NIXPKGS-2026-1510

GitHub issue published on

Permalink CVE-2026-42611

8.9 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): Low (L)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): High (H)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
4 hours ago
@LeSuisse accepted 4 hours ago
@LeSuisse published on GitHub 3 hours ago

Grav: Stored XSS via Tag Injection

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.

References

https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2 x_refsource_CONFIRMexploit
https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663 x_refsource_MISC

Affected products

grav

==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

nixos-unstable 1.7.50.3
- nixpkgs-unstable 1.7.50.3
- nixos-unstable-small 1.7.50.3
nixos-25.11 1.7.50.3
- nixos-25.11-small 1.7.50.3
- nixpkgs-25.11-darwin 1.7.50.3

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.stardust-xr-gravity

Utility to launch apps and stardust clients at an offet

nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
nixos-25.11 0-unstable-2024-12-29
- nixos-25.11-small 0-unstable-2024-12-29
- nixpkgs-25.11-darwin 0-unstable-2024-12-29

pkgs.kdePackages.libgravatar

Library that provides Gravatar support

nixos-unstable 26.04.0
- nixpkgs-unstable 26.04.1
- nixos-unstable-small 26.04.1
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3