Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1620
published 4 weeks, 1 day ago
CVE-2026-45395
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
open-webui
  • ==< 0.9.5
NIXPKGS-2026-1619
published 4 weeks, 1 day ago
CVE-2026-45399
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
open-webui
  • ==< 0.9.0
NIXPKGS-2026-1617
published 4 weeks, 1 day ago
CVE-2026-45331
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature
open-webui
  • ==< 0.9.0
NIXPKGS-2026-1618
published 4 weeks, 1 day ago
CVE-2026-44562
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Open WebUI: Model Import Overwrites Any Model Without Ownership Check
open-webui
  • ==< 0.9.0
NIXPKGS-2026-1616
published 4 weeks, 1 day ago
CVE-2026-44550
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Open WebUI: Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
open-webui
  • ==< 0.9.0
NIXPKGS-2026-1615
published 4 weeks, 1 day ago
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified
Crypt-DSA
  • =<1.19
NIXPKGS-2026-1614
published 4 weeks, 1 day ago
CVE-2026-45773
5.1 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse added
    2 maintainers
    • @Hythera
    • @getchoo
    maintainer.add
  • @LeSuisse ignored maintainer @humemm maintainer.ignore
  • @LeSuisse ignored package turborepo-remote-cache
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Turborepo: Login callback CSRF/session fixation
turborepo
  • ==< 2.9.14
NIXPKGS-2026-1613
published 4 weeks, 1 day ago
CVE-2026-44309
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • vimPlugins.gitsigns-nvim
    • luaPackages.gitsigns-nvim
    • lua51Packages.gitsigns-nvim
    • lua52Packages.gitsigns-nvim
    • lua53Packages.gitsigns-nvim
    • lua54Packages.gitsigns-nvim
    • lua55Packages.gitsigns-nvim
    • luajitPackages.gitsigns-nvim
  • @LeSuisse ignored
    2 maintainers
    • @LeSuisse
    • @developer-guy
    maintainer.ignore
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
gitsign
  • ==< 0.16.0
NIXPKGS-2026-1612
published 4 weeks, 1 day ago
CVE-2026-44310
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 maintainers
    • @LeSuisse
    • @developer-guy
    maintainer.ignore
  • @LeSuisse ignored
    8 packages
    • vimPlugins.gitsigns-nvim
    • luaPackages.gitsigns-nvim
    • lua51Packages.gitsigns-nvim
    • lua52Packages.gitsigns-nvim
    • lua53Packages.gitsigns-nvim
    • lua54Packages.gitsigns-nvim
    • lua55Packages.gitsigns-nvim
    • luajitPackages.gitsigns-nvim
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
gitsign
  • ==>= 0.4.0, < 0.15.0
NIXPKGS-2026-1611
published 4 weeks, 2 days ago
updated 4 weeks, 2 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Mistune ReDoS in LINK_TITLE_RE allows denial of service with crafted Markdown titles
mistune
  • ==>=3.0.0a1, <= 3.2.0