Nixpkgs Security Tracker

Untriaged

Permalink CVE-2026-32265

created 4 days, 1 hour ago

Amazon S3 for Craft CMS has an Information Disclosure vulnerability

The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.

References

https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9 x_refsource_CONFIRM
https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f x_refsource_MISC

Affected products

aws-s3

==>= 2.0.2, < 2.2.5

Matching in nixpkgs

pkgs.prometheus-aws-s3-exporter

Exports Prometheus metrics about S3 buckets and objects

nixos-unstable s3-exporter-0.5.0
- nixpkgs-unstable s3-exporter-0.5.0
- nixos-unstable-small s3-exporter-0.5.0
nixos-25.11 s3-exporter-0.5.0
- nixos-25.11-small s3-exporter-0.5.0
- nixpkgs-25.11-darwin s3-exporter-0.5.0

Package maintainers

@mmahut Marek Mahut <marek.mahut@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.prometheus-aws-s3-exporter

Package maintainers