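[apps]
# One [[apps.<id>]] record per advisory, keyed by the app's package id.
# Each record carries: date (ISO-8601 string, kept quoted like every other
# entry in this file), title ("<App> / <summary>"), more_infos (array of
# reference URLs), fixed_in_version (first packaged version carrying the
# fix, "<upstream>~ynh<n>"), level ("danger" or "warning").
[[apps.rallly]]
date = "2025-12-10"
title = "Rallly / CRITICAL vulnerability in the underlying framework, Next.JS."
# Array form, consistent with every other app record; a single reference is
# still a one-element array.
more_infos = ["https://forum.yunohost.org/t/rallly-important-security-fix-please-upgrade-to-v4-5-8-ynh1/41062"]
fixed_in_version = "4.5.8~ynh1"
level = "danger"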
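[[apps.tuwunel]]
date = "2025-12-22"
# Typo fixed: "attecker" -> "attacker" (title is displayed to users as-is).
title = "Tuwunel / Lack of sufficient validation of federation events allows an attacker to take over rooms."
more_infos = ["https://github.com/matrix-construct/tuwunel/releases/tag/v1.4.8"]
fixed_in_version = "1.4.8~ynh1"
level = "danger"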
[[apps.umami]]
# Same underlying Next.JS issue as the rallly record above; tracked per app
# because each app ships its own patched package version.
date = "2025-12-10"
title = "Umami / CRITICAL vulnerability in the underlying framework, Next.JS."
# Forum thread first, upstream release notes second.
more_infos = ["https://forum.yunohost.org/t/umami-website-analytics/20133/15", "https://github.com/umami-software/umami/releases/tag/v3.0.2"]
fixed_in_version = "3.0.2~ynh1"
level = "danger"
[[apps.zipline]]
date = "2025-12-10"
title = "Zipline / Path traversal vulnerability on /raw routes"
# Upstream release notes are the only reference for this one.
more_infos = ["https://github.com/diced/zipline/releases/tag/v4.4.0"]
fixed_in_version = "4.4.0~ynh1"
level = "danger"
[[apps.n8n]]
# First of two n8n records published the same day; the second (below) is a
# separate advisory with its own fixed version.
date = "2026-01-07"
title = "N8N / CRITICAL Allows Unauthenticated Attackers to Take Full Control"
# Press coverage, upstream GHSA advisory, then the researchers' write-up.
more_infos = ["https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html", "https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg", "https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858"]
fixed_in_version = "1.123.4~ynh1"
level = "danger"
[[apps.n8n]]
# Second n8n record (distinct GHSA from the one above). Note the fixed
# version, 2.0.2~ynh1, is a different major than the 1.123.4~ynh1 fix above;
# whether both packaged branches are covered is not visible here — confirm.
date = "2026-01-07"
title = "N8N / CRITICAL Authenticated Users Execute System Commands"
more_infos = ["https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html", "https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v"]
fixed_in_version = "2.0.2~ynh1"
level = "danger"
[[apps.grist]]
date = "2026-01-21"
title = "Grist / Remote Code Execution through a malicious document"
more_infos = ["https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g", "https://forum.yunohost.org/t/grist-remote-code-execution-vulnerability-before-version-1-7-9/41367"]
# NOTE(review): the forum thread slug says "before version 1.7.9" while the
# packaged fix is pinned at 1.7.10~ynh1 — presumably the 1.7.9 package was
# never published; confirm this is the intended threshold.
fixed_in_version = "1.7.10~ynh1"
level = "danger"
[[apps.peertube]]
date = "2026-05-23"
# "exploited in the wild" is part of the user-facing title on purpose: it
# signals that upgrading is urgent, not just recommended.
title = "PeerTube / SQL injection vulnerability, exploited in the wild"
more_infos = ["https://github.com/Chocobozzz/PeerTube/releases/tag/v8.1.8"]
fixed_in_version = "8.1.8~ynh1"
level = "danger"
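[system]
# [[system.<package>]] records use the same keys as [[apps.<id>]] records,
# except that fixed_in_version may be either a single Debian version string
# or a per-release dotted table (fixed_in_version.bookworm / .trixie) — never both.
# This block with Sudo is mainly here to illustrate the syntax for system packages,
# probably not relevant to keep in the mid-term once we have more entries
[[system.sudo]]
date = "2025-06-30"
title = "sudo / CVE-2025-32462 / Privilege escalation when a sudoers conf lists a specific host rather than ALL"
# Array form, consistent with the other records; a single reference is still
# a one-element array.
more_infos = ["https://lists.debian.org/debian-security-announce/2025/msg00118.html"]
# Single-string form: the "+deb12u2" suffix is a bookworm build, so this
# entry only states the fix for bookworm.
fixed_in_version = "1.9.13p3-1+deb12u2"
level = "warning" # This shouldn't be too much of a concern in the context of YunoHost anyway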
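[[system.kernel]]
date = "2026-04-22"
# Title now follows the "<Component> / <summary>" convention used by every
# other record, so the affected component is visible where only the title
# is displayed.
title = "Linux kernel / CVE-2026-31431, 31433, 43284 and 43500 a.k.a 'Copy Fail' and 'Dirty Frag' / CRITICAL Privilege escalations from any local user account"
# Exploit write-ups first, then one Debian tracker entry per CVE.
more_infos = ["https://copy.fail/", "https://github.com/V4bel/dirtyfrag", "https://security-tracker.debian.org/tracker/CVE-2026-31431", "https://security-tracker.debian.org/tracker/CVE-2026-31433", "https://security-tracker.debian.org/tracker/CVE-2026-43284", "https://security-tracker.debian.org/tracker/CVE-2026-43500"]
# Per-release form: one fixed version per supported Debian release.
fixed_in_version.bookworm = "6.1.170-3"
fixed_in_version.trixie = "6.12.86-1"
level = "danger"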
[[system.nginx]]
date = "2026-05-17"
title = "NGINX / CVE-2026-42945 / MEDIUM Buffer overflow in the ngx_http_rewrite_module"
more_infos = ["https://security-tracker.debian.org/tracker/CVE-2026-42945", "https://depthfirst.com/nginx-rift", "https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability"]
# Per-release form: one fixed version per supported Debian release.
fixed_in_version.bookworm = "1.22.1-9+deb12u7"
fixed_in_version.trixie = "1.26.3-3+deb13u5"
# NOTE(review): rated "warning" here and MEDIUM in the title, while the third
# reference describes the same bug as reaching RCE — confirm the level is
# deliberate (e.g. only certain rewrite configurations are affected).
level = "warning"