Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: perl540Packages.CpanelJSONXS

Found 10 matching suggestions

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-32991
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 17 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 5 hours ago
Improper authorization checks of team members privileges allow a team …

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

Affected products

cPanel
  • <11.126.0.59
  • <11.136.0.10
  • <11.130.0.23
  • <11.118.0.67
  • <11.110.0.119
  • <11.134.0.26
  • <11.124.0.38
  • <11.132.0.32
WP Squared
  • <11.136.1.12
cPanel (CloudLinux 6, CentOS 6)
  • <11.110.0.118

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-32993
8.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 17 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 5 hours ago
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` …

Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

Affected products

cPanel
  • <11.134.0.26
  • <11.136.0.10
  • <11.132.0.32
WP Squared
  • <11.136.1.12

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-29205
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 17 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 5 hours ago
Incorrect privileges management and insufficient path filtering allow to read …

Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

Affected products

cPanel
  • <11.126.0.59
  • <11.136.0.10
  • <11.130.0.23
  • <11.124.0.38
  • <11.134.0.26
  • <11.132.0.32
WP Squared
  • <11.136.1.12

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-29206
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 17 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 5 hours ago
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script …

Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.

Affected products

cPanel
  • <11.126.0.59
  • <11.94.0.31
  • <11.136.0.10
  • <11.130.0.23
  • <11.102.0.42
  • <11.118.0.67
  • <11.110.0.119
  • <11.86.0.44
  • <11.134.0.26
  • <11.124.0.38
  • <11.132.0.32
WP Squared
  • <11.136.1.12
cPanel (CloudLinux 6, CentOS 6)
  • <11.110.0.118

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-32992
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 17 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 5 hours ago
SSL verification is disabled in the DNS Cluster system. This …

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.

Affected products

cPanel
  • <11.126.0.59
  • <11.136.0.10
  • <11.130.0.23
  • <11.134.0.26
  • <11.132.0.32
WP Squared
  • <11.136.1.12

Matching in nixpkgs

Untriaged
Permalink CVE-2026-29203
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 5 days, 17 hours ago Activity log
  • Created suggestion 5 days, 17 hours ago
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows …

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.

Affected products

cPanel
  • <11.110.0.117
  • <11.118.0.66
  • <11.126.0.58
  • <11.130.0.22
  • <11.134.0.25
  • <11.94.0.30
  • <11.110.0.116
  • <11.124.0.37
  • <11.86.0.43
  • <11.132.0.31
  • <11.136.0.9
  • <11.102.0.41
WP Squared
  • <11.136.1.10
cPanel (CentOS 6, CloudLinux 6)
  • <11.110.114

Matching in nixpkgs

Untriaged
Permalink CVE-2026-29202
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 5 days, 17 hours ago Activity log
  • Created suggestion 5 days, 17 hours ago
Insufficient input validation of the `plugin` parameter of the `create_user` …

Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.

Affected products

cPanel
  • <11.110.0.117
  • <11.118.0.66
  • <11.126.0.58
  • <11.130.0.22
  • <11.134.0.25
  • <11.94.0.30
  • <11.110.0.116
  • <11.124.0.37
  • <11.86.0.43
  • <11.132.0.31
  • <11.136.0.9
  • <11.102.0.41
WP Sqaured
  • <11.136.1.10
cPanel (CentOS 6, CloudLinux 6)
  • <11.110.0.114

Matching in nixpkgs

Untriaged
Permalink CVE-2026-29201
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 5 days, 17 hours ago Activity log
  • Created suggestion 5 days, 17 hours ago
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` …

Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.

Affected products

cPanel
  • <11.110.0.117
  • <11.118.0.66
  • <11.130.0.22
  • <11.126.0.58
  • <11.134.0.25
  • <11.86.0.43
  • <11.94.0.30
  • <11.124.0.37
  • <11.110.0.116
  • <11.132.0.31
  • <11.136.0.9
  • <11.102.0.41
WP Squared
  • <11.136.1.10
cPanel (CentOS 6, CloudLinux 6)
  • <11.110.0.114

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-41940
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 1 day ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 weeks, 1 day ago
cPanel and WHM Authentication Bypass via Login Flow

cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Affected products

WHM
  • <11.134.0.20
  • <11.118.0.63
  • <11.132.0.29
  • <11.126.0.54
  • <11.136.0.5
  • <11.110.0.97
cPanel
  • <11.134.0.20
  • <11.118.0.63
  • <11.132.0.29
  • <11.126.0.54
  • <11.136.0.5
  • <11.110.0.97
WP Squared
  • <11.136.1.7

Matching in nixpkgs

Published
Permalink CVE-2025-40929
5.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 7 months, 3 weeks ago
  • @LeSuisse accepted 6 months, 2 weeks ago
  • @LeSuisse published on GitHub 6 months, 2 weeks ago
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

Affected products

Cpanel-JSON-XS
  • <4.40

Matching in nixpkgs