Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-28695

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

References

https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw x_refsource_CONFIRM
https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0 x_refsource_MISC

Affected products

cms

==>= 4.0.0-RC1, < 4.17.0-beta.1
==>= 5.8.7, < 5.9.0-beta.1

Matching in nixpkgs

pkgs.cmst

QT GUI for Connman with system tray icon

nixos-unstable 2023.03.14
- nixpkgs-unstable 2023.03.14
- nixos-unstable-small 2023.03.14
nixos-25.11 2023.03.14
- nixos-25.11-small 2023.03.14
- nixpkgs-25.11-darwin 2023.03.14

pkgs.lcms

Color management engine

nixos-unstable 2.18
- nixpkgs-unstable 2.18
- nixos-unstable-small 2.18
nixos-25.11 2.17
- nixos-25.11-small 2.17
- nixpkgs-25.11-darwin 2.17

pkgs.lcms1

Color management engine

nixos-unstable 1.19
- nixpkgs-unstable 1.19
- nixos-unstable-small 1.19
nixos-25.11 1.19
- nixos-25.11-small 1.19
- nixpkgs-25.11-darwin 1.19

pkgs.lcms2

Color management engine

nixos-unstable 2.18
- nixpkgs-unstable 2.18
- nixos-unstable-small 2.18
nixos-25.11 2.17
- nixos-25.11-small 2.17
- nixpkgs-25.11-darwin 2.17

pkgs.cppcms

High Performance C++ Web Framework

nixos-unstable 2.0.0.beta2
- nixpkgs-unstable 2.0.0.beta2
- nixos-unstable-small 2.0.0.beta2
nixos-25.11 2.0.0.beta2
- nixos-25.11-small 2.0.0.beta2
- nixpkgs-25.11-darwin 2.0.0.beta2

pkgs.xcmsdb

Device Color Characterization utility for X Color Management System

nixos-unstable 1.0.7
- nixpkgs-unstable 1.0.7
- nixos-unstable-small 1.0.7
nixos-25.11 1.0.7
- nixos-25.11-small 1.0.7
- nixpkgs-25.11-darwin 1.0.7

pkgs.argyllcms

Color management system (compatible with ICC)

nixos-unstable 3.4.1
- nixpkgs-unstable 3.4.1
- nixos-unstable-small 3.4.1
nixos-25.11 3.4.1
- nixos-25.11-small 3.4.1
- nixpkgs-25.11-darwin 3.4.1

pkgs.pcmsolver

API for the Polarizable Continuum Model

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.xorg.xcmsdb

None

nixos-25.11 1.0.7
- nixos-25.11-small 1.0.7
- nixpkgs-25.11-darwin 1.0.7

pkgs.luaPackages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua51Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua52Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua53Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua54Packages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0
nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.lua55Packages.lua-cmsgpack

None

nixos-unstable 0.4.0-0
- nixpkgs-unstable 0.4.0-0
- nixos-unstable-small 0.4.0-0

pkgs.python312Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

pkgs.python312Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-25.11 0.9-unstable-2024-12-05
- nixos-25.11-small 0.9-unstable-2024-12-05
- nixpkgs-25.11-darwin 0.9-unstable-2024-12-05

pkgs.python313Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0
nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

pkgs.python313Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05
nixos-25.11 0.9-unstable-2024-12-05
- nixos-25.11-small 0.9-unstable-2024-12-05
- nixpkgs-25.11-darwin 0.9-unstable-2024-12-05

pkgs.python314Packages.cmsdials

Python API client interface to CMS DIALS service

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0

pkgs.python314Packages.dcmstack

DICOM to Nifti conversion preserving metadata

nixos-unstable 0.9-unstable-2024-12-05
- nixpkgs-unstable 0.9-unstable-2024-12-05
- nixos-unstable-small 0.9-unstable-2024-12-05

pkgs.luajitPackages.lua-cmsgpack

MessagePack C implementation and bindings for Lua 5.1/5.2/5.3

nixos-25.11 0.4.0-0
- nixos-25.11-small 0.4.0-0
- nixpkgs-25.11-darwin 0.4.0-0

pkgs.python312Packages.cmsis-svd

CMSIS SVD parser

nixos-25.11 0.6
- nixos-25.11-small 0.6
- nixpkgs-25.11-darwin 0.6

pkgs.python312Packages.pyemoncms

Python library for emoncms API

nixos-25.11 0.1.3
- nixos-25.11-small 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.python313Packages.cmsis-svd

