Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42603

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 weeks ago by @LeSuisse Activity log

Created suggestion 2 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 2 weeks ago

OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.

References

https://github.com/OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh x_refsource_CONFIRMexploit

Affected products

BLT

==< 2.1.2

Matching in nixpkgs

pkgs.libltc

POSIX-C Library for handling Linear/Logitudinal Time Code (LTC)

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2
nixos-25.11 1.3.2
- nixos-25.11-small 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.ocamlPackages.labltk

OCaml interface to Tcl/Tk, including OCaml library explorer OCamlBrowser

nixos-unstable 8.06.16
- nixpkgs-unstable 8.06.16
- nixos-unstable-small 8.06.16
nixos-25.11 8.06.15
- nixos-25.11-small 8.06.15
- nixpkgs-25.11-darwin 8.06.15

pkgs.ocamlPackages_latest.labltk