Nixpkgs security tracker
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @mweinelt Activity log
- Created suggestion
-
@mweinelt
ignored
23 packages
- ghost
- ghostie
- ghostty
- ghost-cli
- ghostfolio
- ghostunnel
- ghostscript
- ghosttohugo
- ghostty-bin
- ghostscriptX
- ghostscript_headless
- libsForQt5.ghostwriter
- kdePackages.ghostwriter
- plasma5Packages.ghostwriter
- haskellPackages.ghost-buster
- python312Packages.ghostscript
- python313Packages.ghostscript
- python314Packages.ghostscript
- tests.texlive.dvipng.ghostscript
- haskellPackages.ghostscript-parallel
- tree-sitter-grammars.tree-sitter-ghostty
- python313Packages.tree-sitter-grammars.tree-sitter-ghostty
- python314Packages.tree-sitter-grammars.tree-sitter-ghostty
- @mweinelt dismissed
Ghost: Incomplete CSRF protections around OTC use
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
References
Affected products
- ==>= 5.101.6, < 6.19.3
Ignored packages (23)
pkgs.ghost
Android post-exploitation framework
-
nixos-unstable 8.0.0-unstable-2025-11-01
- nixpkgs-unstable 8.0.0-unstable-2025-11-01
- nixos-unstable-small 8.0.0-unstable-2025-11-01
pkgs.ghostie
Github notifications in your terminal
pkgs.ghostty
Fast, native, feature-rich terminal emulator pushing modern features
pkgs.ghost-cli
CLI Tool for installing & updating Ghost
pkgs.ghostfolio
Open Source Wealth Management Software
pkgs.ghostunnel
TLS proxy with mutual authentication support for securing non-TLS backend applications
pkgs.ghostscript
PostScript interpreter (mainline version)
pkgs.ghosttohugo
Convert Ghost export to Hugo posts
pkgs.ghostty-bin
Fast, native, feature-rich terminal emulator pushing modern features
pkgs.ghostscriptX
PostScript interpreter (mainline version)
pkgs.ghostscript_headless
PostScript interpreter (mainline version)
pkgs.libsForQt5.ghostwriter
Cross-platform, aesthetic, distraction-free Markdown editor
pkgs.kdePackages.ghostwriter
Text editor for Markdown
pkgs.plasma5Packages.ghostwriter
Cross-platform, aesthetic, distraction-free Markdown editor
pkgs.haskellPackages.ghost-buster
Existential type utilites
pkgs.python312Packages.ghostscript
Interface to the Ghostscript C-API using ctypes.
pkgs.python313Packages.ghostscript
Interface to the Ghostscript C-API using ctypes.
pkgs.python314Packages.ghostscript
Interface to the Ghostscript C-API using ctypes
pkgs.tests.texlive.dvipng.ghostscript
None
pkgs.haskellPackages.ghostscript-parallel
Let Ghostscript render pages in parallel
pkgs.tree-sitter-grammars.tree-sitter-ghostty
Tree-sitter grammar for ghostty
-
nixos-unstable 1.2-unstable-2026-01-02
- nixpkgs-unstable 1.2-unstable-2026-01-02
- nixos-unstable-small 1.2-unstable-2026-01-02
pkgs.python313Packages.tree-sitter-grammars.tree-sitter-ghostty
Python bindings for tree-sitter-ghostty
-
nixos-unstable 1.2+unstable20260102
- nixpkgs-unstable 1.2+unstable20260102
- nixos-unstable-small 1.2+unstable20260102
pkgs.python314Packages.tree-sitter-grammars.tree-sitter-ghostty
Python bindings for tree-sitter-ghostty
-
nixos-unstable 1.2+unstable20260102
- nixpkgs-unstable 1.2+unstable20260102
- nixos-unstable-small 1.2+unstable20260102