Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses

Filter by:

With package: python313Packages.libcomps

Found 1 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-1961

8.0 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 weeks, 5 days ago

Forman: foreman: remote code execution via command injection in websocket proxy

A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the compromise of sensitive credentials and the entire managed infrastructure.

References

RHSA-2026:5968 vendor-advisoryx_refsource_REDHAT
RHSA-2026:5970 vendor-advisoryx_refsource_REDHAT
RHSA-2026:5971 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-1961 vdb-entryx_refsource_REDHAT
RHBZ#2437036 x_refsource_REDHATissue-tracking

Affected products

foreman

*

libcomps

*

satellite

*

python-brotli

*

python-django

*

python-pulp-rpm

*

rubygem-katello

*

rubygem-rubyipmi

*

rubygem-fog-kubevirt

*

python-pulp-container

*

rubygem-foreman_kubevirt

*

yggdrasil-worker-forwarder

*

satellite-utils:el8/foreman

Matching in nixpkgs

pkgs.foreman

Process manager for applications with multiple components

nixos-unstable 0.87.2
- nixpkgs-unstable 0.87.2
- nixos-unstable-small 0.87.2
nixos-25.11 0.87.2
- nixos-25.11-small 0.87.2
- nixpkgs-25.11-darwin 0.87.2

pkgs.libcomps

Comps XML file manipulation library

nixos-unstable 0.1.24
- nixpkgs-unstable 0.1.24
- nixos-unstable-small 0.1.24
nixos-25.11 0.1.23
- nixos-25.11-small 0.1.23
- nixpkgs-25.11-darwin 0.1.23

pkgs.satellite

Program for showing navigation satellite data

nixos-unstable 0.9.1
- nixpkgs-unstable 0.9.1
- nixos-unstable-small 0.9.1
nixos-25.11 0.9.1
- nixos-25.11-small 0.9.1
- nixpkgs-25.11-darwin 0.9.1

pkgs.wyoming-satellite

Remote voice satellite using Wyoming protocol

nixos-unstable 1.4.1
- nixpkgs-unstable 1.4.1
- nixos-unstable-small 1.4.1
nixos-25.11 1.4.1
- nixos-25.11-small 1.4.1
- nixpkgs-25.11-darwin 1.4.1

pkgs.xwayland-satellite

Xwayland outside your Wayland compositor

nixos-unstable 0.8.1
- nixpkgs-unstable 0.8.1
- nixos-unstable-small 0.8.1
nixos-25.11 0.8
- nixos-25.11-small 0.8
- nixpkgs-25.11-darwin 0.8

pkgs.python312Packages.libcomps

Comps XML file manipulation library

nixos-25.11 0.1.23
- nixos-25.11-small 0.1.23
- nixpkgs-25.11-darwin 0.1.23

pkgs.python313Packages.libcomps

Comps XML file manipulation library

nixos-unstable 0.1.24
- nixpkgs-unstable 0.1.24
- nixos-unstable-small 0.1.24
nixos-25.11 0.1.23
- nixos-25.11-small 0.1.23
- nixpkgs-25.11-darwin 0.1.23

pkgs.python314Packages.libcomps

Comps XML file manipulation library

nixos-unstable 0.1.24
- nixpkgs-unstable 0.1.24
- nixos-unstable-small 0.1.24

pkgs.home-assistant-component-tests.assist_satellite

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.assist_satellite

Open source home automation that puts local control and privacy first

nixos-unstable 2026.3.3
- nixpkgs-unstable 2026.3.3
- nixos-unstable-small 2026.3.4

Package maintainers

@zimbatm zimbatm <zimbatm@zimbatm.com>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@katexochen Paul Meyer <katexochen0@gmail.com>
@Luflosi Luflosi <luflosi@luflosi.de>
@if-loop69420 Jeremy Sztavinovszki <j.sztavi@pm.me>
@sodiboo sodiboo
@getchoo Seth Flynn <getchoo@tuta.io>

1