Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-29784
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks ago
  • @mweinelt removed
    23 packages
    • ghost
    • ghostie
    • ghostty
    • ghost-cli
    • ghostfolio
    • ghostunnel
    • ghostscript
    • ghosttohugo
    • ghostty-bin
    • ghostscriptX
    • ghostscript_headless
    • libsForQt5.ghostwriter
    • kdePackages.ghostwriter
    • plasma5Packages.ghostwriter
    • haskellPackages.ghost-buster
    • python312Packages.ghostscript
    • python313Packages.ghostscript
    • python314Packages.ghostscript
    • tests.texlive.dvipng.ghostscript
    • haskellPackages.ghostscript-parallel
    • tree-sitter-grammars.tree-sitter-ghostty
    • python313Packages.tree-sitter-grammars.tree-sitter-ghostty
    • python314Packages.tree-sitter-grammars.tree-sitter-ghostty
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
Ghost: Incomplete CSRF protections around OTC use

Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.

References

Affected products

Ghost
  • ==>= 5.101.6, < 6.19.3
Ignored packages (23) 
Not in nixpkgs