Nixpkgs security tracker

Untriaged

Permalink CVE-2026-30913

4.6 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

flarum/nickname: Display name injection in notification emails (autolink & markdown)

Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.

References

https://github.com/flarum/framework/security/advisories/GHSA-3c4m-j3g4-hh25 x_refsource_CONFIRM
https://github.com/flarum/nicknames/commit/4dde99729abdce8f6e2a7437c86e38735fdcca28 x_refsource_MISC
https://github.com/flarum/nicknames/releases/tag/v1.8. x_refsource_MISC

Affected products

nicknames

==< 1.8.3

Matching in nixpkgs

pkgs.sbclPackages.trivial-package-local-nicknames

None

nixos-unstable 20220220-git
- nixpkgs-unstable 20220220-git
- nixos-unstable-small 20220220-git
nixos-25.11 20220220-git
- nixos-25.11-small 20220220-git
- nixpkgs-25.11-darwin 20220220-git

Package maintainers

@Uthar Kasper Gałkowski <galkowskikasper@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@nagy Daniel Nagy <danielnagy@posteo.de>
@lukego Luke Gorrie <luke@snabb.co>
@hraban Hraban Luyat <hraban@0brg.net>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.sbclPackages.trivial-package-local-nicknames

Package maintainers