Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: newsflash

Found 1 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-44515
2.3 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 week, 5 days ago Activity log
  • Created suggestion 1 week, 5 days ago
Nextcloud News: Authenticated blind SSRF via feed URL

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1.

Affected products

news
  • ==< 28.3.0-beta.1

Matching in nixpkgs

pkgs.newsboat

Fork of Newsbeuter, an RSS/Atom feed reader for the text console

  • nixos-unstable 2.43
    • nixpkgs-unstable 2.43
    • nixos-unstable-small 2.43
  • nixos-25.11 2.41
    • nixos-25.11-small 2.41
    • nixpkgs-25.11-darwin 2.41

pkgs.newsraft

Feed reader for terminal

  • nixos-unstable 0.35
    • nixpkgs-unstable 0.35
    • nixos-unstable-small 0.35
  • nixos-25.11 0.34
    • nixos-25.11-small 0.34
    • nixpkgs-25.11-darwin 0.34

pkgs.newsflash

Modern feed reader designed for the GNOME desktop

Package maintainers