olivetin: add known vulnerabilities (NixOS#498593)

Defelo · web-flow · commit 63d4fcb1022f · 2026-03-10T17:46:56.000Z
diff --git a/pkgs/by-name/ol/olivetin/package.nix b/pkgs/by-name/ol/olivetin/package.nix
@@ -142,6 +142,16 @@ buildGoModule (
       license = lib.licenses.agpl3Only;
       maintainers = with lib.maintainers; [ defelo ];
       mainProgram = "OliveTin";
+      knownVulnerabilities = [
+        "CVE-2026-27626: OS Command Injection via password argument type and webhook JSON extraction bypasses shell safety checks"
+        "CVE-2026-28342: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint"
+        "CVE-2026-30223: JWT Audience Validation Bypass in Local Key and HMAC Modes"
+        "CVE-2026-28789: Unauthenticated DoS via concurrent map writes in OAuth2 state handling"
+        "CVE-2026-30224: Session Fixation - Logout Fails to Invalidate Server-Side Session"
+        "CVE-2026-28790: Unauthenticated Action Termination via KillAction When Guests Must Login"
+        "CVE-2026-30233: View permission not being checked when returning dashboards"
+        "CVE-2026-30225: RestartAction always runs actions as guest"
+      ];
     };
   }
 )
