Debian 13 CVE tracker
Noxen pulls Debian 13 (Trixie) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Records are deduped against NVD and shipped in a signed snapshot, rebuilt daily.
How matching works
What Noxen does for a Debian 13 host
- Reads `/etc/os-release` over SSH to confirm the host is on Debian 13.
- Reads the dpkg package list: every binary package, plus its corresponding source package via `dpkg-query --showformat='${Source}'`.
- Filters the local feed cache to OSV records tagged with ecosystem `Debian:13`.
- For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
- Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.
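The comparison and matching steps above, as an added example that is not Noxen's code: a dpkg-style version comparison (epoch, then upstream, then debian-revision, following dpkg's character weights) and the match that emits a finding only when the installed version is older than the fix. The host versions and the record shape are constructed; the CVE ids and packages come from the tables below, and the gegl fix version is the one the page lists.

```python
import re
from itertools import zip_longest

def _order(c: str) -> int:
    """dpkg weight: end of string 0, '~' below everything, letters by code point, other punctuation above."""
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """One component (upstream or revision): non-digit runs compare by weight, digit runs numerically."""
    chunks = r"([^0-9]*)([0-9]*)"
    pairs = zip_longest(re.findall(chunks, a), re.findall(chunks, b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if d := _order(ca) - _order(cb):
                return d
        if d := int(na or 0) - int(nb or 0):
            return d
    return 0

def compare_versions(a: str, b: str) -> int:
    """<0 if a is older than b, 0 if equal, >0 if newer: epoch, then upstream, then debian-revision."""
    def split(v: str):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)   # epoch ends at the first ':'
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")  # revision starts at the last '-'
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def match_host(installed: dict, records: list) -> list:
    """installed: {source_package: version} from dpkg; records: OSV-like dicts with id, package, fixed.
    A finding is emitted only when the installed version is older than the published fix."""
    findings = []
    for rec in records:
        cur = installed.get(rec["package"])
        if cur is None or rec["fixed"] is None:
            continue  # package not installed, or no fixed version to compare against
        if compare_versions(cur, rec["fixed"]) < 0:
            findings.append((rec["id"], rec["package"], cur, rec["fixed"]))
    return findings

# Constructed sample (not real host data): ids and packages from this page's tables,
# versions made up except the gegl fix, which the page lists.
INSTALLED = {"gegl": "1:0.4.26-2+deb11u1", "cacti": "1.2.31+ds1-1", "rclone": "1.74.2-1"}
RECORDS = [
    {"id": "DEBIAN-CVE-2026-2050", "package": "gegl", "fixed": "1:0.4.26-2+deb11u2"},
    {"id": "DEBIAN-CVE-2026-39955", "package": "cacti", "fixed": "1.2.31+ds1-1"},
    {"id": "DEBIAN-CVE-2026-49980", "package": "rclone", "fixed": None},
]
```

Records with no published fix (the "—" rows in the tables below) are skipped here because there is no version to compare against; a fleet report would still want to list them as unfixed.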
Live listings
Top recent critical CVEs (Debian 13 / Debian ecosystem)
Most-recently-published critical CVEs in the Debian 13 / Debian ecosystem. Auto-deduped to one row per CVE ID.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-39955 | critical | 9.8 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31. | cacti | — | |
| DEBIAN-CVE-2026-39938 | critical | 9.8 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31. | cacti | — | |
| DEBIAN-CVE-2026-39893 | critical | 9.8 | Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (grap | cacti | — | |
| DEBIAN-CVE-2026-49980 | critical | 9.8 | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path] | rclone | — | |
| DEBIAN-CVE-2026-13032 | critical | 9.6 | Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | chromium | — | |
| DEBIAN-CVE-2026-13028 | critical | 9.6 | Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | chromium | — | |
| DEBIAN-CVE-2026-9265 | critical | 9.1 | Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncp | libcrypt-openssl-pkcs12-perl | — | |
| DEBIAN-CVE-2026-49268 | critical | 9.1 | A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 s | shiro | — | |
Top recent high-severity CVEs (Debian 13 / Debian ecosystem)
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| DEBIAN-CVE-2026-39951 | high | 7.6 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31. | cacti | — | |
| DEBIAN-CVE-2026-2050 | high | 7.8 | GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulne | gegl | 1:0.4.26-2+deb11u2 | |
| DEBIAN-CVE-2026-13038 | high | 8.8 | Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | chromium | — | |
| DEBIAN-CVE-2026-13037 | high | 7.8 | Use after free in WebView in Google Chrome on Android prior to 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | chromium | — | |
| DEBIAN-CVE-2026-13036 | high | 8.8 | Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | chromium | — | |
| DEBIAN-CVE-2026-13035 | high | 8.8 | Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High) | chromium | — | |
| DEBIAN-CVE-2026-13033 | high | 8.8 | Out of bounds read and write in Blink>InterestGroups in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | chromium | — | |
| DEBIAN-CVE-2026-13031 | high | 8.8 | Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | chromium | — | |
Notable
Recent CVEs Debian 13 operators should know.
- CVE-2024-6387 (regreSSHion): OpenSSH signal-handler race producing pre-auth RCE. Debian advisory · Noxen deep-dive.
- CVE-2024-3094 (xz backdoor): Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1. Debian advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF): Linux kernel privilege escalation, observed in the wild. Debian advisory.
- CVE-2026-31431 (kernel algif_aead): Local privilege escalation in the kernel's userspace AEAD interface. Debian advisory · Noxen deep-dive.
FAQ
Frequently asked about Debian 13 CVEs
How many CVEs affect Debian 13?
Debian 13 (Trixie) is filtered out of the broader Debian ecosystem feed by ecosystem tag (Debian:13). Live counts appear at the top of this page; the underlying feed is rebuilt daily.
How do I check Debian 13 CVEs on a running host?
For a quick check: `apt list --upgradable 2>/dev/null | grep -ci security`. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV `Debian:13` ecosystem feed.
Where does the Debian 13 data come from?
Upstream is the Debian Security Tracker, which OSV.dev ingests and republishes in a normalised ecosystem feed. Noxen consumes the OSV feed, dedupes against NVD, and publishes signed daily snapshots.
Scan a Debian 13 fleet with Noxen
Add your Debian 13 hosts via your existing `~/.ssh/config`; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.