Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: gobusybox

Found 3 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-2709
3.5 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months ago Activity log
  • Created suggestion 2 months ago
busy Callback app.js redirect

A flaw has been found in busy up to 2.5.5. The affected element is an unknown function of the file source-code/busy-master/src/server/app.js of the component Callback Handler. Executing a manipulation of the argument state can lead to open redirect. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

busy
  • ==2.5.3
  • ==2.5.4
  • ==2.5.1
  • ==2.5.5
  • ==2.5.0
  • ==2.5.2

Matching in nixpkgs

pkgs.busybox

Tiny versions of common UNIX utilities in a single small executable

Permalink CVE-2026-26157
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Busybox: busybox: arbitrary file overwrite and potential code execution via incomplete path sanitization

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

Affected products

busybox

Matching in nixpkgs

pkgs.busybox

Tiny versions of common UNIX utilities in a single small executable

Permalink CVE-2026-26158
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

Affected products

busybox

Matching in nixpkgs

pkgs.busybox

Tiny versions of common UNIX utilities in a single small executable