Nixpkgs Security Tracker

Suggestion detail

Dismissed
CVE-2026-0549
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 1 month ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    31 packages
    • fedigroups
    • sway-assign-cgroups
    • haskellPackages.groups
    • haskellPackages.semigroups
    • haskellPackages.groups-generic
    • haskellPackages.finite-semigroups
    • haskellPackages.quickcheck-groups
    • haskellPackages.numbered-semigroups
    • python312Packages.dependency-groups
    • python313Packages.dependency-groups
    • python314Packages.dependency-groups
    • gnomeExtensions.kolour-groups-windows
    • haskellPackages.gogol-groups-settings
    • haskellPackages.commutative-semigroups
    • haskellPackages.gogol-groups-migration
    • haskellPackages.amazonka-resourcegroups
    • chickenPackages_5.chickenEggs.posix-groups
    • python312Packages.mypy-boto3-resource-groups
    • python313Packages.mypy-boto3-resource-groups
    • python314Packages.mypy-boto3-resource-groups
    • python312Packages.azure-mgmt-managementgroups
    • python313Packages.azure-mgmt-managementgroups
    • python314Packages.azure-mgmt-managementgroups
    • haskellPackages.amazonka-resourcegroupstagging
    • python312Packages.types-aiobotocore-resource-groups
    • python313Packages.types-aiobotocore-resource-groups
    • python312Packages.mypy-boto3-resourcegroupstaggingapi
    • python313Packages.mypy-boto3-resourcegroupstaggingapi
    • python314Packages.mypy-boto3-resourcegroupstaggingapi
    • python312Packages.types-aiobotocore-resourcegroupstaggingapi
    • python313Packages.types-aiobotocore-resourcegroupstaggingapi
  • @LeSuisse dismissed
Groups <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode

The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groups_group_info' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected products

Groups
  • <=3.10.0
Ignored packages (31)
WP plugin not present in nixpkgs.