Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

With package: yelp-xsl

Found 2 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-13601
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created suggestion
Yelp: yelp-xsl: overly permissive content security policy in yelp allows host file disclosure from flatpak applications

A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.

Affected products

yelp

Matching in nixpkgs

pkgs.yelp

Help viewer for GNOME

  • nixos-unstable 49.0
    • nixpkgs-unstable 49.0
    • nixos-unstable-small 49.0
  • nixos-26.05 49.0
    • nixos-26.05-small 49.0
    • nixpkgs-26.05-darwin 49.0

pkgs.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook

  • nixos-unstable 49.0
    • nixpkgs-unstable 49.0
    • nixos-unstable-small 49.0
  • nixos-26.05 49.0
    • nixos-26.05-small 49.0
    • nixpkgs-26.05-darwin 49.0

pkgs.yelp-tools

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

  • nixos-unstable 42.1
    • nixpkgs-unstable 42.1
    • nixos-unstable-small 42.1
  • nixos-26.05 42.1
    • nixos-26.05-small 42.1
    • nixpkgs-26.05-darwin 42.1

Package maintainers

Dismissed
Permalink CVE-2025-3155
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 year, 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed
Yelp: arbitrary file read

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

References

Affected products

yelp
  • <42.2-8
  • *
yelp-xsl
  • *

Matching in nixpkgs

pkgs.yelp

Help viewer in Gnome

  • nixos-unstable 42.2
    • nixpkgs-unstable 42.2
    • nixos-unstable-small 42.2

pkgs.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook

  • nixos-unstable 42.1
    • nixpkgs-unstable 42.1
    • nixos-unstable-small 42.1

pkgs.yelp-tools

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

  • nixos-unstable 42.1
    • nixpkgs-unstable 42.1
    • nixos-unstable-small 42.1

Package maintainers