Nixpkgs security tracker

Untriaged

Permalink CVE-2026-2947

3.5 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months ago Activity log

Created suggestion 2 months ago

rymcu forest User Profile UserInfoController.java updateUserInfo cross site scripting

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

VDB-347317 | rymcu forest User Profile UserInfoController.java updateUserInfo cross site scripting vdb-entrytechnical-description
VDB-347317 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #755039 | forest forest <= 0.0.5 Improper Neutralization of Alternate XSS Syntax third-party-advisory
https://fx4tqqfvdw4.feishu.cn/docx/MBymdGpuFoGQYuxEiH2cdC5BnSe?from=from_copyli… exploit

Affected products

forest

==0.0.5
==0.0.1
==0.0.2
==0.0.3
==0.0.4

Matching in nixpkgs

pkgs.everforest-cursors

Everforest cursor theme, based on phinger-cursors

nixos-unstable 3212590527
- nixpkgs-unstable 3212590527
- nixos-unstable-small 3212590527
nixos-25.11 3212590527
- nixos-25.11-small 3212590527
- nixpkgs-25.11-darwin 3212590527

pkgs.everforest-gtk-theme

Everforest colour palette for GTK

nixos-unstable 0-unstable-2025-10-15
- nixpkgs-unstable 0-unstable-2025-10-15
- nixos-unstable-small 0-unstable-2025-10-15
nixos-25.11 0-unstable-2023-03-20
- nixos-25.11-small 0-unstable-2023-03-20
- nixpkgs-25.11-darwin 0-unstable-2023-03-20

pkgs.haskellPackages.dirforest

Typed directory forest

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.haskellPackages.data-forest

A simple multi-way tree data structure

pkgs.python312Packages.pyecoforest

Module for interacting with Ecoforest devices

nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python313Packages.pyecoforest

Module for interacting with Ecoforest devices

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0
nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python314Packages.pyecoforest

Module for interacting with Ecoforest devices

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.haskellPackages.ForestStructures

Tree- and forest structures

nixos-unstable 0.0.1.1
- nixpkgs-unstable 0.0.1.1
- nixos-unstable-small 0.0.1.1
nixos-25.11 0.0.1.1
- nixos-25.11-small 0.0.1.1
- nixpkgs-25.11-darwin 0.0.1.1

pkgs.python312Packages.quantile-forest

Quantile Regression Forests compatible with scikit-learn

nixos-25.11 1.4.0
- nixos-25.11-small 1.4.0
- nixpkgs-25.11-darwin 1.4.0

pkgs.python313Packages.quantile-forest

Quantile Regression Forests compatible with scikit-learn

nixos-unstable 1.4.1
- nixpkgs-unstable 1.4.1
- nixos-unstable-small 1.4.1
nixos-25.11 1.4.0
- nixos-25.11-small 1.4.0
- nixpkgs-25.11-darwin 1.4.0

pkgs.python314Packages.quantile-forest

Quantile Regression Forests compatible with scikit-learn

nixos-unstable 1.4.1
- nixpkgs-unstable 1.4.1
- nixos-unstable-small 1.4.1