Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-28781

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Craft Affected by Entries Authorship Spoofing via Mass Assignment

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

References

https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp x_refsource_CONFIRM
https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8 x_refsource_MISC
https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542 x_refsource_MISC

Affected products

cms

==>= 4.0.0-RC1, < 4.17.0-beta.1
==>= 5.0.0-RC1, < 5.9.0-beta.1

Matching in nixpkgs

pkgs.cmst

QT GUI for Connman with system tray icon

nixos-unstable 2023.03.14
- nixpkgs-unstable 2023.03.14
- nixos-unstable-small 2023.03.14
nixos-25.11 2023.03.14
- nixos-25.11-small 2023.03.14
- nixpkgs-25.11-darwin 2023.03.14

pkgs.lcms

Color management engine

nixos-unstable 2.18
- nixpkgs-unstable 2.18
- nixos-unstable-small 2.18
nixos-25.11 2.17
- nixos-25.11-small 2.17
- nixpkgs-25.11-darwin 2.17

pkgs.lcms1

Color management engine

nixos-unstable 1.19
- nixpkgs-unstable 1.19
- nixos-unstable-small 1.19
nixos-25.11 1.19
- nixos-25.11-small 1.19
- nixpkgs-25.11-darwin 1.19

pkgs.lcms2

Color management engine

nixos-unstable 2.18
- nixpkgs-unstable 2.18
- nixos-unstable-small 2.18
nixos-25.11 2.17
- nixos-25.11-small 2.17
- nixpkgs-25.11-darwin 2.17

pkgs.cppcms

High Performance C++ Web Framework

nixos-unstable 2.0.0.beta2
- nixpkgs-unstable 2.0.0.beta2
- nixos-unstable-small 2.0.0.beta2
nixos-25.11 2.0.0.beta2
- nixos-25.11-small 2.0.0.beta2
- nixpkgs-25.11-darwin 2.0.0.beta2

pkgs.xcmsdb

Device Color Characterization utility for X Color Management System

nixos-unstable 1.0.7
- nixpkgs-unstable 1.0.7
- nixos-unstable-small 1.0.7
nixos-25.11 1.0.7
- nixos-25.11-small 1.0.7
- nixpkgs-25.11-darwin 1.0.7

pkgs.argyllcms

Color management system (compatible with ICC)

nixos-unstable 3.4.1
- nixpkgs-unstable 3.4.1
- nixos-unstable-small 3.4.1
nixos-25.11 3.4.1
- nixos-25.11-small 3.4.1
- nixpkgs-25.11-darwin 3.4.1

pkgs.pcmsolver

API for the Polarizable Continuum Model

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.xorg.xcmsdb

None

nixos-25.11 1.0.7
- nixos-25.11-small 1.0.7
- nixpkgs-25.11-darwin 1.0.7

pkgs.luaPackages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua51Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua52Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua53Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua54Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua55Packages.lua-cmsgpack

None

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0

pkgs.python312Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

pkgs.python312Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-25.11 0.9-unstable-2024-12-05
- nixos-25.11-small 0.9-unstable-2024-12-05
- nixpkgs-25.11-darwin 0.9-unstable-2024-12-05

pkgs.python313Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0
nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

pkgs.python313Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05
nixos-25.11 0.9-unstable-2024-12-05
- nixos-25.11-small 0.9-unstable-2024-12-05
- nixpkgs-25.11-darwin 0.9-unstable-2024-12-05

pkgs.python314Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0

pkgs.python314Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05

pkgs.luajitPackages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.python312Packages.cmsis-svd

CMSIS SVD parser

nixos-25.11 0.6
- nixos-25.11-small 0.6
- nixpkgs-25.11-darwin 0.6

pkgs.python312Packages.pyemoncms

Python library for emoncms API

nixos-25.11 0.1.3
- nixos-25.11-small 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.python313Packages.cmsis-svd

