Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-27949
2.0 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months, 1 week ago
Plane Exposes User Email (PII and part of credential) in GET Parameter

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0.

Affected products

plane
  • ==< 1.3.0

Matching in nixpkgs

pkgs.xplanet

Renders an image of the earth or other planets into the X root window

pkgs.crossplane

NGINX configuration file parser and builder

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

Package maintainers