Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-14193
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
DVP80ES300T - Improper Validation of Array Index Vulnerability

DVP80ES300T with Improper Validation of Array Index Vulnerability

Affected products

DVP80ES300T
  • =<1.08
Dismissed
(no matching packages found)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
None

None

Affected products

Dismissed
(no matching packages found)
Permalink CVE-2026-55886
6.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Jodit Editor: Prototype Pollution in Jodit via Jodit.modules.Helpers.set()

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.set(chain, value, obj), which walks the dot-separated chain, creating and following each path segment without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype. Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable, causing unexpected property injection, logic bypass, denial of service, or secondary security issues. This issue has been fixed in version 4.12.26.

Affected products

jodit
  • ==< 4.12.26
Dismissed
(no matching packages found)
Permalink CVE-2026-14440
7.6 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Cloudflare Universal SSL automatically managed CAA RRset supersedes customer-configured CAA records

Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue "letsencrypt.org"' without parameters). On Universal SSL zones, Cloudflare's authoritative DNS serves this auto-managed RRset at query time, superseding any customer-configured CAA records on the zone. When a customer publishes a stricter CAA record using the RFC 8657 accounturi or validationmethods parameters, the Certificate Authority does not observe those parameters when evaluating the served RRset under RFC 8659. As a result, the RFC 8657 account-binding and validation-method-binding protections are not enforced end-to-end on Universal SSL zones. Successful exploitation could result in issuance of a browser-trusted TLS certificate to an attacker, enabling MITM against the affected domain. Exploitation is non-trivial in practice: an attacker would need to hold an ACME account at one of the Certificate Authorities in the served CAA RRset and to simultaneously satisfy domain control validation across the multiple geographically distinct Network Perspectives the CA relies on for Multi-Perspective Issuance Corroboration. Cloudflare prefixes are anycast-announced from hundreds of locations globally, raising the bar against single-vantage-point BGP hijacks. Any resulting misissuance of a browser-trusted certificate is subject to Certificate Transparency logging required by major browsers, and would be visible to CT monitoring. Mitigation:  Customers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone. Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both.  Certificate Transparency monitoring is recommended for all customers as a general detection control. Credits: David Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher

Affected products

Universal SSL
  • =<current
Dismissed
(no matching packages found)
Permalink CVE-2026-20215
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
ClamAV 7Zip File Format Processing Out-of-Bounds Memory Corruption Vulnerability

A vulnerability in the 7z file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in 7z files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains 7z&nbsp;content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Affected products