CMSIS SVD parser

nixos-unstable 0.6
- nixpkgs-unstable 0.6
- nixos-unstable-small 0.6
nixos-25.11 0.6
- nixos-25.11-small 0.6
- nixpkgs-25.11-darwin 0.6

pkgs.python313Packages.pyemoncms

Python library for emoncms API

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3
nixos-25.11 0.1.3
- nixos-25.11-small 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.python314Packages.cmsis-svd

CMSIS SVD parser

nixos-unstable 0.6
- nixpkgs-unstable 0.6
- nixos-unstable-small 0.6

pkgs.python314Packages.pyemoncms

Python library for emoncms API

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3

pkgs.python312Packages.django-cms

Lean enterprise content management powered by Django

nixos-25.11 5.0.4
- nixos-25.11-small 5.0.4
- nixpkgs-25.11-darwin 5.0.4

pkgs.python313Packages.django-cms

Lean enterprise content management powered by Django

nixos-unstable 5.0.6
- nixpkgs-unstable 5.0.6
- nixos-unstable-small 5.0.6
nixos-25.11 5.0.4
- nixos-25.11-small 5.0.4
- nixpkgs-25.11-darwin 5.0.4

pkgs.python314Packages.django-cms

Lean enterprise content management powered by Django

nixos-unstable 5.0.6
- nixpkgs-unstable 5.0.6
- nixos-unstable-small 5.0.6

pkgs.python312Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-25.11 3.0.2
- nixos-25.11-small 3.0.2
- nixpkgs-25.11-darwin 3.0.2

pkgs.python313Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-unstable 3.0.3
- nixpkgs-unstable 3.0.3
- nixos-unstable-small 3.0.3
nixos-25.11 3.0.2
- nixos-25.11-small 3.0.2
- nixpkgs-25.11-darwin 3.0.2

pkgs.python314Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-unstable 3.0.3
- nixpkgs-unstable 3.0.3
- nixos-unstable-small 3.0.3

pkgs.vscode-extensions.cmschuetz12.wal

None

nixos-unstable cmschuetz12-wal-0.1.0
- nixpkgs-unstable cmschuetz12-wal-0.1.0
- nixos-unstable-small cmschuetz12-wal-0.1.0
nixos-25.11 cmschuetz12-wal-0.1.0
- nixos-25.11-small cmschuetz12-wal-0.1.0
- nixpkgs-25.11-darwin cmschuetz12-wal-0.1.0

pkgs.python312Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-25.11 0.5.2
- nixos-25.11-small 0.5.2
- nixpkgs-25.11-darwin 0.5.2

pkgs.python313Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-25.11 0.5.2
- nixos-25.11-small 0.5.2
- nixpkgs-25.11-darwin 0.5.2

pkgs.python314Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0

pkgs.home-assistant-component-tests.emoncms

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.python312Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-25.11 5.1.7
- nixos-25.11-small 5.1.7
- nixpkgs-25.11-darwin 5.1.7

pkgs.python313Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-unstable 5.1.7
- nixpkgs-unstable 5.1.7
- nixos-unstable-small 5.1.7
nixos-25.11 5.1.7
- nixos-25.11-small 5.1.7
- nixpkgs-25.11-darwin 5.1.7

pkgs.python314Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-unstable 5.1.7
- nixpkgs-unstable 5.1.7
- nixos-unstable-small 5.1.7

pkgs.tests.home-assistant-component-tests.emoncms

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

pkgs.home-assistant-component-tests.emoncms_history

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.emoncms_history

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@matejc Matej Cotman <cotman.matej@gmail.com>
@romildo José Romildo Malaquias <malaquias@gmail.com>
@juliendehos Julien Dehos <dehos@lisic.univ-littoral.fr>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>
@ShamrockLee Yueh-Shun Li <shamrocklee@posteo.net>
@sbruder Simon Bruder <nixos@sbruder.de>
@frogamic Dominic Shelton <frogamic@protonmail.com>
@jollheef Mikhail Klementev <root@dumpstack.io>
@bcdarwin Ben Darwin <bcdarwin@gmail.com>
@onny Jonas Heinrich <onny@project-insanity.org>