to 
3.0.23, th ...)
-       TODO: check
+       NOT-FOR-US: BigBlueButton
 CVE-2026-46378 (Dasel is a command-line tool and library for querying, 
modifying, and  ...)
        TODO: check
 CVE-2026-46377 (Dasel is a command-line tool and library for querying, 
modifying, and  ...)
        TODO: check
 CVE-2026-46353 (BigBlueButton is an open-source virtual classroom. Prior to 
3.0.21, bb ...)
-       TODO: check
+       NOT-FOR-US: BigBlueButton
 CVE-2026-46351 (BigBlueButton is an open-source virtual classroom. Prior to 
3.0.21, bb ...)
-       TODO: check
+       NOT-FOR-US: BigBlueButton
 CVE-2026-46341 (The Apify MCP server enables AI agents to extract data from 
websites u ...)
-       TODO: check
+       NOT-FOR-US: Apify MCP server
 CVE-2026-46338 (PyMdown Extensions is a set of extensions for the 
Python-Markdown mark ...)
        TODO: check
 CVE-2026-46336 (Manyfold is an open source, self-hosted web application for 
managing a ...)
-       TODO: check
+       NOT-FOR-US: Manyfold
 CVE-2026-45795 (The Janssen Project is an open-source identity and access 
management ( ...)
-       TODO: check
+       NOT-FOR-US: Janssen Project
 CVE-2026-45695 (Kopia is a cross-platform backup tool for Windows, macOS, and 
Linux wi ...)
-       TODO: check
+       NOT-FOR-US: Kopia
 CVE-2026-45612 (rz-libdemangle is a Rizin library for demangling symbols. 
Prior to 6bf ...)
        TODO: check
 CVE-2026-45576 (zrok is software for sharing web services, files, and network 
resource ...)
@@ -1228,9 +1228,9 @@ CVE-2026-48795 (AdonisJS is a TypeScript-first web 
framework. From 10.1.3 until
 CVE-2026-46684 (DataEase is an open source data visualization and analysis 
tool. Prior ...)
        NOT-FOR-US: DataEase
 CVE-2026-46421 (The SAP Cloud Application Programming Model is a tool for 
building ent ...)
-       TODO: check
+       NOT-FOR-US: SAP Cloud Application Programming Model
 CVE-2026-46339 (9Router is an AI router & token saver. From 0.4.30 until 
0.4.37, 9Rout ...)
-       TODO: check
+       NOT-FOR-US: 9Router
 CVE-2026-45738 (Argo CD is a declarative, GitOps continuous delivery tool for 
Kubernet ...)
        NOT-FOR-US: Argo CD
 CVE-2026-45737 (Argo CD is a declarative, GitOps continuous delivery tool for 
Kubernet ...)
@@ -1719,19 +1719,19 @@ CVE-2026-47159 (Vaultwarden is a Bitwarden-compatible 
server written in Rust. Pr
 CVE-2026-47158 (Vaultwarden is a Bitwarden-compatible server written in Rust. 
Prior to ...)
        - vaultwarden <itp> (bug #1067023)
 CVE-2026-46709 (Tabby (formerly Terminus) is a highly configurable terminal 
emulator.  ...)
-       TODO: check
+       NOT-FOR-US: Tabby (formerly Terminus, but not the same as src:terminus)
 CVE-2026-46485 (Dashy is a self-hostable personal dashboard. Prior to 4.0.8, 
Dashy dep ...)
-       TODO: check
+       NOT-FOR-US: Dashy
 CVE-2026-46459 (ICU Scandinavia Boomerang is vulnerable to a missing 
authentication fl ...)
-       TODO: check
+       NOT-FOR-US: ICU Scandinavia Boomerang
 CVE-2026-46458 (ICU Scandinavia Boomerang is vulnerable to an information 
disclosure f ...)
-       TODO: check
+       NOT-FOR-US: ICU Scandinavia Boomerang
 CVE-2026-45806 (Penpot is an open-source design tool for design and code 
collaboration ...)
-       TODO: check
+       NOT-FOR-US: Penpot
 CVE-2026-45805 (Penpot is an open-source design tool for design and code 
collaboration ...)
-       TODO: check
+       NOT-FOR-US: Penpot
 CVE-2026-45804 (Diffusers is the a library for pretrained diffusion models. 
Prior to 0 ...)
-       TODO: check
+       NOT-FOR-US: Diffusers
 CVE-2026-45337 (Better Auth is an authentication and authorization library for 
TypeScr ...)
        TODO: check
 CVE-2026-45150 (Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser 
did not ...)
@@ -3208,7 +3208,7 @@ CVE-2026-48816 (sigstore-js provides JavaScript libraries 
for interacting with S
 CVE-2026-48815 (sigstore-js provides JavaScript libraries for interacting with 
Sigstor ...)
        NOT-FOR-US: sigstore-js
 CVE-2026-48801 (linkify-it is a links recognition library with full Unicode 
support. P ...)
-       TODO: check
+       NOT-FOR-US: linkify-it Node.js module
 CVE-2026-48758 (sigstore-js provides JavaScript libraries for interacting with 
Sigstor ...)
        NOT-FOR-US: sigstore-js
 CVE-2026-48581 (Insufficient granularity of access control in Microsoft 
Surface allows ...)
@@ -6899,7 +6899,7 @@ CVE-2026-59890 (setuptools is a package that allows users 
to download, build, in
        - setuptools <not-affected> (Only affects setuptools on macOS APFS/HFS+)
        NOTE: 
https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c
 CVE-2026-59887 (linkify-it is a links recognition library with full Unicode 
support. P ...)
-       TODO: check
+       NOT-FOR-US: linkify-it Node.js module
 CVE-2026-59883 (Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, 
CookieJar di ...)
        - guzzle 7.12.3-1
        [trixie] - guzzle <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec7ed34f1346dfaeb1a3dd386e4c833101103fd4

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec7ed34f1346dfaeb1a3dd386e4c833101103fd4
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to