Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0085

NIXPKGS-2026-0085
published on
Permalink CVE-2026-22808
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    15 packages
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    3 months, 1 week ago
  • @LeSuisse deleted maintainer @asauzeau 3 months, 1 week ago maintainer.delete
  • @LeSuisse added
    6 maintainers
    • @commiterate
    • @dotlambda
    • @fabaff
    • @mweinelt
    • @mbalatsko
    • @katexochen
    3 months, 1 week ago maintainer.add
  • @LeSuisse ignored package fleetctl 3 months, 1 week ago
  • @LeSuisse added maintainer @ulrikstrid 3 months, 1 week ago maintainer.add
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

Affected products

fleet
  • ==>= 4.77.0, < 4.77.1
  • ==>= 4.78.0, < 4.78.2
  • ==>= 4.76.0, < 4.76.2
  • ==< 4.53.3

Matching in nixpkgs

pkgs.fleet

CLI tool to launch Fleet server

Ignored packages (16)

Package maintainers

Ignored maintainers (1)

Additional maintainers

Upstream advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j