NIXPKGS-2026-0607
GitHub issue
published 3 months, 2 weeks ago
CVE-2026-30913
4.6 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
by @mweinelt
Activity log
- Created suggestion
- @mweinelt added 2 maintainers (maintainer.add): @fsagbuya, @jasonodoom
- @mweinelt ignored package sbclPackages.trivial-package-local-nicknames
- @mweinelt accepted
- @mweinelt published on GitHub
flarum/nickname: Display name injection in notification emails (autolink & markdown)
Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.
References
- https://github.com/flarum/framework/security/advisories/GHSA-3c4m-j3g4-hh25 (x_refsource_CONFIRM)
- https://github.com/flarum/nicknames/releases/tag/v1.8. (x_refsource_MISC)
Affected products
- nicknames: < 1.8.3
Ignored packages (1)
- nixos-unstable 20220220-git
- nixpkgs-unstable 20220220-git
- nixos-unstable-small 20220220-git
Package maintainers
Additional maintainers
- @jasonodoom Jason Odoom <jasonodoom@riseup.net>
- @fsagbuya Florian Agbuya <fa@m-labs.ph>