How many CVEs affect Debian 13?

Debian 13 (Trixie) is filtered out of the broader Debian ecosystem feed by ecosystem tag (Debian:13). Live counts appear at the top of this page; the underlying feed is rebuilt daily.

How do I check Debian 13 CVEs on a running host?

For a quick check: `apt list --upgradable 2>/dev/null | grep -ci security`. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:13 ecosystem feed.

Where does the Debian 13 data come from?

Upstream is the Debian Security Tracker, which OSV.dev ingests and republishes in a normalised ecosystem feed. Noxen consumes the OSV feed, dedupes against NVD, and publishes signed daily snapshots.

CVE coverage

Debian 13 CVE tracker

Noxen pulls Debian 13 (Trixie) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Records are deduped against NVD and shipped in a signed snapshot, rebuilt daily.

Live

Headline numbers

Total CVE records (all distros)Loading…
Last buildLoading…
OSV records (Debian + others)Loading…
NVD records (cross-platform)Loading…

How matching works

What Noxen does for a Debian 13 host

Reads /etc/os-release over SSH to confirm the host is on Debian 13.
Reads the dpkg package list — every binary package, plus its corresponding source package via dpkg-query --showformat='${Source}'.
Filters the local feed cache to OSV records tagged with ecosystem Debian:13.
For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.

Live listings

Top recent critical CVEs (Debian 13 / Debian ecosystem)

Most-recently-published critical CVEs in the Debian 13 / Debian ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at 2026-05-12; live re-fetch on page load.

CVE	Sev.	CVSS	Summary	Package	Fix in	Published
DEBIAN-CVE-2026-41070	critical	10.0	openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental p	openvpn-auth-oauth2	1.27.3-1	2026-05-08
DEBIAN-CVE-2013-10075	critical	9.1	Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being rev	libapache-session-perl	—	2026-05-08
DEBIAN-CVE-2026-42284	critical	9.8	GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config	python-git	—	2026-05-07
DEBIAN-CVE-2026-8094	critical	9.8	Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.	firefox-esr	140.10.2esr-1~deb11u1	2026-05-07
DEBIAN-CVE-2026-8091	critical	9.8	Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.	firefox-esr	140.10.1esr-1~deb11u1	2026-05-07
DEBIAN-CVE-2026-44603	critical	9.1	Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.	tor	—	2026-05-07
DEBIAN-CVE-2026-42217	critical	9.8	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVa	openexr	—	2026-05-07
DEBIAN-CVE-2026-42216	critical	9.1	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDMani	openexr	—	2026-05-07

Top recent high-severity CVEs (Debian 13 / Debian ecosystem)

CVE	Sev.	CVSS	Summary	Package	Fix in	Published
DEBIAN-CVE-2026-6665	high	8.1	The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can	pgbouncer	—	2026-05-09
DEBIAN-CVE-2026-6664	high	7.5	An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet.	pgbouncer	—	2026-05-09
DEBIAN-CVE-2026-6659	high	7.5	Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography.	libcrypt-passwdmd5-perl	—	2026-05-08
DEBIAN-CVE-2026-41570	high	7.8	PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharac	phpunit	—	2026-05-08
DEBIAN-CVE-2026-43284	high	7.8	In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after s	linux	5.10.251-4	2026-05-08
DEBIAN-CVE-2026-42264	high	7.4	Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via dire	node-axios	—	2026-05-08
DEBIAN-CVE-2026-40213	high	7.4	OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope.	cyborg	—	2026-05-07
DEBIAN-CVE-2026-8087	high	7.8	A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow.	gdal	—	2026-05-07

New to severity terminology? CVE, CVSS, CWE, CPE explained.

Notable

Recent CVEs Debian 13 operators should know.

CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE.. Debian advisory · Noxen deep-dive.
CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1.. Debian advisory · Noxen deep-dive.
CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild.. Debian advisory.
CVE-2026-31431 (kernel algif_aead) — Local privilege escalation in the kernel's userspace AEAD interface.. Debian advisory · Noxen deep-dive.

Scan a Debian 13 fleet with Noxen

Add your Debian 13 hosts via your existing ~/.ssh/config; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip. $79 one-time.

← back to the CVE dashboard Ubuntu 22.04 → Debian 12 →