Nixpkgs Security Tracker

Suggestion detail

Dismissed
CVE-2026-25958
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
Updated 1 month, 1 week ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    40 packages
    • cubeb
    • kmscube
    • pascube
    • musikcube
    • roundcube
    • classicube
    • metacubexd
    • assaultcube
    • stm32cubemx
    • gamecube-tools
    • hyperspeedcube
    • dockapps.wmcube
    • idrisPackages.cube
    • spacenav-cube-example
    • kdePackages.kjumpingcube
    • roundcubePlugins.carddav
    • gnomeExtensions.desktop-cube
    • phpExtensions.ioncube-loader
    • python312Packages.complycube
    • python313Packages.complycube
    • python314Packages.complycube
    • roundcubePlugins.contextmenu
    • roundcubePlugins.custom_from
    • haskellPackages.resistor-cube
    • python312Packages.maxcube-api
    • python313Packages.maxcube-api
    • python314Packages.maxcube-api
    • haskellPackages.marching-cubes
    • php81Extensions.ioncube-loader
    • php82Extensions.ioncube-loader
    • php83Extensions.ioncube-loader
    • php84Extensions.ioncube-loader
    • haskellPackages.marching-cubes2
    • python312Packages.spectral-cube
    • python313Packages.spectral-cube
    • python314Packages.spectral-cube
    • roundcubePlugins.persistent_login
    • roundcubePlugins.thunderbird_labels
    • home-assistant-component-tests.maxcube
    • tests.home-assistant-component-tests.maxcube
  • @LeSuisse dismissed
Cube privilege escalation via a specially crafted request

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.

Affected products

cube
  • >= 0.27.19, < 1.0.14
  • >= 1.1.0, < 1.4.2
  • >= 1.5.0, < 1.5.13
Not present in nixpkgs.