Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33209

created 4 weeks, 2 days ago

Avo has a XSS vulnerability on `return_to` param

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3.

References

https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j x_refsource_CONFIRM
https://github.com/avo-hq/avo/pull/4330 x_refsource_MISC
https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d x_refsource_MISC
https://github.com/avo-hq/avo/releases/tag/v3.30.3 x_refsource_MISC

Affected products

avo

==< 3.30.3

Matching in nixpkgs

pkgs.havoc

Minimal terminal emulator for Wayland

nixos-unstable 0.7.0
- nixpkgs-unstable 0.7.0
- nixos-unstable-small 0.7.0
nixos-25.11 0.7.0
- nixos-25.11-small 0.7.0
- nixpkgs-25.11-darwin 0.7.0

pkgs.avocode

Bridge between designers and developers

nixos-unstable 4.15.6
- nixpkgs-unstable 4.15.6
- nixos-unstable-small 4.15.6
nixos-25.11 4.15.6
- nixos-25.11-small 4.15.6
- nixpkgs-25.11-darwin 4.15.6

pkgs.flavours

Easy to use base16 scheme manager/builder that integrates with any workflow

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1
nixos-25.11 0.7.1
- nixos-25.11-small 0.7.1
- nixpkgs-25.11-darwin 0.7.1

pkgs.avogadro2

Molecule editor and visualizer

nixos-unstable 1.103.0
- nixpkgs-unstable 1.103.0
- nixos-unstable-small 1.103.0
nixos-25.11 1.102.1
- nixos-25.11-small 1.102.1
- nixpkgs-25.11-darwin 1.102.1

pkgs.endeavour

Personal task manager for GNOME

nixos-unstable 43.0
- nixpkgs-unstable 43.0
- nixos-unstable-small 43.0
nixos-25.11 43.0
- nixos-25.11-small 43.0
- nixpkgs-25.11-darwin 43.0

pkgs.pavolctld

Minimal volume control/monitoring daemon for PulseAudio and PipeWire

nixos-unstable 1.0.2
- nixpkgs-unstable 1.0.2
- nixos-unstable-small 1.0.2
nixos-25.11 1.0.2
- nixos-25.11-small 1.0.2
- nixpkgs-25.11-darwin 1.0.2

pkgs.avogadrolibs

Molecule editor and visualizer

nixos-unstable 1.103.0
- nixpkgs-unstable 1.103.0
- nixos-unstable-small 1.103.0
nixos-25.11 1.102.1
- nixos-25.11-small 1.102.1
- nixpkgs-25.11-darwin 1.102.1

pkgs.python312Packages.bitvavo-aio

Python client for Bitvavo crypto exchange API

nixos-25.11 1.0.3
- nixos-25.11-small 1.0.3
- nixpkgs-25.11-darwin 1.0.3

pkgs.python313Packages.bitvavo-aio

Python client for Bitvavo crypto exchange API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3
nixos-25.11 1.0.3
- nixos-25.11-small 1.0.3
- nixpkgs-25.11-darwin 1.0.3

pkgs.python314Packages.bitvavo-aio

Python client for Bitvavo crypto exchange API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.gnomeExtensions.favorites-menu

Minimalist favorites menu button in top panel.

nixos-unstable 2
- nixpkgs-unstable 2
- nixos-unstable-small 2
nixos-25.11 2
- nixos-25.11-small 2
- nixpkgs-25.11-darwin 2

pkgs.gnomeExtensions.panel-favorites

Add launchers for Favorites to the panel

nixos-unstable 53
- nixpkgs-unstable 53
- nixos-unstable-small 53
nixos-25.11 53
- nixos-25.11-small 53
- nixpkgs-25.11-darwin 53

pkgs.gnomeExtensions.fullscreen-avoider

Moves the top panel to the secondary monitor if the primary is in fullscreen

nixos-unstable 15
- nixpkgs-unstable 15
- nixos-unstable-small 15
nixos-25.11 15
- nixos-25.11-small 15
- nixpkgs-25.11-darwin 15

pkgs.gnomeExtensions.show-favorite-apps

This extension adds a favorite applications menu to the top panel

nixos-unstable 17
- nixpkgs-unstable 17
- nixos-unstable-small 17
nixos-25.11 16
- nixos-25.11-small 16
- nixpkgs-25.11-darwin 16

pkgs.python312Packages.django-localflavor

Country-specific Django helpers

nixos-25.11 5.0
- nixos-25.11-small 5.0
- nixpkgs-25.11-darwin 5.0

pkgs.python313Packages.django-localflavor

Country-specific Django helpers

nixos-unstable 5.0
- nixpkgs-unstable 5.0
- nixos-unstable-small 5.0
nixos-25.11 5.0
- nixos-25.11-small 5.0
- nixpkgs-25.11-darwin 5.0

pkgs.python314Packages.django-localflavor

Country-specific Django helpers

nixos-unstable 5.0
- nixpkgs-unstable 5.0
- nixos-unstable-small 5.0

pkgs.tests.fetchgit.cached-prefetch-avoids-fetch

None

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.gnomeExtensions.favorites-to-applications-grid

Keep your favorite applications in your applications grid.

Package maintainers

@megheaiulian Meghea Iulian <iulian.meghea@gmail.com>
@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@moni-dz moni <lythe1107@gmail.com>
@Misterio77 Gabriel Fontes <eu@misterio.me>
@honnip Jung seungwoo <me@honnip.page>
@tjkeller-xyz Tim Keller <tjk@tjkeller.xyz>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>

Untriaged

Permalink CVE-2025-60202

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 4 months, 2 weeks ago

WordPress Favorites plugin <= 2.3.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kyle Phillips Favorites favorites allows PHP Local File Inclusion.This issue affects Favorites: from n/a through <= 2.3.6.

References

Affected products

favorites

=<<= 2.3.6

Matching in nixpkgs

pkgs.gnomeExtensions.favorites-menu

Provide panel menu for favorites

nixos-unstable 22
- nixpkgs-unstable 22
- nixos-unstable-small 22

pkgs.gnomeExtensions.panel-favorites

Add launchers for Favorites to the panel

nixos-unstable 52
- nixpkgs-unstable 52
- nixos-unstable-small 52

pkgs.gnomeExtensions.favorites-to-applications-grid

Keep your favorite applications in your applications grid.

nixos-unstable 1
- nixpkgs-unstable 1
- nixos-unstable-small 1

Package maintainers

@honnip Jung seungwoo <me@honnip.page>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.havoc

pkgs.avocode

pkgs.flavours

pkgs.avogadro2

pkgs.endeavour

pkgs.pavolctld

pkgs.avogadrolibs

pkgs.python312Packages.bitvavo-aio

pkgs.python313Packages.bitvavo-aio

pkgs.python314Packages.bitvavo-aio

pkgs.gnomeExtensions.favorites-menu

pkgs.gnomeExtensions.panel-favorites

pkgs.gnomeExtensions.fullscreen-avoider

pkgs.gnomeExtensions.show-favorite-apps

pkgs.python312Packages.django-localflavor

pkgs.python313Packages.django-localflavor

pkgs.python314Packages.django-localflavor

pkgs.tests.fetchgit.cached-prefetch-avoids-fetch

pkgs.gnomeExtensions.favorites-to-applications-grid

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.gnomeExtensions.favorites-menu

pkgs.gnomeExtensions.panel-favorites

pkgs.gnomeExtensions.favorites-to-applications-grid

Package maintainers