Nixpkgs security tracker
Permalink
CVE-2026-25642
4.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): NONE
Activity log
- Created suggestion
HedgeDoc security headers for uploaded files were not working
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6.
References
-
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w x_refsource_CONFIRM
-
https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6 x_refsource_MISC
Affected products
hedgedoc
- ==< 1.10.6
Matching in nixpkgs
pkgs.hedgedoc
Realtime collaborative markdown notes on all platforms
pkgs.hedgedoc-cli
Hedgedoc CLI
-
nixos-unstable 1.0-unstable-2025-05-01
- nixpkgs-unstable 1.0-unstable-2025-05-01
- nixos-unstable-small 1.0-unstable-2025-05-01
-
nixos-25.11 1.0-unstable-2025-05-01
- nixpkgs-25.11-darwin 1.0-unstable-2025-05-01
Package maintainers
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
-
@drupol Pol Dellaiera <pol.dellaiera@protonmail.com>