Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-54298
4.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
Astro: XSS via Unescaped Attribute Names in Spread Props

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.

Affected products

astro
  • ==< 6.4.6

Matching in nixpkgs

pkgs.astroid

GTK frontend to the notmuch mail system

  • nixos-unstable 0.17
    • nixpkgs-unstable 0.17
    • nixos-unstable-small 0.17
  • nixos-26.05 0.17
    • nixos-26.05-small 0.17
    • nixpkgs-26.05-darwin 0.17

pkgs.astrolog

Freeware astrology program

  • nixos-unstable 7.70
    • nixpkgs-unstable 7.70
    • nixos-unstable-small 7.70
  • nixos-26.05 7.70
    • nixos-26.05-small 7.70
    • nixpkgs-26.05-darwin 7.70

pkgs.gnuastro

GNU astronomy utilities and library

  • nixos-unstable 0.24
    • nixpkgs-unstable 0.24
    • nixos-unstable-small 0.24
  • nixos-26.05 0.24
    • nixos-26.05-small 0.24
    • nixpkgs-26.05-darwin 0.24

pkgs.astromenace

Hardcore 3D space shooter with spaceship upgrade possibilities

pkgs.astrolabe-generator

Java-based tool for generating EPS files for constructing astrolabes and related tools

  • nixos-unstable 3.3
    • nixpkgs-unstable 3.3
    • nixos-unstable-small 3.3
  • nixos-26.05 3.3
    • nixos-26.05-small 3.3
    • nixpkgs-26.05-darwin 3.3

Package maintainers