Nixpkgs security tracker

Untriaged

Permalink CVE-2026-8759

5.5 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 1 week, 6 days ago Activity log

Created suggestion 1 week, 6 days ago

xiandafu beetl SpELFunction SpELFunction.java expression language injection

A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-364386 | xiandafu beetl SpELFunction SpELFunction.java expression language injection vdb-entry
VDB-364386 | CTI Indicators (IOB, IOC, IOA) permissions-requiredsignature
Submit #811316 | Beetl <= 3.20.2.RELEASE Code Injection third-party-advisory
https://gitee.com/xiandafu/beetl/issues/IIYAWC exploitbroken-linkissue-tracking
https://gitee.com/xiandafu/beetl/ productbroken-link

Affected products

beetl

==3.20.1
==3.20.0
==3.20.2

Matching in nixpkgs

pkgs.tigerbeetle

Financial accounting database designed to be distributed and fast

nixos-unstable 0.17.2
- nixpkgs-unstable 0.17.3
- nixos-unstable-small 0.17.3
nixos-25.11 0.16.64
- nixos-25.11-small 0.16.64
- nixpkgs-25.11-darwin 0.16.64

Package maintainers

@DanielSidhion Daniel Sidhion <nixpkgs@sidhion.com>
@nwjsmith Nate Smith <nate@theinternate.com>

Dismissed

Permalink CVE-2025-31407

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

updated 1 year, 1 month ago by @LeSuisse Activity log

Created suggestion 1 year, 1 month ago
@LeSuisse dismissed 1 year, 1 month ago

WordPress Tiger theme <= 2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hutsixdigital Tiger allows Stored XSS.This issue affects Tiger: from n/a through 2.0.