Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2026-27473
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months ago
SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites

SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.

Affected products

SPIP
  • <4.4.9

Matching in nixpkgs

pkgs.spiped

Utility for secure encrypted channels between sockets

pkgs.aespipe

AES encrypting or decrypting pipe

  • nixos-unstable 2.4j
    • nixpkgs-unstable 2.4j
    • nixos-unstable-small 2.4j
  • nixos-25.11 2.4j
    • nixos-25.11-small 2.4j
    • nixpkgs-25.11-darwin 2.4j

pkgs.lesspipe

Preprocessor for less

  • nixos-unstable 2.20
    • nixpkgs-unstable 2.20
    • nixos-unstable-small 2.20
  • nixos-25.11 2.20
    • nixos-25.11-small 2.20
    • nixpkgs-25.11-darwin 2.20

Package maintainers