Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-28782

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Craft has a Permission Bypass and IDOR in Duplicate Entry Action

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

References

https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6 x_refsource_CONFIRM
https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d x_refsource_MISC

Affected products

cms

==>= 5.0.0-RC1, < 5.9.0-beta.1
==>= 4.0.0-RC1, < 4.17.0-beta.1

Matching in nixpkgs

pkgs.cmst

QT GUI for Connman with system tray icon

nixos-unstable 2023.03.14
- nixpkgs-unstable 2023.03.14
- nixos-unstable-small 2023.03.14
nixos-25.11 2023.03.14
- nixos-25.11-small 2023.03.14
- nixpkgs-25.11-darwin 2023.03.14

pkgs.lcms

Color management engine

nixos-unstable 2.18
- nixpkgs-unstable 2.18
- nixos-unstable-small 2.18
nixos-25.11 2.17
- nixos-25.11-small 2.17
- nixpkgs-25.11-darwin 2.17

pkgs.lcms1

Color management engine

nixos-unstable 1.19
- nixpkgs-unstable 1.19
- nixos-unstable-small 1.19
nixos-25.11 1.19
- nixos-25.11-small 1.19
- nixpkgs-25.11-darwin 1.19

pkgs.lcms2

Color management engine

nixos-unstable 2.18
- nixpkgs-unstable 2.18
- nixos-unstable-small 2.18
nixos-25.11 2.17
- nixos-25.11-small 2.17
- nixpkgs-25.11-darwin 2.17

pkgs.cppcms

High Performance C++ Web Framework

nixos-unstable 2.0.0.beta2
- nixpkgs-unstable 2.0.0.beta2
- nixos-unstable-small 2.0.0.beta2
nixos-25.11 2.0.0.beta2
- nixos-25.11-small 2.0.0.beta2
- nixpkgs-25.11-darwin 2.0.0.beta2

pkgs.xcmsdb

Device Color Characterization utility for X Color Management System

nixos-unstable 1.0.7
- nixpkgs-unstable 1.0.7
- nixos-unstable-small 1.0.7
nixos-25.11 1.0.7
- nixos-25.11-small 1.0.7
- nixpkgs-25.11-darwin 1.0.7

pkgs.argyllcms

Color management system (compatible with ICC)

nixos-unstable 3.4.1
- nixpkgs-unstable 3.4.1
- nixos-unstable-small 3.4.1
nixos-25.11 3.4.1
- nixos-25.11-small 3.4.1
- nixpkgs-25.11-darwin 3.4.1

pkgs.pcmsolver

API for the Polarizable Continuum Model

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.xorg.xcmsdb

None

nixos-25.11 1.0.7
- nixos-25.11-small 1.0.7
- nixpkgs-25.11-darwin 1.0.7

pkgs.luaPackages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua51Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua52Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua53Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua54Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua55Packages.lua-cmsgpack

None

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0

pkgs.python312Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

pkgs.python312Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-25.11 0.9-unstable-2024-12-05
- nixos-25.11-small 0.9-unstable-2024-12-05
- nixpkgs-25.11-darwin 0.9-unstable-2024-12-05

pkgs.python313Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0
nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

pkgs.python313Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05
nixos-25.11 0.9-unstable-2024-12-05
- nixos-25.11-small 0.9-unstable-2024-12-05
- nixpkgs-25.11-darwin 0.9-unstable-2024-12-05

pkgs.python314Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0

pkgs.python314Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05

pkgs.luajitPackages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.python312Packages.cmsis-svd

CMSIS SVD parser

nixos-25.11 0.6
- nixos-25.11-small 0.6
- nixpkgs-25.11-darwin 0.6

pkgs.python312Packages.pyemoncms

Python library for emoncms API

nixos-25.11 0.1.3
- nixos-25.11-small 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.python313Packages.cmsis-svd

