Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: tests.fetchpatch.relative

Found 2 matching suggestions

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-7036
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 3 weeks, 6 days ago by @LeSuisse Activity log
  • Created suggestion 4 weeks ago
  • @LeSuisse dismissed (not in Nixpkgs) 3 weeks, 6 days ago
Tenda i9 HTTP R7WebsSecurityHandlerfunction path traversal

A vulnerability was identified in Tenda i9 1.0.0.5(2204). This vulnerability affects the function R7WebsSecurityHandlerfunction of the component HTTP Handler. The manipulation leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Affected products

i9
  • ==1.0.0.5(2204)

Matching in nixpkgs

Untriaged
Permalink CVE-2026-33490
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 1 month, 4 weeks ago Activity log
  • Created suggestion 1 month, 4 weeks ago
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.

Affected products

h3
  • ==>= 2.0.1-alpha.0, < 2.0.1-rc.17

Matching in nixpkgs

pkgs.h3

Hexagonal hierarchical geospatial indexing system

pkgs.h3_3

Hexagonal hierarchical geospatial indexing system

pkgs.h3_4

Hexagonal hierarchical geospatial indexing system

Package maintainers