Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42092

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created suggestion 3 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 2 weeks, 6 days ago

Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available.

References

https://github.com/titraio/titra/security/advisories/GHSA-4h9p-49hg-vppw x_refsource_CONFIRM

Affected products

titra

=== 0.99.52

Matching in nixpkgs

pkgs.multitran.multitrandata

Multitran data english-russian

nixos-unstable 0.3
- nixpkgs-unstable 0.3
- nixos-unstable-small 0.3
nixos-25.11 0.3
- nixos-25.11-small 0.3
- nixpkgs-25.11-darwin 0.3

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.multitran.multitrandata