Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-8759

5.5 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 1 week, 1 day ago by @LeSuisse Activity log

Created suggestion 1 week, 1 day ago
@LeSuisse dismissed (not in Nixpkgs) 1 week, 1 day ago

xiandafu beetl SpELFunction SpELFunction.java expression language injection

A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-364386 | xiandafu beetl SpELFunction SpELFunction.java expression language injection vdb-entry
VDB-364386 | CTI Indicators (IOB, IOC, IOA) permissions-requiredsignature
Submit #811316 | Beetl <= 3.20.2.RELEASE Code Injection third-party-advisory
https://gitee.com/xiandafu/beetl/issues/IIYAWC broken-linkissue-trackingexploit
https://gitee.com/xiandafu/beetl/ broken-linkproduct

Affected products

beetl

==3.20.2
==3.20.0
==3.20.1

Matching in nixpkgs

pkgs.tigerbeetle

Financial accounting database designed to be distributed and fast

nixos-unstable 0.17.2
- nixpkgs-unstable 0.17.3
- nixos-unstable-small 0.17.3
nixos-25.11 0.16.64
- nixos-25.11-small 0.16.64
- nixpkgs-25.11-darwin 0.16.64

Package maintainers

@nwjsmith Nate Smith <nate@theinternate.com>
@DanielSidhion Daniel Sidhion <nixpkgs@sidhion.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.tigerbeetle

Package maintainers