Nixpkgs security tracker

Permalink CVE-2026-3534

6.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

Affected products

Astra

=<4.12.3

Matching in nixpkgs

pkgs.astral

Tool for estimating an unrooted species tree given a set of unrooted gene trees

nixos-unstable 5.7.1
- nixpkgs-unstable 5.7.1
- nixos-unstable-small 5.7.1
nixos-25.11 5.7.1
- nixos-25.11-small 5.7.1
- nixpkgs-25.11-darwin 5.7.1

pkgs.agneyastra

Firebase Misconfiguration Detection Toolkit

nixos-unstable 0-unstable-2025-11-06
- nixpkgs-unstable 0-unstable-2025-11-06
- nixos-unstable-small 0-unstable-2025-11-06

pkgs.varunastra

Tool to enhance the security of Docker environments

nixos-unstable 1.1
- nixpkgs-unstable 1.1
- nixos-unstable-small 1.1

pkgs.akkuPackages.riastradh

Libraries by Taylor Campbell ported to Chez Scheme

nixos-unstable 0.0.0-akku.16.9714b5c
- nixpkgs-unstable 0.0.0-akku.16.9714b5c
- nixos-unstable-small 0.0.0-akku.16.9714b5c
nixos-25.11 0.0.0-akku.16.9714b5c
- nixos-25.11-small 0.0.0-akku.16.9714b5c
- nixpkgs-25.11-darwin 0.0.0-akku.16.9714b5c

pkgs.python312Packages.astral

Calculations for the position of the sun and the moon

nixos-25.11 3.2
- nixos-25.11-small 3.2
- nixpkgs-25.11-darwin 3.2

pkgs.python313Packages.astral

Calculations for the position of the sun and the moon

nixos-unstable 3.2
- nixpkgs-unstable 3.2
- nixos-unstable-small 3.2
nixos-25.11 3.2
- nixos-25.11-small 3.2
- nixpkgs-25.11-darwin 3.2

pkgs.python314Packages.astral

Calculations for the position of the sun and the moon

nixos-unstable 3.2
- nixpkgs-unstable 3.2
- nixos-unstable-small 3.2

pkgs.gnomeExtensions.astra-monitor

Astra Monitor is a cutting-edge, fully customizable, and performance-focused system monitoring extension for GNOME's top bar. It's an all-in-one solution for those seeking to keep a close eye on their system's performance metrics like CPU, GPU, RAM, disk usage, network statistics, and sensor readings.

nixos-unstable 55
- nixpkgs-unstable 55
- nixos-unstable-small 55
nixos-25.11 53
- nixos-25.11-small 53
- nixpkgs-25.11-darwin 53

Package maintainers

@TomaSajt TomaSajt
@bzizou Bruno Bzeznik <Bruno@bzizou.net>
@honnip Jung seungwoo <me@honnip.page>
@flokli Florian Klink <flokli@flokli.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Nixpkgs security tracker

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.astral

pkgs.agneyastra

pkgs.varunastra

pkgs.akkuPackages.riastradh

pkgs.python312Packages.astral

pkgs.python313Packages.astral

pkgs.python314Packages.astral

pkgs.gnomeExtensions.astra-monitor

pkgs.gnomeExtensions.astrapios-panel-menu

Package maintainers