Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-40035

9.1 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 2 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 1 month, 2 weeks ago

Unfurl - Werkzeug Debugger Exposure via String Config Parsing

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

References

GHSA Advisory GHSA-vg9h-jx4v-cwx2 vendor-advisory
VulnCheck Advisory: dfir-unfurl - Werkzeug Debugger Exposure via String Config Parsing third-party-advisory

Affected products

dfir-unfurl

=<2025.08

Matching in nixpkgs

pkgs.unfurl

Pull out bits of URLs provided on stdin

nixos-unstable 0.4.3
- nixpkgs-unstable 0.4.3
- nixos-unstable-small 0.4.3
nixos-25.11 0.4.3
- nixos-25.11-small 0.4.3
- nixpkgs-25.11-darwin 0.4.3

Package maintainers

@figsoda figsoda <figsoda@pm.me>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.unfurl

Package maintainers