Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-27793
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 weeks, 2 days ago
  • @LeSuisse removed
    7 packages
    • overseerr
    • jellyseerr
    • python312Packages.python-overseerr
    • python313Packages.python-overseerr
    • python314Packages.python-overseerr
    • home-assistant-component-tests.overseerr
    • tests.home-assistant-component-tests.overseerr
    3 weeks ago
  • @LeSuisse dismissed 3 weeks ago
Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.

References

Affected products

seerr
  • ==< 3.1.0
Ignored packages (7) 
Not present in nixpkgs