CMSIS SVD parser

nixos-unstable 0.6
- nixpkgs-unstable 0.6
- nixos-unstable-small 0.6
nixos-25.11 0.6
- nixos-25.11-small 0.6
- nixpkgs-25.11-darwin 0.6

pkgs.python313Packages.pyemoncms

Python library for emoncms API

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3
nixos-25.11 0.1.3
- nixos-25.11-small 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.python314Packages.cmsis-svd

CMSIS SVD parser

nixos-unstable 0.6
- nixpkgs-unstable 0.6
- nixos-unstable-small 0.6

pkgs.python314Packages.pyemoncms

Python library for emoncms API

nixos-unstable 0.1.3
- nixpkgs-unstable 0.1.3
- nixos-unstable-small 0.1.3

pkgs.python312Packages.django-cms

Lean enterprise content management powered by Django

nixos-25.11 5.0.4
- nixos-25.11-small 5.0.4
- nixpkgs-25.11-darwin 5.0.4

pkgs.python313Packages.django-cms

Lean enterprise content management powered by Django

nixos-unstable 5.0.6
- nixpkgs-unstable 5.0.6
- nixos-unstable-small 5.0.6
nixos-25.11 5.0.4
- nixos-25.11-small 5.0.4
- nixpkgs-25.11-darwin 5.0.4

pkgs.python314Packages.django-cms

Lean enterprise content management powered by Django

nixos-unstable 5.0.6
- nixpkgs-unstable 5.0.6
- nixos-unstable-small 5.0.6

pkgs.python312Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-25.11 3.0.2
- nixos-25.11-small 3.0.2
- nixpkgs-25.11-darwin 3.0.2

pkgs.python313Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-unstable 3.0.3
- nixpkgs-unstable 3.0.3
- nixos-unstable-small 3.0.3
nixos-25.11 3.0.2
- nixos-25.11-small 3.0.2
- nixpkgs-25.11-darwin 3.0.2

pkgs.python314Packages.djangocms-alias

Lean enterprise content management powered by Django

nixos-unstable 3.0.3
- nixpkgs-unstable 3.0.3
- nixos-unstable-small 3.0.3

pkgs.vscode-extensions.cmschuetz12.wal

None

nixos-unstable cmschuetz12-wal-0.1.0
- nixpkgs-unstable cmschuetz12-wal-0.1.0
- nixos-unstable-small cmschuetz12-wal-0.1.0
nixos-25.11 cmschuetz12-wal-0.1.0
- nixos-25.11-small cmschuetz12-wal-0.1.0
- nixpkgs-25.11-darwin cmschuetz12-wal-0.1.0

pkgs.python312Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-25.11 0.5.2
- nixos-25.11-small 0.5.2
- nixpkgs-25.11-darwin 0.5.2

pkgs.python313Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-25.11 0.5.2
- nixos-25.11-small 0.5.2
- nixpkgs-25.11-darwin 0.5.2

pkgs.python314Packages.cmsis-pack-manager

Rust and Python module for handling CMSIS Pack files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0

pkgs.home-assistant-component-tests.emoncms

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.python312Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.djangocms-admin-style

Django Theme tailored to the needs of django CMS

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-25.11 5.1.7
- nixos-25.11-small 5.1.7
- nixpkgs-25.11-darwin 5.1.7

pkgs.python313Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-unstable 5.1.7
- nixpkgs-unstable 5.1.7
- nixos-unstable-small 5.1.7
nixos-25.11 5.1.7
- nixos-25.11-small 5.1.7
- nixpkgs-25.11-darwin 5.1.7

pkgs.python314Packages.djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4

nixos-unstable 5.1.7
- nixpkgs-unstable 5.1.7
- nixos-unstable-small 5.1.7

pkgs.tests.home-assistant-component-tests.emoncms

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

pkgs.home-assistant-component-tests.emoncms_history

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.emoncms_history

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@matejc Matej Cotman <cotman.matej@gmail.com>
@romildo José Romildo Malaquias <malaquias@gmail.com>
@juliendehos Julien Dehos <dehos@lisic.univ-littoral.fr>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>
@ShamrockLee Yueh-Shun Li <shamrocklee@posteo.net>
@sbruder Simon Bruder <nixos@sbruder.de>
@frogamic Dominic Shelton <frogamic@protonmail.com>
@jollheef Mikhail Klementev <root@dumpstack.io>
@bcdarwin Ben Darwin <bcdarwin@gmail.com>
@onny Jonas Heinrich <onny@project-insanity.org>