Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-2019
published 6 hours ago
skypilot-org skypilot User ID server.py username.encode weak hash
Permalink CVE-2026-13482
2.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 6 hours ago by @LeSuisse Activity log

skypilot-org skypilot User ID server.py username.encode weak hash

skypilot
  • ==0.12.0
  • ==0.4
  • ==0.7
  • ==0.1
  • ==0.10
  • ==0.6
  • ==0.2
  • ==0.5
  • ==0.11
  • ==0.8
  • ==0.9
  • ==0.3
NIXPKGS-2026-2018
published 2 days, 7 hours ago
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
Permalink CVE-2026-11702
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes

Bytes-Random-Secure-Tiny
  • =<1.011
NIXPKGS-2026-2017
published 2 days, 7 hours ago
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Permalink CVE-2026-11625
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse ignored
    4 packages
    • perlPackages.BytesRandomSecureTiny
    • perl540Packages.BytesRandomSecureTiny
    • perl538Packages.BytesRandomSecureTiny
    • perl5Packages.BytesRandomSecureTiny
    2 days, 7 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes

Bytes-Random-Secure
  • =<0.29
NIXPKGS-2026-2016
published 2 days, 7 hours ago
Dragonfly: RESTORE operations may crash the server
Permalink CVE-2026-54341
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse ignored
    4 packages
    • dragonfly-reverb
    • python312Packages.dragonfly
    • python313Packages.dragonfly
    • python314Packages.dragonfly
    2 days, 7 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Dragonfly: RESTORE operations may crash the server

dragonfly
  • ==< 1.39.0
NIXPKGS-2026-2015
published 2 days, 7 hours ago
libnfs through 6.0.2 before 935b8db has an xid integer underflow …
Permalink CVE-2026-57918
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

libnfs through 6.0.2 before 935b8db has an xid integer underflow …

libnfs
  • <935b8db712b3c6649bc57ddc276526c4a31680de
NIXPKGS-2026-2014
published 2 days, 7 hours ago
GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion
Permalink CVE-2026-48529
6.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

github-mcp-server
  • ==>= 0.22.0, < 1.1.2 
Needs a backport
NIXPKGS-2026-2013
published 2 days, 7 hours ago
Podman: Malformed Image can trick podman run into leaking host environment variables into the container
Permalink CVE-2026-57231
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse ignored
    9 packages
    • podman-tui
    • podman-bootc
    • cockpit-podman
    • podman-compose
    • podman-desktop
    • nomad-driver-podman
    • python312Packages.podman
    • python313Packages.podman
    • python314Packages.podman
    2 days, 7 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Podman: Malformed Image can trick podman run into leaking host environment variables into the container

podman
  • ==>= 1.8.1, < 5.8.4
NIXPKGS-2026-2012
published 2 days, 7 hours ago
python3Packages.kestra: security issues < 1.3.24
Permalink CVE-2026-48129
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 1 week, 2 days ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Kestra task inputFiles accepts traversal filenames for worker file writes

kestra
  • ==< 1.0.43
  • ==>= 1.3.0, < 1.3.19
  • ==>= 1.2.0, < 1.2.19
  • ==>= 1.1.0, < 1.1.19
Permalink CVE-2026-49984
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download API (`\..\` bypasses the `..` guard)

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.23
Permalink CVE-2026-49869
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.21
Permalink CVE-2026-45807
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints allows arbitrary file read

kestra
  • ==< 1.0.43
  • ==>= 1.1.0, < 1.3.19
Permalink CVE-2026-55069
8.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack

kestra
  • ==< 1.3.24
Permalink CVE-2026-53576
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.21
Permalink CVE-2026-53577
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.21
NIXPKGS-2026-2011
published 2 days, 7 hours ago
mise: security issues < 2026.6.4
Permalink CVE-2026-55448
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse ignored
    10 packages
    • ocamlPackages.promise_jsoo
    • python312Packages.heatmiserv3
    • python313Packages.heatmiserv3
    • python314Packages.heatmiserv3
    • haskellPackages.unsafe-promises
    • ocamlPackages_latest.promise_jsoo
    • python313Packages.promise
    • haskellPackages.promises
    • python312Packages.promise
    • python314Packages.promise
    2 days, 7 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

mise: Local credential_command executes untrusted config

mise
  • ==< 2026.6.4
Permalink CVE-2026-54557
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse ignored
    10 packages
    • haskellPackages.promises
    • python312Packages.promise
    • python313Packages.promise
    • python314Packages.promise
    • ocamlPackages.promise_jsoo
    • python312Packages.heatmiserv3
    • python313Packages.heatmiserv3
    • python314Packages.heatmiserv3
    • haskellPackages.unsafe-promises
    • ocamlPackages_latest.promise_jsoo
    2 days, 7 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

mise HTTP backend uses raw version path for install symlink destination

mise
  • ==< 2026.6.1
Permalink CVE-2026-55441
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse ignored
    10 packages
    • haskellPackages.promises
    • python314Packages.promise
    • ocamlPackages.promise_jsoo
    • python312Packages.heatmiserv3
    • python313Packages.heatmiserv3
    • python314Packages.heatmiserv3
    • haskellPackages.unsafe-promises
    • ocamlPackages_latest.promise_jsoo
    • python313Packages.promise
    • python312Packages.promise
    2 days, 7 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

mise: Arbitrary command execution via task-include files in an untrusted, config-less repository

mise
  • ==< 2026.6.4
NIXPKGS-2026-2010
published 2 days, 7 hours ago
You track: security issues < 2026.2.16593
Permalink CVE-2026-49370
3.4 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 4 weeks, 2 days ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on …

YouTrack
  • <2026.1.13162
Permalink CVE-2026-57926
2.6 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57925
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57924
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57922
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57923
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57921
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 7 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 13 hours ago
  • @LeSuisse accepted 2 days, 7 hours ago
  • @LeSuisse published on GitHub 2 days, 7 hours ago

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading …

YouTrack
  • <2026.2.16593