Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: perl540Packages.MojoliciousPluginAssetPack

Found 4 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-2435
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 1 month, 4 weeks ago
ASSET-7706

Tanium addressed a SQL injection vulnerability in Asset.

References

Affected products

Asset
  • <1.33.269
  • <1.32.179
  • <1.36.108

Matching in nixpkgs

pkgs.assetfinder

Find domains and subdomains related to a given domain

pkgs.assetripper

Tool for extracting assets from Unity serialized files and asset bundles

pkgs.python313Packages.webassets

Media asset management for Python, with glue code for various web frameworks

  • nixos-unstable 2.0
    • nixpkgs-unstable 2.0
    • nixos-unstable-small 2.0
  • nixos-25.11 2.0
    • nixos-25.11-small 2.0
    • nixpkgs-25.11-darwin 2.0

Package maintainers

Untriaged
Permalink CVE-2025-15344
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months, 3 weeks ago
Tanium addressed a SQL injection vulnerability in Asset.

Tanium addressed a SQL injection vulnerability in Asset.

References

Affected products

Asset
  • <1.32.161
  • <1.28.254
  • <1.33.250

Matching in nixpkgs

pkgs.taro

Daemon for the Taproot Assets protocol specification

pkgs.cassette

GTK4/Adwaita application that allows you to use Yandex Music service on Linux operating systems

pkgs.assetfinder

Find domains and subdomains related to a given domain

pkgs.assetripper

Tool for extracting assets from Unity serialized files and asset bundles

pkgs.python312Packages.webassets

Media asset management for Python, with glue code for various web frameworks

  • nixos-unstable 2.0
    • nixpkgs-unstable 2.0
    • nixos-unstable-small 2.0
  • nixos-25.11 2.0
    • nixpkgs-25.11-darwin 2.0

pkgs.python313Packages.webassets

Media asset management for Python, with glue code for various web frameworks

  • nixos-unstable 2.0
    • nixpkgs-unstable 2.0
    • nixos-unstable-small 2.0
  • nixos-25.11 2.0
    • nixpkgs-25.11-darwin 2.0

Package maintainers

Untriaged
Permalink CVE-2024-58134
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 11 months, 2 weeks ago
Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default

Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

Affected products

Mojolicious
  • =<9.39
  • =<9.40
  • =<*

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2024-58135
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 11 months, 2 weeks ago
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets

Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Affected products

Mojolicious
  • =<9.39
  • =<9.40
  • =<*

Matching in nixpkgs

Package maintainers