pkgsrc-Changes archive


CVS commit: pkgsrc/doc



Module Name:    pkgsrc
Committed By:   leot
Date:           Thu Feb 26 08:24:45 UTC 2026

Modified Files:
        pkgsrc/doc: pkg-vulnerabilities

Log Message:
pkg-vulnerabilities: revert to 1.736

1.737 accidentally added most comments.

Thanks to <wiz>!


To generate a diff of this commit:
cvs rdiff -u -r1.737 -r1.738 pkgsrc/doc/pkg-vulnerabilities

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/doc/pkg-vulnerabilities
diff -u pkgsrc/doc/pkg-vulnerabilities:1.737 pkgsrc/doc/pkg-vulnerabilities:1.738
--- pkgsrc/doc/pkg-vulnerabilities:1.737        Wed Feb 25 22:00:55 2026
+++ pkgsrc/doc/pkg-vulnerabilities      Thu Feb 26 08:24:44 2026
@@ -1,13 +1,30 @@
+# $NetBSD: pkg-vulnerabilities,v 1.738 2026/02/26 08:24:44 leot Exp $
 #
 #FORMAT 1.0.0
 #
+# Please read "Handling packages with security problems" in the pkgsrc
+# guide before editing this file.
 #
+# Note: NEVER remove entries from this file; this should document *all*
+# known package vulnerabilities so it is entirely appropriate to have
+# multiple entries in this file for a single package, and to contain
+# entries for packages which have been removed from pkgsrc.
 #
+# New entries should be added at the end of this file.
 #
+# Please ask pkgsrc-security to update the copy on ftp.NetBSD.org after
+# making changes to this file.
 #
+# The command to run for this update is "./pkg-vuln-update.sh", but it needs
+# access to the private GPG key for pkgsrc-security.
 #
+# If you have comments/additions/corrections, please contact
+# pkgsrc-security%NetBSD.org@localhost.
 #
+# Note: If this file format changes, please do not forget to update
+# pkgsrc/mk/scripts/genreadme.awk which also parses this file.
 #
+# package              type of exploit         URL
 cfengine<1.5.3nb3      remote-root-shell       https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2000-013.txt.asc
 navigator<4.75         remote-user-access      http://www.cert.org/advisories/CA-2000-15.html
 navigator<4.74         remote-user-shell       https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2000-011.txt.asc
@@ -1003,6 +1020,7 @@ postgresql-lib<7.3.9      remote-code-executi
 postgresql73-lib<7.3.9 remote-code-execution   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
 postgresql74-lib<7.4.7 remote-code-execution   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
 postgresql80-lib<8.0.1 remote-code-execution   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
+# intagg not installed
 #postgresql73-lib-7.3.[0-9]*   denial-of-service       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246
 #postgresql74-lib-7.4.[0-9]*   denial-of-service       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246
 #postgresql80-lib-8.0.[0-9]*   denial-of-service       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246
@@ -3671,6 +3689,7 @@ gitweb<1.5.6.6            remote-system-access            ht
 gitweb<1.5.6.6         remote-system-access            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5517
 ganglia-monitor-core<3.1.2     remote-system-access    http://secunia.com/advisories/33506/
 xdg-utils<1.1.0rc1     remote-system-access            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
+# N/A; see https://security-tracker.debian.org/tracker/CVE-2009-0068
 #xdg-utils-[0-9]*      remote-system-access            https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068
 tnftpd<20081009                cross-site-scripting            http://securityreason.com/achievement_securityalert/56
 libmikmod<3.2.0                remote-denial-of-service        http://secunia.com/advisories/33485/
@@ -12593,6 +12612,7 @@ tcpdump<4.9.2           heap-overflow           https://nv
 tcpdump<4.9.2          heap-overflow           https://nvd.nist.gov/vuln/detail/CVE-2017-11542
 tcpdump<4.9.2          buffer-overflow         https://nvd.nist.gov/vuln/detail/CVE-2017-11543
 exiv2<0.27             denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2017-11553
+# in stills2dv, not libjpeg-turbo-[0-9]*       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2017-9614
 libid3tag-[0-9]*       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2017-11550
 libid3tag-[0-9]*       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2017-11551
 sox-[0-9]*             denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2017-11332
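Review bot: the added line `# in stills2dv, not libjpeg-turbo-[0-9]* ...` fuses the explanation and the disabled entry onto one line, unlike the other per-entry comments restored in this diff, which sit on their own line above a `#pkg...` entry. Consider splitting it into a `# in stills2dv, not libjpeg-turbo` comment and a separate `#libjpeg-turbo-[0-9]*` entry line, so the disabled pattern for CVE-2017-9614 stays easy to grep and to re-enable.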
@@ -14839,6 +14859,7 @@ awstats-[0-9]*  information-disclosure  ht
 binutils<2.31  denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2018-8945
 zabbix<3.4.1   man-in-the-middle       https://nvd.nist.gov/vuln/detail/CVE-2017-2825
 nasm<2.14      denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2018-10254
+# reported against tiff, see https://gitlab.com/libtiff/libtiff/-/issues/128
 jpeg<9d        null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2018-10126
 mupdf<1.14.0   infinite-loop                   https://nvd.nist.gov/vuln/detail/CVE-2018-10289
 curl<7.52.0    buffer-overflow                 https://nvd.nist.gov/vuln/detail/CVE-2016-9586
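Review bot: the restored `# reported against tiff` comment sits directly above the live `jpeg<9d null-pointer-dereference` entry, whereas the other per-entry comments in this diff precede commented-out entries. The comment should say whether the jpeg entry for CVE-2018-10126 is meant to stay active, or why it is kept although the report is against tiff.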
@@ -18854,6 +18875,7 @@ opensc-[0-9]*   arbitrary-file-write    https
 p5-File-Temp-[0-9]*    symlink-attack  https://nvd.nist.gov/vuln/detail/CVE-2011-4116
 perl-[0-9]*            symlink-attack  https://nvd.nist.gov/vuln/detail/CVE-2011-4116
 p5-Module-Metadata<1.000015    arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2013-1437
+# Disputed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726578
 #pwgen-[0-9]*                  weak-password-generator         https://nvd.nist.gov/vuln/detail/CVE-2013-4441
 py{26,27,33,34}-tornado<3.2.2  information-disclosure          https://nvd.nist.gov/vuln/detail/CVE-2014-9720
 qt5-qtbase<5.15.0              denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2015-9541
@@ -21264,7 +21286,9 @@ py{36,37,38,39}-django>=2.2<2.2.24      acces
 py{36,37,38,39}-django>=3<3.2.4                access-bypass           https://nvd.nist.gov/vuln/detail/CVE-2021-33571
 rabbitmq<3.8.16                denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2021-22116
 wireshark<3.4.6                denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2021-22222
+# rejected
 #ansible-[0-9]*                information-disclosure          https://nvd.nist.gov/vuln/detail/CVE-2021-3532
+# rejected
 #ansible-[0-9]*                information-disclosure          https://nvd.nist.gov/vuln/detail/CVE-2021-3533
 apache>=2.4.6<2.4.48   authorization-bypass            https://nvd.nist.gov/vuln/detail/CVE-2019-17567
 apache>=2.4.41<2.4.48  null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2020-13950
@@ -21308,6 +21332,7 @@ firefox78<78.11         multiple-vulnerabilitie
 mozjs78<78.11          multiple-vulnerabilities                https://www.mozilla.org/en-US/security/advisories/mfsa2021-24/
 tor-browser<10.0.17    multiple-vulnerabilities                https://www.mozilla.org/en-US/security/advisories/mfsa2021-24/
 thunderbird<78.11      multiple-vulnerabilities                https://www.mozilla.org/en-US/security/advisories/mfsa2021-26/
+# rejected
 #ImageMagick-[0-9]*    memory-leak                     https://nvd.nist.gov/vuln/detail/CVE-2021-34183
 ampache<4.4.3          code-injection                  https://nvd.nist.gov/vuln/detail/CVE-2021-32644
 djvulibre-lib<3.5.29   out-of-bounds-write             https://nvd.nist.gov/vuln/detail/CVE-2021-32490
@@ -21762,7 +21787,9 @@ mbedtls<2.24.0  sensitive-information-dis
 mbedtls<2.25.0 denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2020-36475
 mit-krb5<1.18.5        null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2021-37750
 ffmpeg4<4.4.1  buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2021-38171
+# not reproducible? https://github.com/Exiv2/exiv2/issues/759
 #exiv2-[0-9]*  denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2020-18774
+# not reproducible? https://github.com/Exiv2/exiv2/issues/760
 #exiv2-[0-9]*  denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2020-18773
 exiv2<0.27.1   buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2020-18771
 plib-[0-9]*    integer-overflow        https://nvd.nist.gov/vuln/detail/CVE-2021-38714
@@ -22815,6 +22842,7 @@ grafana<8.3.5   information-disclosure          ht
 htmldoc<1.9.15 denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2022-0534
 jenkins<2.334  denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2022-0538
 kate<21.12.2   arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2022-23853
+# "can't be fixed" according to https://bugzilla.redhat.com/show_bug.cgi?id=2054686
 #git-base-[0-9]*       information-disclosure  https://nvd.nist.gov/vuln/detail/CVE-2022-24975
 php{56,73,74,80,81}-concrete5<9.0      cross-site-request-forgery      https://nvd.nist.gov/vuln/detail/CVE-2021-22954
 php{56,73,74,80,81}-piwigo-[0-9]*      cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2021-45357
@@ -23267,6 +23295,7 @@ php{56,73,74,80,81}-piwigo-[0-9]*       sql-in
 powerdns<4.4.3 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2022-27227
 powerdns-recursor<4.4.8        security-bypass https://nvd.nist.gov/vuln/detail/CVE-2022-27227
 ruby{25,26,27,30,31}-nokogiri<1.13.4   xml-external-entity     https://nvd.nist.gov/vuln/detail/CVE-2022-24836
+# affects ghostpcl, not part of standard ghostscript, see e.g. https://ubuntu.com/security/CVE-2022-1350
 #ghostscript-agpl-[0-9]*       memory-corruption       https://nvd.nist.gov/vuln/detail/CVE-2022-1350
 neomutt<20220415       buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2022-1328
 php{56,73,74,80,81}-memcached<2.1.0    cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2022-26635
@@ -27211,6 +27240,7 @@ chromium<138.0.7204.168 heap-corruption 
 php{56,73,74,80,81,82,83,84}-xdebug-[0-9]*     command-injection       https://nvd.nist.gov/vuln/detail/CVE-2015-10141
 apache<2.4.65  invalid-validation      https://nvd.nist.gov/vuln/detail/CVE-2025-54090
 py{27,39,310,311,312,313}-mezzanine<6.1.1      cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2025-50481
+# disputed because abuse of the commands network protocol is not a violation of the Redis Security Model
 #redis-[0-9]*  memory-corruption       https://nvd.nist.gov/vuln/detail/CVE-2025-46686
 thunderbird<140                multiple-vulnerabilities        https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
 thunderbird<128.12     multiple-vulnerabilities        https://www.mozilla.org/security/advisories/mfsa2025-55/
@@ -27252,6 +27282,7 @@ openexr<3.3.3           heap-overflow                   https://n
 openexr<3.3.3          null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-48073
 openexr<3.3.3          denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2025-48074
 php{56,74,81,82,83,84}-piwigo<15.0.0   sql-injection   https://nvd.nist.gov/vuln/detail/CVE-2024-43018
+# https://github.com/jpadilla/pyjwt/issues/1080
 #py{27,39,310,311,312,313}-JWT-[0-9]*  weak-encryption https://nvd.nist.gov/vuln/detail/CVE-2025-45768
 qemu>=10.0.0   unspecified     https://nvd.nist.gov/vuln/detail/CVE-2025-54566
 qemu>=10.0.0   unspecified     https://nvd.nist.gov/vuln/detail/CVE-2025-54567
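Review bot: the added comment above `#py{27,39,310,311,312,313}-JWT-[0-9]*` is a bare issue URL with no stated reason, while the other disabled entries in this diff say `disputed`, `rejected` or similar. Add a few words on why CVE-2025-45768 is disabled so a reader does not have to open the issue to find out.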
@@ -27377,6 +27408,7 @@ postgresql-server>=15<15.14     code-injecti
 postgresql-server>=16<16.10    code-injection          https://nvd.nist.gov/vuln/detail/CVE-2025-8715
 postgresql-server>=17<17.6     code-injection          https://nvd.nist.gov/vuln/detail/CVE-2025-8715
 proftpd<1.3.3d                 backdoor                https://nvd.nist.gov/vuln/detail/CVE-2010-20103
+# disputed, this is how Python's import works
 #py{27,39,310,311,312,313}-future-[0-9]*       arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2025-50817
 py{27,39,310,311,312,313}-pdf<6.0.0    denial-of-service               https://nvd.nist.gov/vuln/detail/CVE-2025-55197
 retroarch<1.21.0                       out-of-bounds-read              https://nvd.nist.gov/vuln/detail/CVE-2025-9136
@@ -27533,6 +27565,7 @@ xenkernel418-[0-9]*     race-condition                  htt
 xenkernel420<4.20.2    null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-27466
 xenkernel420<4.20.2    null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-58142
 xenkernel420<4.20.2    race-condition                  https://nvd.nist.gov/vuln/detail/CVE-2025-58143
+# xenkernel for ARM, not packaged in pkgsrc
 #xenkernel-[0-9]*      null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-58144
 #xenkernel-[0-9]*      privilege-escalation            https://nvd.nist.gov/vuln/detail/CVE-2025-58145
 zabbix-server-{mysql,postgresql}>=7.0<7.0.14   information-disclosure  https://nvd.nist.gov/vuln/detail/CVE-2025-27238
@@ -27712,6 +27745,7 @@ ap24-auth-openidc<2.4.13.2      denial-of-ser
 ap24-auth-openidc<2.4.15.2     denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2024-24814
 ap24-auth-openidc<2.4.16.11    information-disclosure  https://nvd.nist.gov/vuln/detail/CVE-2025-31492
 ap24-auth-openidc<2.4.13.2     denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-3891
+# disputed by upstream, see https://modsecurity.org/20241011/about-cve-2024-46292-2024-october/
 #ap24-modsecurity-[0-9]*       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2024-46292
 ap24-modsecurity<2.9.9         denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-47947
 ffmpeg5<5.1.7  out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2025-59728
@@ -28090,6 +28124,7 @@ dav1d<1.2.0     denial-of-service       https://nv
 dav1d<1.4.0    integer-overflow        https://nvd.nist.gov/vuln/detail/CVE-2024-1580
 dbus<1.15.6    denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2023-34969
 dmidecode<3.5  arbitrary-file-write    https://nvd.nist.gov/vuln/detail/CVE-2023-30630
+# not an issue in pkgsrc due how it is installed
 #dnscrypt-proxy-[0-9]* privilege-escalation    https://nvd.nist.gov/vuln/detail/CVE-2024-36587
 dnsdist>=1.9.0<1.9.4   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2024-25581
 dnsdist<1.9.10 denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-30193
@@ -28363,8 +28398,13 @@ frr<10.1.2     invalid-validation      https://nv
 tiff<4.7.0     buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-3164
 ganglia-webfrontend-[0-9]*     cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2024-52762
 ganglia-webfrontend-[0-9]*     cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2024-52763
+# disputed by the GCC project as missed hardening bug, not a vulnerability
 #gcc-[0-9]*    security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-4039
+# not considered a vulnerability issue, --no-absolute-filenames option should
+# be used instead:
+# <https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html>
 #gcpio-[0-9]*  symlink-attack  https://nvd.nist.gov/vuln/detail/CVE-2023-7216
+# not reproducible, rejected by uptsream
 #gdal-lib-[0-9]*       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-29480
 gdb<14.1       stack-overflow  https://nvd.nist.gov/vuln/detail/CVE-2023-39128
 gdb<14.0       use-after-free  https://nvd.nist.gov/vuln/detail/CVE-2023-39129
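Review bot: typo in the added gdal-lib comment, `uptsream` should be `upstream`. Since this commit restores the 1.736 text as it was, the spelling fix can go in a follow-up rather than in the revert itself.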
@@ -28461,6 +28501,7 @@ zabbix-agent<6.0.18     code-injection  https
 gindent<2.2.14 heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2023-40305
 gindent<2.2.14 heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2024-0911
 git-base<2.6.1 sensitive-information-disclosure        https://nvd.nist.gov/vuln/detail/CVE-2024-50338
+# disputed: https://lore.kernel.org/git/aQd_iisOrwX909Fr%fruit.crustytoothpaste.net@localhost/T/#t
 #git-base-[0-9]*       input-validation        https://nvd.nist.gov/vuln/detail/CVE-2024-52005
 git-base<2.26.1        sensitive-information-disclosure        https://nvd.nist.gov/vuln/detail/CVE-2024-52006
 git-lfs<3.6.1  sensitive-information-disclosure        https://nvd.nist.gov/vuln/detail/CVE-2024-53263
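Review bot: the lore.kernel.org link in the added `# disputed:` line reads `.../aQd_iisOrwX909Fr%fruit.crustytoothpaste.net@localhost/T/#t` here, which is not a usable message-id path. The same `%...@localhost` pattern appears in the contact address in the restored header, so this may be address rewriting rather than the file's real content; check that the URL in the committed file carries the intact message-id.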
@@ -28478,6 +28519,7 @@ glib2<2.82.5    integer-overflow        https://nv
 glib2<2.84.2   buffer-underflow        https://nvd.nist.gov/vuln/detail/CVE-2025-4373
 global<6.6.13  arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2024-38448
 glslang-[0-9]* null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-3010
+# disputed by upstream, considered a feature
 #gnome-settings-daemon-[0-9]*  unspecified     https://nvd.nist.gov/vuln/detail/CVE-2024-38394
 gnome-shell<44.5       security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-43090
 gnome-shell<44.5       security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-50977
@@ -28658,6 +28700,7 @@ bitcoin<30.0    denial-of-service       https://n
 bitcoin<30.0   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-54605
 consul<1.22.0  denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-11374
 consul<1.22.0  denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-11375
+# Questionable, needs to change the configuration files, see <https://www.openwall.com/lists/oss-security/2025/10/27/1>
 #dnsmasq-[0-9]*        heap-overflow                   https://nvd.nist.gov/vuln/detail/CVE-2025-12198
 #dnsmasq-[0-9]*        null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-12199
 #dnsmasq-[0-9]*        null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-12200
@@ -28715,6 +28758,7 @@ moodle<5.0.3    improper-authentication                 h
 moodle<5.0.3   brute-force                             https://nvd.nist.gov/vuln/detail/CVE-2025-62399
 moodle<5.0.3   information-disclosure                  https://nvd.nist.gov/vuln/detail/CVE-2025-62400
 moodle<5.0.3   improper-authorization                  https://nvd.nist.gov/vuln/detail/CVE-2025-62401
+# Only alpha and beta releases affected, never packaged in pkgsrc
 #openvpn>=2.7_alpha1<2.7_beta1 command-injection       https://nvd.nist.gov/vuln/detail/CVE-2025-10680
 py{27,39,310,311,312,313,314}-authlib<1.6.5    denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-62706
 py{27,39,310,311,312,313,314}-pdf<6.1.3        denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-62707
@@ -28773,6 +28817,7 @@ gstreamer1<1.24.10      out-of-bounds-read      ht
 gstreamer1<1.24.10     out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2024-47778
 gstreamer1<1.24.10     use-after-free          https://nvd.nist.gov/vuln/detail/CVE-2024-47834
 gstreamer1<1.24.10     null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2024-47835
+# Gstreamer Installer, not used by pkgsrc
 #gstreamer1-[0-9]*     privilege-escalation    https://nvd.nist.gov/vuln/detail/CVE-2025-2759
 gstreamer1<1.26.1      stack-overflow          https://nvd.nist.gov/vuln/detail/CVE-2025-3887
 gstreamer1<1.222.4     integer-overflow        https://nvd.nist.gov/vuln/detail/CVE-2023-37327
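Review bot: the context line `gstreamer1<1.222.4 integer-overflow` has a version bound that looks like a typo for 1.22.4. As written it also matches the releases that other lines in this hunk list as fixed (1.24.10, 1.26.1). It is not touched by this revert, but it is worth checking and correcting in a follow-up.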
@@ -28826,6 +28871,7 @@ chromium<140.0.7339.80  arbitrary-code-ex
 chromium<140.0.7339.80 information-disclosure  https://nvd.nist.gov/vuln/detail/CVE-2025-12909
 chromium<140.0.7339.80 sensitive-information-disclosure        https://nvd.nist.gov/vuln/detail/CVE-2025-12910
 chromium<140.0.7339.80 ui-spoofing             https://nvd.nist.gov/vuln/detail/CVE-2025-12911
+# wolfssh not supported in pkgsrc
 #curl<8.17.0   man-in-the-middle-attack        https://nvd.nist.gov/vuln/detail/CVE-2025-10966
 ffmpeg5<5.1.7  null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-7700
 ffmpeg6<6.1.3  null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-7700
@@ -28956,6 +29002,7 @@ tinyproxy<1.11.3        integer-overflow        https:
 wireshark<4.6.1                denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-13674
 webkit-gtk<2.50.2      multiple-vulnerabilities        https://webkitgtk.org/security/WSA-2025-0008.html
 kissfft-[0-9]* heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2025-34297
+# Only alpha, beta and rc1 affected
 #openvpn>=2.7_alpha1<2.7rc2    out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2025-12106
 python310-[0-9]*       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-13836
 python311-[0-9]*       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-13836
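Review bot: the added `# Only alpha, beta and rc1 affected` comment does not say why the entry is disabled. The earlier openvpn comment in this diff adds `never packaged in pkgsrc`; if the same reason applies to CVE-2025-12106, state it here as well.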
@@ -29286,6 +29333,7 @@ chromium<143.0.7499.192         code-injection  
 libtasn1<4.21.0        stack-overflow          https://nvd.nist.gov/vuln/detail/CVE-2025-13151
 lmdb-[0-9]*    out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2026-22185
 py{27,310,311,312,313,314}-urllib3<2.6.3       denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-21441
+# curl not built with ngtcp2
 #curl>=8.8.0<8.18.0    improper-certificate-validation https://nvd.nist.gov/vuln/detail/CVE-2025-13034
 curl<8.18.0    improper-certificate-validation https://nvd.nist.gov/vuln/detail/CVE-2025-14017
 curl<8.18.0    sensitive-information-disclosure        https://nvd.nist.gov/vuln/detail/CVE-2025-14524
@@ -29777,137 +29825,3 @@ ImageMagick<7.1.2.15  heap-overflow           http
 ImageMagick6<6.9.13.40 heap-overflow           https://nvd.nist.gov/vuln/detail/CVE-2026-26284
 ImageMagick<7.1.2.15   null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2026-26983
 ImageMagick6<6.9.13.40 null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2026-26983
-KeePass<2.44   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2020-37178
-SOGo-[0-9]*    cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2026-3054
-admesh-[0-9]*  heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2653
-apache-tomcat<9.0.113          input-validation        https://nvd.nist.gov/vuln/detail/CVE-2025-66614
-apache-tomcat>=10<10.1.50      input-validation        https://nvd.nist.gov/vuln/detail/CVE-2025-66614
-apache-tomcat>=11<11.0.15      input-validation        https://nvd.nist.gov/vuln/detail/CVE-2025-66614
-apache-tomcat<9.0.113          input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-24733
-apache-tomcat>=10<10.1.50      input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-24733
-apache-tomcat>=11<11.0.15      input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-24733
-apache-tomcat<9.0.115          input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-24734
-apache-tomcat>=10<10.1.52      input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-24734
-apache-tomcat>=11<11.0.18      input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-24734
-caddy<2.11.1   input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-27585
-caddy<2.11.1   input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-27586
-caddy<2.11.1   input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-27587
-caddy<2.11.1   input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-27588
-caddy<2.11.1   cross-site-request-forgery      https://nvd.nist.gov/vuln/detail/CVE-2026-27589
-caddy<2.11.1   input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-27590
-calibre<9.3.0  path-traversal  https://nvd.nist.gov/vuln/detail/CVE-2026-26064
-calibre<9.3.0  path-traversal  https://nvd.nist.gov/vuln/detail/CVE-2026-26065
-chromium<145.0.7632.45 heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2313
-chromium<145.0.7632.45 heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2314
-chromium<145.0.7632.45 out-of-bounds-access    https://nvd.nist.gov/vuln/detail/CVE-2026-2315
-chromium<145.0.7632.45 ui-spoofing     https://nvd.nist.gov/vuln/detail/CVE-2026-2316
-chromium<145.0.7632.45 information-disclosure  https://nvd.nist.gov/vuln/detail/CVE-2026-2317
-chromium<145.0.7632.45 ui-spoofing     https://nvd.nist.gov/vuln/detail/CVE-2026-2318
-chromium<145.0.7632.45 ui-spoofing     https://nvd.nist.gov/vuln/detail/CVE-2026-2319
-chromium<145.0.7632.45 ui-spoofing     https://nvd.nist.gov/vuln/detail/CVE-2026-2320
-chromium<145.0.7632.45 heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2321
-chromium<145.0.7632.45 ui-spoofing     https://nvd.nist.gov/vuln/detail/CVE-2026-2322
-chromium<145.0.7632.45 ui-spoofing     https://nvd.nist.gov/vuln/detail/CVE-2026-2323
-chromium<145.0.7632.75 use-after-free  https://nvd.nist.gov/vuln/detail/CVE-2026-2441
-chromium<145.0.7632.109        out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2026-2648
-chromium<145.0.7632.109        heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2649
-chromium<145.0.7632.109        heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2650
-chromium<145.0.7632.116        out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2026-3061
-chromium<145.0.7632.116        out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2026-3062
-chromium<145.0.7632.116        code-injection  https://nvd.nist.gov/vuln/detail/CVE-2026-3063
-clamav-[0-9]*  code-injection  https://nvd.nist.gov/vuln/detail/CVE-2020-37167
-coturn<4.9.0   improper-access-control https://nvd.nist.gov/vuln/detail/CVE-2026-27624
-curl<8.18.0    arbitrary-file-overwrite        https://nvd.nist.gov/vuln/detail/CVE-2025-11563
-dropbear>=2024.84<2025.88      privilege-escalation    https://nvd.nist.gov/vuln/detail/CVE-2025-14282
-erlang<27.3.4.8        path-traversal  https://nvd.nist.gov/vuln/detail/CVE-2026-21620
-ffmpeg7<7.1.2  null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-10256
-ffmpeg8<8.0    null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-10256
-ffmpeg7<7.1.2  double-free     https://nvd.nist.gov/vuln/detail/CVE-2025-12343
-ffmpeg8<8.1    double-free     https://nvd.nist.gov/vuln/detail/CVE-2025-12343
-gimp<3.0.8     heap-overflow           https://nvd.nist.gov/vuln/detail/CVE-2026-0797
-gimp<3.0.8     remote-code-execution   https://nvd.nist.gov/vuln/detail/CVE-2026-2044
-gimp<3.0.8     out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2026-2045
-gimp<3.0.8     heap-overflow           https://nvd.nist.gov/vuln/detail/CVE-2026-2047
-gimp<3.0.8     out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2026-2048
-grafana<12.2.0 cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2025-41117
-grafana<12.2.0 security-bypass         https://nvd.nist.gov/vuln/detail/CVE-2026-21722
-gsoap-[0-9]*   path-traversal  https://nvd.nist.gov/vuln/detail/CVE-2019-25355
-hdf5<1.14.4.2  heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-26200
-janet<1.41.0   out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2026-2869
-jenkins<2.551  cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2026-27099
-jenkins<2.551  information-disclosure  https://nvd.nist.gov/vuln/detail/CVE-2026-27100
-libde265-[0-9]*        denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-61147
-libjxl<0.11.2  denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-12474
-libjxl<0.11.2  denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-1837
-libsixel<1.8.8 memory-leak     https://nvd.nist.gov/vuln/detail/CVE-2025-61146
-libsoup<3.6.6  out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2026-2443
-libvips-[0-9]* heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2913
-libvips-[0-9]* memory-corruption       https://nvd.nist.gov/vuln/detail/CVE-2026-3145
-libvips-[0-9]* denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-3146
-libvips-[0-9]* heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-3147
-metabase<0.58.7        code-injection  https://nvd.nist.gov/vuln/detail/CVE-2026-27464
-minisat-[0-9]* denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-2644
-moodle<5.0.5   code-injection  https://nvd.nist.gov/vuln/detail/CVE-2026-26045
-moodle<5.0.5   command-injection       https://nvd.nist.gov/vuln/detail/CVE-2026-26046
-moodle<5.0.5   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-26047
-nats-server<2.12.3     denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-27571
-openbabel-[0-9]*       out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2026-2704
-openbabel-[0-9]*       out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2026-2705
-openexr<3.4.5  out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2026-26981
-p5-Crypt-URandom<0.55  heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2474
-p5-Image-ExifTool<13.50        command-injection       https://nvd.nist.gov/vuln/detail/CVE-2026-3102
-php{56,74,81,82,83,84}-owncloud-[0-9]* denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2019-25337
-php{56,74,81,82,83,84}-piwigo<15.0.0   insufficiently-random-numbers   https://nvd.nist.gov/vuln/detail/CVE-2024-48928
-php{56,74,81,82,83,84}-piwigo-[0-9]*   information-disclosure  https://nvd.nist.gov/vuln/detail/CVE-2025-62512
-postgresql-server<14.21                input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2003
-postgresql-server>=15<15.16    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2003
-postgresql-server>=16<16.12    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2003
-postgresql-server>=17<17.8     input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2003
-postgresql-server>=18<18.2     input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2003
-postgresql-server<14.21                input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=15<15.16    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=15<15.16    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=15<15.16    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=15<15.16    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=15<15.16    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=16<16.12    input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=17<17.8     input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server>=18<18.2     input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-2004
-postgresql-server<14.21                heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2005
-postgresql-server>=15<15.16    heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2005
-postgresql-server>=16<16.12    heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2005
-postgresql-server>=17<17.8     heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2005
-postgresql-server>=17<17.8     heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2005
-postgresql-server>=18<18.2     heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2005
-postgresql-server<14.21                arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2026-2006
-postgresql-server>=15<15.16    arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2026-2006
-postgresql-server>=16<16.12    arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2026-2006
-postgresql-server>=17<17.8     arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2026-2006
-postgresql-server>=18<18.2     arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2026-2006
-postgresql-server>=18<18.2     heap-overflow   https://nvd.nist.gov/vuln/detail/CVE-2026-2007
-py{27,310,311,312,313,314}-Pillow<12.1.1       out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2026-25990
-py{27,310,311,312,313,314}-flask<3.1.3 sensitive-information-disclosure        https://nvd.nist.gov/vuln/detail/CVE-2026-27205
-py{27,310,311,312,313,314}-nltk<3.9.3  arbitrary-code-execution        https://nvd.nist.gov/vuln/detail/CVE-2025-14009
-py{27,310,311,312,313,314}-pdf<6.7.1   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-27024
-py{27,310,311,312,313,314}-pdf<6.7.1   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-27025
-py{27,310,311,312,313,314}-pdf<6.7.1   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-27026
-py{27,310,311,312,313,314}-pdf<6.7.2   denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-27628
-py{27,310,311,312,313,314}-werkzeug<3.1.6      input-validation        https://nvd.nist.gov/vuln/detail/CVE-2026-27199
-qemu-[0-9]*    denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2025-14876
-qemu<10.1.0    sensitive-information-disclosure        https://nvd.nist.gov/vuln/detail/CVE-2025-8860
-qemu-[0-9]*    out-of-bounds-write     https://nvd.nist.gov/vuln/detail/CVE-2026-0665
-qemu-[0-9]*    out-of-bounds-read      https://nvd.nist.gov/vuln/detail/CVE-2026-2243
-re2c-[0-9]*    denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-2903
-ruby{32,33,34,40}-rack2<2.2.22 path-traversal  https://nvd.nist.gov/vuln/detail/CVE-2026-22860
-ruby{32,33,34,40}-rack<3.2.5   path-traversal  https://nvd.nist.gov/vuln/detail/CVE-2026-22860
-ruby{32,33,34,40}-rack2<2.2.22 cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2026-25500
-ruby{32,33,34,40}-rack<3.2.5   cross-site-scripting    https://nvd.nist.gov/vuln/detail/CVE-2026-25500
-tiff<4.7.1     null-pointer-dereference        https://nvd.nist.gov/vuln/detail/CVE-2025-61143
-tiff<4.7.1     stack-overflow  https://nvd.nist.gov/vuln/detail/CVE-2025-61144
-tiff<4.7.1     double-free     https://nvd.nist.gov/vuln/detail/CVE-2025-61145
-vaultwarden<1.35.3     improper-authorization  https://nvd.nist.gov/vuln/detail/CVE-2026-26012
-vim<9.1.2148   stack-overflow  https://nvd.nist.gov/vuln/detail/CVE-2026-26269
-yt-dlp<2026.02.21      command-injection       https://nvd.nist.gov/vuln/detail/CVE-2026-26331
-zlib<1.3.2     denial-of-service       https://nvd.nist.gov/vuln/detail/CVE-2026-27171
-zoneminder-[0-9]*      command-injection       https://nvd.nist.gov/vuln/detail/CVE-2025-65791
-zoneminder<1.38.1      sql-injection   https://nvd.nist.gov/vuln/detail/CVE-2026-27470
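Review bot: the 134 entries dropped at the end of the file are not mentioned in the log message, which only talks about comments, and their removal conflicts with the "NEVER remove entries from this file" note restored in the first hunk. If they are collateral of reverting to 1.736, say so in the log and re-add them in a follow-up. When re-adding, deduplicate: `postgresql-server>=15<15.16` for CVE-2026-2004 appears five times and `postgresql-server>=17<17.8` for CVE-2026-2005 twice.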