Cisco Secure Endpoint
  • ==1.15.1
  • ==1.24.1
  • ==1.21.3
  • ==1.20.2
  • ==8.1.7.21512
  • ==1.19.0
  • ==8.4.2.30317
  • ==7.5.21.21732
  • ==6.2.1
  • ==1.27.1
  • ==1.12.4
  • ==1.15.6
  • ==7.5.5
  • ==8.2.1.21612
  • ==1.7.0
  • ==7.4.3.20679
  • ==8.4.5.30483
  • ==1.16.1
  • ==7.5.7
  • ==1.12.7
  • ==7.4.1
  • ==1.12.5
  • ==8.0.1.21164
  • ==1.15.5
  • ==1.24.0
  • ==6.2.5
  • ==7.1.5
  • ==7.5.3
  • ==8.4.0
  • ==6.2.9
  • ==1.12.3
  • ==1.23.1
  • ==7.5.1.20813
  • ==1.16.3
  • ==1.21.2
  • ==8.4.1.30307
  • ==1.15.0
  • ==1.9.0
  • ==8.2.1.21650
  • ==1.18.0
  • ==1.12.2
  • ==1.23.0
  • ==6.3.3
  • ==1.20.8
  • ==7.5.11
  • ==8.2.3.30119
  • ==1.17.0
  • ==8.4.1.30298
  • ==1.15.3
  • ==7.3.13
  • ==1.20.0
  • ==6.3.7
  • ==8.4.4.30419
  • ==6.2.19
  • ==1.25.1
  • ==1.16.0
  • ==1.22.3
  • ==8.1.3.21242
  • ==1.26.0
  • ==1.27.0
  • ==7.3.15
  • ==1.16.2
  • ==8.2.4.30130
  • ==1.11.1
  • ==1.17.1
  • ==7.3.5
  • ==8.1.3
  • ==7.5.9
  • ==8.4.4.30467
  • ==1.24.3
  • ==1.10.1
  • ==7.2.5
  • ==1.14.1
  • ==1.12.0
  • ==1.9.1
  • ==1.18.1
  • ==7.2.13
  • ==1.20.5
  • ==7.5.13.21598
  • ==1.13.0
  • ==6.3.5
  • ==7.4.5
  • ==1.10.2
  • ==1.22.0
  • ==1.27.2
  • ==8.1.7
  • ==7.4.1.20425
  • ==1.11.0
  • ==1.20.6
  • ==6.1.9
  • ==1.14.0
  • ==7.5.17.21680
  • ==1.6.0
  • ==1.24.4
  • ==1.20.3
  • ==1.25.0
  • ==7.5.20
  • ==6.3.1
  • ==7.2.3
  • ==1.13.1
  • ==8.1.5.21322
  • ==1.25.2
  • ==7.5.13.21586
  • ==7.1.1
  • ==7.2.11
  • ==1.21.1
  • ==1.22.1
  • ==1.22.4
  • ==7.0.5
  • ==7.4.1.20439
  • ==1.17.2
  • ==7.2.7
  • ==1.12.1
  • ==7.4.3
  • ==6.1.7
  • ==1.15.2
  • ==1.20.4
  • ==1.8.4
  • ==7.3.3
  • ==1.12.6
  • ==7.3.9
  • ==7.3.1
  • ==6.2.3
  • ==8.0.1.21160
  • ==6.0.7
  • ==1.21.0
  • ==1.20.7
  • ==6.0.9
  • ==1.15.4
  • ==1.13.2
  • ==1.20.1
  • ==8.1.7.21417
  • ==1.26.1
  • ==8.1.7.21585
  • ==6.1.5
  • ==1.22.2
  • ==1.10.0
  • ==1.8.0
  • ==1.8.1
  • ==7.5.19
  • ==7.5.1.20833
  • ==7.5.15.21611
  • ==8.1.5
  • ==1.24.5
  • ==8.4.3
  • ==1.24.2
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI

In the Linux kernel, the following vulnerability has been resolved: riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI Fixes a warning while dumping core: [54983.546369][ C7] WARNING: [!note_name] fs/binfmt_elf.c:1771 at elf_core_dump+0x910/0xf68, CPU#7: abort01/31982

Affected products

Linux
  • =<*
  • ==7.0
  • <e3573f739e3dadab57ec80488d07e05c8f6e82d3
  • <7.0
  • <08200bef0983ffed039ab399df0cba8d900ce5fc
  • =<7.0.*
Dismissed
(no matching packages found)
Permalink CVE-2026-11988
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
LearnPress <= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via 'userId' Parameter

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.

Affected products

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
  • =<4.3.9.1
Dismissed
(no matching packages found)
Permalink CVE-2026-20244
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
ClamAV DMG File Processing Denial of Service Vulnerability

A vulnerability in the DMG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in DMG files during scanning, which may result in an integer overflow on 32-bit platforms only. An attacker could exploit this vulnerability by submitting a crafted file that contains DMG content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Affected products

