Nixpkgs security tracker

Untriaged

Permalink CVE-2026-1520

2.4 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months, 3 weeks ago

rethinkdb Secondary Index cross site scripting

A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

VDB-343191 | rethinkdb Secondary Index cross site scripting vdb-entry
VDB-343191 | CTI Indicators (IOB, IOC, TTP) signaturepermissions-required
Submit #738312 | rethinkdb V2.4.3(latest) cross-site scripting(XSS) third-party-advisory
https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting… related
https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting… exploit

Affected products

rethinkdb

==2.4.1
==2.4.3
==2.4.2
==2.4.0

Matching in nixpkgs

pkgs.rethinkdb

Open-source distributed database built with love

nixos-unstable 2.4.4
- nixpkgs-unstable 2.4.4
- nixos-unstable-small 2.4.4
nixos-25.11 2.4.4
- nixpkgs-25.11-darwin 2.4.4

pkgs.python312Packages.rethinkdb

Python driver library for the RethinkDB database server

nixos-unstable 2.4.10.post1
- nixpkgs-unstable 2.4.10.post1
- nixos-unstable-small 2.4.10.post1
nixos-25.11 2.4.10.post1
- nixpkgs-25.11-darwin 2.4.10.post1

pkgs.python313Packages.rethinkdb