Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: typstPackages.astro_0_1_0

Found 4 matching suggestions

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-54298
4.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
Astro: XSS via Unescaped Attribute Names in Spread Props

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.

Affected products

astro
  • ==< 6.4.6

Matching in nixpkgs

pkgs.astroid

GTK frontend to the notmuch mail system

  • nixos-unstable 0.17
    • nixpkgs-unstable 0.17
    • nixos-unstable-small 0.17
  • nixos-26.05 0.17
    • nixos-26.05-small 0.17
    • nixpkgs-26.05-darwin 0.17

pkgs.astrolog

Freeware astrology program

  • nixos-unstable 7.70
    • nixpkgs-unstable 7.70
    • nixos-unstable-small 7.70
  • nixos-26.05 7.70
    • nixos-26.05-small 7.70
    • nixpkgs-26.05-darwin 7.70

pkgs.gnuastro

GNU astronomy utilities and library

  • nixos-unstable 0.24
    • nixpkgs-unstable 0.24
    • nixos-unstable-small 0.24
  • nixos-26.05 0.24
    • nixos-26.05-small 0.24
    • nixpkgs-26.05-darwin 0.24

pkgs.astromenace

Hardcore 3D space shooter with spaceship upgrade possibilities

pkgs.astrolabe-generator

Java-based tool for generating EPS files for constructing astrolabes and related tools

  • nixos-unstable 3.3
    • nixpkgs-unstable 3.3
    • nixos-unstable-small 3.3
  • nixos-26.05 3.3
    • nixos-26.05-small 3.3
    • nixpkgs-26.05-darwin 3.3

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-50146
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
Astro: Reflected XSS via unescaped slot name

Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This vulnerability is fixed in 6.3.3.

Affected products

astro
  • ==< 6.3.3

Matching in nixpkgs

pkgs.astroid

GTK frontend to the notmuch mail system

  • nixos-unstable 0.17
    • nixpkgs-unstable 0.17
    • nixos-unstable-small 0.17
  • nixos-26.05 0.17
    • nixos-26.05-small 0.17
    • nixpkgs-26.05-darwin 0.17

pkgs.astrolog

Freeware astrology program

  • nixos-unstable 7.70
    • nixpkgs-unstable 7.70
    • nixos-unstable-small 7.70
  • nixos-26.05 7.70
    • nixos-26.05-small 7.70
    • nixpkgs-26.05-darwin 7.70

pkgs.gnuastro

GNU astronomy utilities and library

  • nixos-unstable 0.24
    • nixpkgs-unstable 0.24
    • nixos-unstable-small 0.24
  • nixos-26.05 0.24
    • nixos-26.05-small 0.24
    • nixpkgs-26.05-darwin 0.24

pkgs.astromenace

Hardcore 3D space shooter with spaceship upgrade possibilities

pkgs.astrolabe-generator

Java-based tool for generating EPS files for constructing astrolabes and related tools

  • nixos-unstable 3.3
    • nixpkgs-unstable 3.3
    • nixos-unstable-small 3.3
  • nixos-26.05 3.3
    • nixos-26.05-small 3.3
    • nixpkgs-26.05-darwin 3.3

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-54300
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config

@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as *.example.com is converted to an optional subdomain regex, so the apex host matches. A single wildcard pathname such as /ok/* is converted without end anchoring, so deeper paths match by prefix. This vulnerability is fixed in 7.0.13.

Affected products

astro
  • ==< 7.0.13

Matching in nixpkgs

pkgs.astroid

GTK frontend to the notmuch mail system

  • nixos-unstable 0.17
    • nixpkgs-unstable 0.17
    • nixos-unstable-small 0.17
  • nixos-26.05 0.17
    • nixos-26.05-small 0.17
    • nixpkgs-26.05-darwin 0.17

pkgs.astrolog

Freeware astrology program

  • nixos-unstable 7.70
    • nixpkgs-unstable 7.70
    • nixos-unstable-small 7.70
  • nixos-26.05 7.70
    • nixos-26.05-small 7.70
    • nixpkgs-26.05-darwin 7.70

pkgs.gnuastro

GNU astronomy utilities and library

  • nixos-unstable 0.24
    • nixpkgs-unstable 0.24
    • nixos-unstable-small 0.24
  • nixos-26.05 0.24
    • nixos-26.05-small 0.24
    • nixpkgs-26.05-darwin 0.24

pkgs.astromenace

Hardcore 3D space shooter with spaceship upgrade possibilities

pkgs.astrolabe-generator

Java-based tool for generating EPS files for constructing astrolabes and related tools

  • nixos-unstable 3.3
    • nixpkgs-unstable 3.3
    • nixos-unstable-small 3.3
  • nixos-26.05 3.3
    • nixos-26.05-small 3.3
    • nixpkgs-26.05-darwin 3.3

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-54299
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
Astro: Host-header full-read SSRF in core prerendered error-page fetch (prerenderedErrorPageFetch default + unvalidated createRequestFromNodeRequest URL)

Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response. This vulnerability is fixed in 6.4.6.

Affected products

astro
  • ==< 6.4.6

Matching in nixpkgs

pkgs.astroid

GTK frontend to the notmuch mail system

  • nixos-unstable 0.17
    • nixpkgs-unstable 0.17
    • nixos-unstable-small 0.17
  • nixos-26.05 0.17
    • nixos-26.05-small 0.17
    • nixpkgs-26.05-darwin 0.17

pkgs.astrolog

Freeware astrology program

  • nixos-unstable 7.70
    • nixpkgs-unstable 7.70
    • nixos-unstable-small 7.70
  • nixos-26.05 7.70
    • nixos-26.05-small 7.70
    • nixpkgs-26.05-darwin 7.70

pkgs.gnuastro

GNU astronomy utilities and library

  • nixos-unstable 0.24
    • nixpkgs-unstable 0.24
    • nixos-unstable-small 0.24
  • nixos-26.05 0.24
    • nixos-26.05-small 0.24
    • nixpkgs-26.05-darwin 0.24

pkgs.astromenace

Hardcore 3D space shooter with spaceship upgrade possibilities

pkgs.astrolabe-generator

Java-based tool for generating EPS files for constructing astrolabes and related tools

  • nixos-unstable 3.3
    • nixpkgs-unstable 3.3
    • nixos-unstable-small 3.3
  • nixos-26.05 3.3
    • nixos-26.05-small 3.3
    • nixpkgs-26.05-darwin 3.3

Package maintainers