Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42554

5.3 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 2 weeks ago by @LeSuisse Activity log

Created suggestion 2 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 2 weeks ago

Fiber: XSS in AutoFormat Content Negotiation

Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.

References

https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv x_refsource_CONFIRM

Affected products

fiber

==>= 3.0.0-beta.2, < 3.1.0
==< 2.52.13

Matching in nixpkgs

pkgs.guile-fibers

Concurrent ML-like concurrency for Guile

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1
nixos-25.11 1.3.1
- nixos-25.11-small 1.3.1
- nixpkgs-25.11-darwin 1.3.1

pkgs.ocamlPackages.fiber

Structured concurrency library

nixos-unstable 3.7.0
- nixpkgs-unstable 3.7.0
- nixos-unstable-small 3.7.0
nixos-25.11 3.7.0
- nixos-25.11-small 3.7.0
- nixpkgs-25.11-darwin 3.7.0

pkgs.ocamlPackages_latest.fiber

Structured concurrency library

nixos-unstable 3.7.0
- nixpkgs-unstable 3.7.0
- nixos-unstable-small 3.7.0

Untriaged

Permalink CVE-2026-30246

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 2 weeks, 6 days ago Activity log

Created suggestion 2 weeks, 6 days ago

github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.

References

https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8 x_refsource_CONFIRMexploit
https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621 x_refsource_MISC
https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92 x_refsource_MISC

Affected products

fiber

==>= v3.0.0-beta.2, < 3.1.0

Matching in nixpkgs

pkgs.guile-fibers

Concurrent ML-like concurrency for Guile

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1
nixos-25.11 1.3.1
- nixos-25.11-small 1.3.1
- nixpkgs-25.11-darwin 1.3.1

pkgs.ocamlPackages.fiber

Structured concurrency library

nixos-unstable 3.7.0
- nixpkgs-unstable 3.7.0
- nixos-unstable-small 3.7.0
nixos-25.11 3.7.0
- nixos-25.11-small 3.7.0
- nixpkgs-25.11-darwin 3.7.0

pkgs.ocamlPackages_latest.fiber

Structured concurrency library

nixos-unstable 3.7.0
- nixpkgs-unstable 3.7.0
- nixos-unstable-small 3.7.0

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.guile-fibers

pkgs.ocamlPackages.fiber

pkgs.ocamlPackages_latest.fiber

References

Affected products

Matching in nixpkgs

pkgs.guile-fibers

pkgs.ocamlPackages.fiber

pkgs.ocamlPackages_latest.fiber