Cisco Secure Endpoint
  • ==1.15.1
  • ==1.24.1
  • ==1.21.3
  • ==1.20.2
  • ==8.1.7.21512
  • ==1.19.0
  • ==8.4.2.30317
  • ==7.5.21.21732
  • ==6.2.1
  • ==1.27.1
  • ==1.12.4
  • ==1.15.6
  • ==7.5.5
  • ==8.2.1.21612
  • ==1.7.0
  • ==7.4.3.20679
  • ==8.4.5.30483
  • ==1.16.1
  • ==7.5.7
  • ==1.12.7
  • ==7.4.1
  • ==1.12.5
  • ==8.0.1.21164
  • ==1.15.5
  • ==1.24.0
  • ==6.2.5
  • ==7.1.5
  • ==7.5.3
  • ==8.4.0
  • ==6.2.9
  • ==1.12.3
  • ==1.23.1
  • ==7.5.1.20813
  • ==1.16.3
  • ==1.21.2
  • ==8.4.1.30307
  • ==1.15.0
  • ==1.9.0
  • ==8.2.1.21650
  • ==1.18.0
  • ==1.12.2
  • ==1.23.0
  • ==6.3.3
  • ==1.20.8
  • ==7.5.11
  • ==8.2.3.30119
  • ==1.17.0
  • ==8.4.1.30298
  • ==1.15.3
  • ==7.3.13
  • ==1.20.0
  • ==6.3.7
  • ==8.4.4.30419
  • ==6.2.19
  • ==1.25.1
  • ==1.16.0
  • ==1.22.3
  • ==8.1.3.21242
  • ==1.26.0
  • ==1.27.0
  • ==7.3.15
  • ==1.16.2
  • ==8.2.4.30130
  • ==1.11.1
  • ==1.17.1
  • ==7.3.5
  • ==8.1.3
  • ==7.5.9
  • ==8.4.4.30467
  • ==1.24.3
  • ==1.10.1
  • ==7.2.5
  • ==1.14.1
  • ==1.12.0
  • ==1.9.1
  • ==1.18.1
  • ==7.2.13
  • ==1.20.5
  • ==7.5.13.21598
  • ==1.13.0
  • ==6.3.5
  • ==7.4.5
  • ==1.10.2
  • ==1.22.0
  • ==1.27.2
  • ==8.1.7
  • ==7.4.1.20425
  • ==1.11.0
  • ==1.20.6
  • ==6.1.9
  • ==1.14.0
  • ==7.5.17.21680
  • ==1.6.0
  • ==1.24.4
  • ==1.20.3
  • ==1.25.0
  • ==7.5.20
  • ==6.3.1
  • ==7.2.3
  • ==1.13.1
  • ==8.1.5.21322
  • ==1.25.2
  • ==7.5.13.21586
  • ==7.1.1
  • ==7.2.11
  • ==1.21.1
  • ==1.22.1
  • ==1.22.4
  • ==7.0.5
  • ==7.4.1.20439
  • ==1.17.2
  • ==7.2.7
  • ==1.12.1
  • ==7.4.3
  • ==6.1.7
  • ==1.15.2
  • ==1.20.4
  • ==1.8.4
  • ==7.3.3
  • ==1.12.6
  • ==7.3.9
  • ==7.3.1
  • ==6.2.3
  • ==8.0.1.21160
  • ==6.0.7
  • ==1.21.0
  • ==1.20.7
  • ==6.0.9
  • ==1.15.4
  • ==1.13.2
  • ==1.20.1
  • ==8.1.7.21417
  • ==1.26.1
  • ==8.1.7.21585
  • ==6.1.5
  • ==1.22.2
  • ==1.10.0
  • ==1.8.0
  • ==1.8.1
  • ==7.5.19
  • ==7.5.1.20833
  • ==7.5.15.21611
  • ==8.1.5
  • ==1.24.5
  • ==8.4.3
  • ==1.24.2
Dismissed
(no matching packages found)
Permalink CVE-2026-20460
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
In Modem, there is a possible information disclosure due to …

In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788.

Affected products

MediaTek chipset
  • ==MT6988
  • ==MT6893
  • ==MT6990
  • ==MT8781
  • ==MT6983
  • ==MT6781
  • ==MT6986D
  • ==MT6853
  • ==MT6875
  • ==MT6878
  • ==MT6789
  • ==MT8676
  • ==MT8766R
  • ==MT8755
  • ==MT8766
  • ==MT6989
  • ==MT8786
  • ==MT6779
  • ==MT6985
  • ==MT6991
  • ==MT6895
  • ==MT6813
  • ==MT6873
  • ==MT6885
  • ==MT8873
  • ==MT8797
  • ==MT6896
  • ==MT6980
  • ==MT8792
  • ==MT6899
  • ==MT6833
  • ==MT6883
  • ==MT8791
  • ==MT6891
  • ==MT6890
  • ==MT6855
  • ==MT8673
  • ==MT8768
  • ==MT8771
  • ==MT8796
  • ==MT6889
  • ==MT6835
  • ==MT6880
  • ==MT8675
  • ==MT2735
  • ==MT8775
  • ==MT8678
  • ==MT6858
  • ==MT6877
  • ==MT8793
  • ==MT8798
  • ==MT6783
  • ==MT6879
  • ==MT8789
  • ==MT6785
  • ==MT2737
  • ==MT6886
  • ==MT8791T
  • ==MT6897
  • ==MT8788
  • ==MT8883
  • ==MT8893
  • ==MT8863
  • ==MT8765
  • ==MT6993
  • ==MT8795T
  • ==MT8788E
Dismissed
(no matching packages found)
Permalink CVE-2026-11387
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 2 days ago Activity log
  • Created & dismissed (no matching packages found) suggestion
SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.

Affected products

SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery
  • =<3.9.5