Nixpkgs security tracker

Permalink CVE-2026-2686

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months ago Activity log

Created suggestion 2 months ago

SECCN Dingcheng G10 session_login.cgi qq os command injection

A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.

References

VDB-346488 | SECCN Dingcheng G10 session_login.cgi qq os command injection vdb-entrytechnical-description
VDB-346488 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #754200 | SECCN SECCN G10 VPN V3.1.0.181203 Unauthorized RCE third-party-advisory
https://github.com/cha0yang1/SECCN/blob/main/UnauthorizedRCE.md related
https://github.com/cha0yang1/SECCN/blob/main/UnauthorizedRCE.md#2-vulnerability… exploit

Affected products

G10

==3.1.0.181203

Matching in nixpkgs

pkgs.tests.fetchFirefoxAddon.simple

None

nixos-unstable yvakg10w6mqw
- nixpkgs-unstable yvakg10w6mqw
- nixos-unstable-small yvakg10w6mqw

pkgs.tests.fetchFirefoxAddon.overridden-source