Nixpkgs security tracker

Suggestion detail

Dismissed
(not in Nixpkgs)
CVE-2026-42205
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 1 day ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored
    17 packages
    • havoc
    • avocode
    • flavours
    • avogadro2
    • endeavour
    • pavolctld
    • avogadrolibs
    • python312Packages.bitvavo-aio
    • python313Packages.bitvavo-aio
    • python314Packages.bitvavo-aio
    • gnomeExtensions.favorites-menu
    • gnomeExtensions.panel-favorites
    • gnomeExtensions.fullscreen-avoider
    • gnomeExtensions.show-favorite-apps
    • python312Packages.django-localflavor
    • python313Packages.django-localflavor
    • python314Packages.django-localflavor
  • @mweinelt dismissed (not in Nixpkgs)
Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.
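The lookup flaw described above, as an added illustration that is not Avo's own code (the action and resource classes are constructed): the first lookup trusts the caller-supplied class name and checks only that it descends from the base action class, so any registered-anywhere action becomes reachable from any resource; the second resolves the name only among the actions the target resource itself registered.

```ruby
# Illustrative Ruby, not Avo's implementation. Models the bug class: resolving
# an action by name and checking only its ancestry, instead of checking that
# the resource being acted on actually registered that action.

class BaseAction
  def self.handle(_record)
    "ran #{name}"
  end
end

# Constructed sample actions: one meant for posts, one meant only for an
# admin-only resource.
class PublishPost < BaseAction; end
class DisableAccounts < BaseAction; end

class Resource
  attr_reader :name, :actions
  def initialize(name, actions)
    @name = name
    @actions = actions          # the actions this resource registered
  end
end

POST_RESOURCE  = Resource.new("posts", [PublishPost])
ADMIN_RESOURCE = Resource.new("admin", [DisableAccounts])

# Vulnerable lookup: resolves whatever class name the request names and only
# verifies it is a BaseAction descendant; the resource is never consulted.
def vulnerable_lookup(_resource, action_name)
  klass = Object.const_get(action_name) rescue nil
  klass if klass.is_a?(Class) && klass < BaseAction
end

# Hardened lookup: the name is matched against the resource's own allowlist,
# so an action registered for another resource is simply not found.
def scoped_lookup(resource, action_name)
  resource.actions.find { |a| a.name == action_name }
end

# Dispatch helper; returns :not_found when the lookup rejects the request.
def run_action(resource, action_name, lookup:)
  klass = send(lookup, resource, action_name)
  return :not_found unless klass
  klass.handle(nil)
end
```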

Affected products

avo
  • < 3.31.2
Ignored packages (17)

pkgs.havoc

Minimal terminal emulator for Wayland

pkgs.flavours

Easy to use base16 scheme manager/builder that integrates with any workflow

pkgs.endeavour

Personal task manager for GNOME

  • nixos-unstable 43.0
    • nixpkgs-unstable 43.0
    • nixos-unstable-small 43.0
  • nixos-25.11 43.0
    • nixos-25.11-small 43.0
    • nixpkgs-25.11-darwin 43.0

pkgs.pavolctld

Minimal volume control/monitoring daemon for PulseAudio and PipeWire

pkgs.gnomeExtensions.favorites-menu

Minimalist favorites menu button in top panel.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-25.11 2
    • nixos-25.11-small 2
    • nixpkgs-25.11-darwin 2

pkgs.gnomeExtensions.fullscreen-avoider

Moves the top panel to the secondary monitor if the primary is in fullscreen

  • nixos-unstable 15
    • nixpkgs-unstable 15
    • nixos-unstable-small 15
  • nixos-25.11 15
    • nixos-25.11-small 15
    • nixpkgs-25.11-darwin 15