Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-0696
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    23 packages
    • mopsa
    • sipsak
    • sharpsat-td
    • purescript-psa
    • svndumpsanitizer
    • phpPackages.psalm
    • ocamlPackages.mopsa
    • php82Packages.psalm
    • php83Packages.psalm
    • php84Packages.psalm
    • haskellPackages.cpsa
    • python312Packages.tapsaff
    • python313Packages.tapsaff
    • nodePackages.purescript-psa
    • python312Packages.markupsafe
    • python312Packages.psautohint
    • python313Packages.markupsafe
    • python313Packages.psautohint
    • terraform-providers.vpsadmin
    • nodePackages_latest.purescript-psa
    • python312Packages.types-markupsafe
    • python313Packages.types-markupsafe
    • terraform-providers.vpsfreecz_vpsadmin
    2 months ago
  • @LeSuisse dismissed 2 months ago
Session Cookies Missing HttpOnly Attribute

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

References

Affected products

PSA
  • ==All versions prior to 2026.1 
Impacted software not present in nixpkgs