NIXPKGS-2026-1506

GitHub issue published on

Permalink CVE-2026-42610

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
4 hours ago
@LeSuisse accepted 4 hours ago
@LeSuisse published on GitHub 3 hours ago

Grav: Sensitive Information Disclosure via Accounts Service Bypass

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.

References

https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4 x_refsource_CONFIRMexploit
https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47 x_refsource_MISC

Affected products

grav

==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

nixos-unstable 1.7.50.3
- nixpkgs-unstable 1.7.50.3
- nixos-unstable-small 1.7.50.3
nixos-25.11 1.7.50.3
- nixos-25.11-small 1.7.50.3
- nixpkgs-25.11-darwin 1.7.50.3

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.stardust-xr-gravity

Utility to launch apps and stardust clients at an offet

nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
nixos-25.11 0-unstable-2024-12-29
- nixos-25.11-small 0-unstable-2024-12-29
- nixpkgs-25.11-darwin 0-unstable-2024-12-29

pkgs.kdePackages.libgravatar

Library that provides Gravatar support

nixos-unstable 26.04.0
- nixpkgs-unstable 26.04.1
- nixos-unstable-small 26.04.1
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3