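# Security advisories for packages shipped through the YunoHost catalog.
#
# Each advisory is one element of an array of tables keyed by the package id
# ([[apps.<id>]] for apps, [[system.<id>]] for system packages). A package with
# several advisories repeats its header; the entries are kept in the order
# they were added (see n8n below).
#
# Fields used in this file:
#   date             - publication date as a quoted ISO string (YYYY-MM-DD)
#   title            - "<Package> / <short description of the issue>"
#   more_infos       - array of reference URLs (advisory, release notes, forum post);
#                      always an array, even for a single link, so every entry has
#                      the same shape
#   fixed_in_version - first YunoHost package version that carries the fix
#   level            - severity; the values used here are "danger" and "warning"

[apps]

[[apps.rallly]]
date = "2025-12-10"
title = "Rallly / CRITICAL vulnerability in the underlying framework, Next.JS."
more_infos = ["https://forum.yunohost.org/t/rallly-important-security-fix-please-upgrade-to-v4-5-8-ynh1/41062"]
fixed_in_version = "4.5.8~ynh1"
level = "danger"

[[apps.tuwunel]]
date = "2025-12-22"
title = "Tuwunel / Lack of sufficient validation of federation events allows an attacker to take over rooms."
more_infos = ["https://github.com/matrix-construct/tuwunel/releases/tag/v1.4.8"]
fixed_in_version = "1.4.8~ynh1"
level = "danger"

[[apps.umami]]
date = "2025-12-10"
title = "Umami / CRITICAL vulnerability in the underlying framework, Next.JS."
more_infos = [
    "https://forum.yunohost.org/t/umami-website-analytics/20133/15",
    "https://github.com/umami-software/umami/releases/tag/v3.0.2",
]
fixed_in_version = "3.0.2~ynh1"
level = "danger"

[[apps.zipline]]
date = "2025-12-10"
title = "Zipline / Path traversal vulnerability on /raw routes"
more_infos = ["https://github.com/diced/zipline/releases/tag/v4.4.0"]
fixed_in_version = "4.4.0~ynh1"
level = "danger"

# n8n has two distinct advisories, each with its own fixed version.
[[apps.n8n]]
date = "2026-01-07"
title = "N8N / CRITICAL Allows Unauthenticated Attackers to Take Full Control"
more_infos = [
    "https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html",
    "https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg",
    "https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858",
]
fixed_in_version = "1.123.4~ynh1"
level = "danger"

[[apps.n8n]]
date = "2026-01-07"
title = "N8N / CRITICAL Authenticated Users Execute System Commands"
more_infos = [
    "https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html",
    "https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v",
]
fixed_in_version = "2.0.2~ynh1"
level = "danger"

[[apps.grist]]
date = "2026-01-21"
title = "Grist / Remote Code Execution through a malicious document"
more_infos = [
    "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g",
    "https://forum.yunohost.org/t/grist-remote-code-execution-vulnerability-before-version-1-7-9/41367",
]
fixed_in_version = "1.7.10~ynh1"
level = "danger"

[system]

# This block with Sudo is mainly here to illustrate the syntax for system packages,
# probably not relevant to keep in the mid-term once we have more entries.
# fixed_in_version for system packages is the Debian package version, not a
# YunoHost "~ynhN" version.
[[system.sudo]]
date = "2025-06-30"
title = "sudo / CVE-2025-32462 / Privilege escalation when a sudoers conf lists a specific host rather than ALL"
more_infos = ["https://lists.debian.org/debian-security-announce/2025/msg00118.html"]
fixed_in_version = "1.9.13p3-1+deb12u2"
level = "warning" # This shouldn't be too much of a concern in the context of YunoHost anyway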