Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-39911

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 weeks, 2 days ago Activity log

Created suggestion 2 weeks, 2 days ago

Hashgraph Guardian 3.5.0 Unsandboxed JavaScript Execution RCE

Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

References

https://github.com/hashgraph/guardian/pull/5929 issue-trackingmitigation
https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-… third-party-advisory

Affected products

guardian

=<3.5.0

Matching in nixpkgs

pkgs.adguardian

Terminal-based, real-time traffic monitoring and statistics for your AdGuard Home instance

nixos-unstable 1.6.0
- nixpkgs-unstable 1.6.0
- nixos-unstable-small 1.6.0
nixos-25.11 1.6.0
- nixos-25.11-small 1.6.0
- nixpkgs-25.11-darwin 1.6.0

pkgs.python312Packages.aioguardian

Python library to interact with Elexa Guardian devices

nixos-25.11 2025.02.0
- nixos-25.11-small 2025.02.0
- nixpkgs-25.11-darwin 2025.02.0

pkgs.python313Packages.aioguardian

Python library to interact with Elexa Guardian devices

nixos-unstable 2026.01.1
- nixpkgs-unstable 2026.01.1
- nixos-unstable-small 2026.01.1
nixos-25.11 2025.02.0
- nixos-25.11-small 2025.02.0
- nixpkgs-25.11-darwin 2025.02.0

pkgs.python314Packages.aioguardian

Python library to interact with Elexa Guardian devices

nixos-unstable 2026.01.1
- nixpkgs-unstable 2026.01.1
- nixos-unstable-small 2026.01.1

pkgs.python312Packages.pygitguardian

Library to access the GitGuardian API

nixos-25.11 1.27.0
- nixos-25.11-small 1.27.0
- nixpkgs-25.11-darwin 1.27.0

pkgs.python313Packages.pygitguardian

Library to access the GitGuardian API

nixos-unstable 1.28.0
- nixpkgs-unstable 1.28.0
- nixos-unstable-small 1.28.0
nixos-25.11 1.27.0
- nixos-25.11-small 1.27.0
- nixpkgs-25.11-darwin 1.27.0

pkgs.python314Packages.pygitguardian

Library to access the GitGuardian API

nixos-unstable 1.28.0
- nixpkgs-unstable 1.28.0
- nixos-unstable-small 1.28.0

pkgs.python312Packages.django-guardian

Per object permissions for Django

nixos-25.11 3.2.0
- nixos-25.11-small 3.2.0
- nixpkgs-25.11-darwin 3.2.0

pkgs.python313Packages.django-guardian

Per object permissions for Django

nixos-unstable 3.2.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0
nixos-25.11 3.2.0
- nixos-25.11-small 3.2.0
- nixpkgs-25.11-darwin 3.2.0

pkgs.python314Packages.django-guardian

Per object permissions for Django

nixos-unstable 3.2.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0

pkgs.home-assistant-component-tests.guardian

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.guardian

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.1
- nixpkgs-unstable 2026.4.1
- nixos-unstable-small 2026.4.1

pkgs.python312Packages.djangorestframework-guardian

Django-guardian support for Django REST Framework

nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python313Packages.djangorestframework-guardian

Django-guardian support for Django REST Framework

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0
nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python314Packages.djangorestframework-guardian

Django-guardian support for Django REST Framework

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.python312Packages.djangorestframework-guardian2

Django-guardian support for Django REST Framework

pkgs.python313Packages.djangorestframework-guardian2

Django-guardian support for Django REST Framework

Package maintainers

@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@e1mo Nina Fromm <nixpkgs@e1mo.de>