Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-29086
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 4 days ago
  • @LeSuisse removed
    22 packages
    • libsForQt5.phonon
    • kdePackages.phonon
    • kdePackages.phonon-vlc
    • plasma5Packages.phonon
    • typstPackages.phonokit
    • python312Packages.phonopy
    • python313Packages.phonopy
    • python314Packages.phonopy
    • typstPackages.phonokit_0_0_1
    • typstPackages.phonokit_0_2_0
    • typstPackages.phonokit_0_3_0
    • typstPackages.phonokit_0_3_5
    • typstPackages.phonokit_0_3_6
    • typstPackages.phonokit_0_3_7
    • typstPackages.phonokit_0_4_0
    • libsForQt5.phonon-backend-vlc
    • python312Packages.pythonocc-core
    • python313Packages.pythonocc-core
    • python314Packages.pythonocc-core
    • plasma5Packages.phonon-backend-vlc
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    2 weeks, 4 days ago
  • @LeSuisse dismissed 2 weeks, 4 days ago
Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.

References

Affected products

hono
  • ==< 4.12.4
Ignored packages (22) 
Not present in Nixpkgs