CMSIS SVD parser

nixos-unstable 0.6
- nixpkgs-unstable 0.6
- nixos-unstable-small 0.6
nixos-25.11 0.6
- nixos-25.11-small 0.6
- nixpkgs-25.11-darwin 0.6

pkgs.python313Packages.pyemoncms

Python library for emoncms API

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3
nixos-25.11 0.1.3
- nixos-25.11-small 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.python314Packages.cmsis-svd

CMSIS SVD parser

nixos-unstable 0.6
- nixpkgs-unstable 0.6
- nixos-unstable-small 0.6

pkgs.python314Packages.pyemoncms

Python library for emoncms API

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3

pkgs.python312Packages.django-cms

Lean enterprise content management powered by Django

nixos-25.11 5.0.4
- nixos-25.11-small 5.0.4
- nixpkgs-25.11-darwin 5.0.4

pkgs.python313Packages.django-cms

Lean enterprise content management powered by Django

nixos-unstable 5.0.6
- nixpkgs-unstable 5.0.6
- nixos-unstable-small 5.0.6
nixos-25.11 5.0.4
- nixos-25.11-small 5.0.4
- nixpkgs-25.11-darwin 5.0.4

pkgs.python314Packages.django-cms

Lean enterprise content management powered by Django

nixos-unstable 5.0.6
- nixpkgs-unstable 5.0.6
- nixos-unstable-small 5.0.6

pkgs.python312Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-25.11 3.0.2
- nixos-25.11-small 3.0.2
- nixpkgs-25.11-darwin 3.0.2

pkgs.python313Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-unstable 3.0.3
- nixpkgs-unstable 3.0.3
- nixos-unstable-small 3.0.3
nixos-25.11 3.0.2
- nixos-25.11-small 3.0.2
- nixpkgs-25.11-darwin 3.0.2

pkgs.python314Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-unstable 3.0.3
- nixpkgs-unstable 3.0.3
- nixos-unstable-small 3.0.3

pkgs.vscode-extensions.cmschuetz12.wal

None

nixos-unstable cmschuetz12-wal-0.1.0
- nixpkgs-unstable cmschuetz12-wal-0.1.0
- nixos-unstable-small cmschuetz12-wal-0.1.0
nixos-25.11 cmschuetz12-wal-0.1.0
- nixos-25.11-small cmschuetz12-wal-0.1.0
- nixpkgs-25.11-darwin cmschuetz12-wal-0.1.0

pkgs.python312Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-25.11 0.5.2
- nixos-25.11-small 0.5.2
- nixpkgs-25.11-darwin 0.5.2

pkgs.python313Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-25.11 0.5.2
- nixos-25.11-small 0.5.2
- nixpkgs-25.11-darwin 0.5.2

pkgs.python314Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0

pkgs.home-assistant-component-tests.emoncms

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.python312Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-25.11 5.1.7
- nixos-25.11-small 5.1.7
- nixpkgs-25.11-darwin 5.1.7

pkgs.python313Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-unstable 5.1.7
- nixpkgs-unstable 5.1.7
- nixos-unstable-small 5.1.7
nixos-25.11 5.1.7
- nixos-25.11-small 5.1.7
- nixpkgs-25.11-darwin 5.1.7

pkgs.python314Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-unstable 5.1.7
- nixpkgs-unstable 5.1.7
- nixos-unstable-small 5.1.7

pkgs.tests.home-assistant-component-tests.emoncms

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

pkgs.home-assistant-component-tests.emoncms_history

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.emoncms_history

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@matejc Matej Cotman <cotman.matej@gmail.com>
@romildo José Romildo Malaquias <malaquias@gmail.com>
@juliendehos Julien Dehos <dehos@lisic.univ-littoral.fr>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>
@ShamrockLee Yueh-Shun Li <shamrocklee@posteo.net>
@sbruder Simon Bruder <nixos@sbruder.de>
@frogamic Dominic Shelton <frogamic@protonmail.com>
@jollheef Mikhail Klementev <root@dumpstack.io>
@bcdarwin Ben Darwin <bcdarwin@gmail.com>
@onny Jonas Heinrich <onny@project-insanity.org>