Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2025-40900
5.1 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 6 days, 8 hours ago Activity log
  • Created suggestion 6 days, 8 hours ago
Angular template injection in Reports in Guardian/CMC before 26.1.0

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Affected products

CMC
  • <26.1.0
Guardian
  • <26.1.0

Matching in nixpkgs

pkgs.cmc

Manages SSH ControlMaster sessions

pkgs.cmctl

Command line utility to interact with a cert-manager instalation on Kubernetes

pkgs.scmccid

PCSC drivers for linux, for the SCM SCR3310 v2.0 card and others

pkgs.adguardian

Terminal-based, real-time traffic monitoring and statistics for your AdGuard Home instance

pkgs.pcmciaUtils

None

  • nixos-unstable 018
    • nixpkgs-unstable 018
    • nixos-unstable-small 018
  • nixos-25.11 018
    • nixos-25.11-small 018
    • nixpkgs-25.11-darwin 018

pkgs.pcmciautils

None

  • nixos-unstable 018
    • nixpkgs-unstable 018
    • nixos-unstable-small 018
  • nixos-25.11 018
    • nixos-25.11-small 018
    • nixpkgs-25.11-darwin 018

Package maintainers