Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1977
published 14 hours ago
Grav - XML External Entity Injection via SVG Upload
Permalink CVE-2026-56701
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    21 packages
    • gravit
    • antigravity
    • antigravity-cli
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Grav - XML External Entity Injection via SVG Upload


Grav
  • ==2.0.0-beta.2
  • <2.0.0-beta.2
NIXPKGS-2026-1976
published 14 hours ago
CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through …
Permalink CVE-2026-57062
2.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    15 packages
    • pam_gnupg
    • gnupg-pkcs11-scd
    • phpExtensions.gnupg
    • php82Extensions.gnupg
    • php83Extensions.gnupg
    • php84Extensions.gnupg
    • php85Extensions.gnupg
    • sequoia-chameleon-gnupg
    • perlPackages.GnuPGInterface
    • perl5Packages.GnuPGInterface
    • perl538Packages.GnuPGInterface
    • perl540Packages.GnuPGInterface
    • python312Packages.python-gnupg
    • python313Packages.python-gnupg
    • python314Packages.python-gnupg
  • @LeSuisse ignored reference https://w…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through …


GnuPG
  • =<2.5.20
NIXPKGS-2026-1975
published 14 hours ago
Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
Permalink CVE-2026-54761
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package traefik-certs-dumper
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services


traefik
  • ==< 3.6.21
  • ==>= 3.7.0-ea.1, < 3.7.5
NIXPKGS-2026-1974
published 14 hours ago
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Permalink CVE-2026-54316
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • claude-code-acp
    • gnomeExtensions.claude-code-usage
    • claude-code-router
    • gnomeExtensions.claude-code-switcher
    • vscode-extensions.anthropic.claude-code
    • gnomeExtensions.claude-code-usage-indicator
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch


claude-code
  • ==>= 0.2.54, < 2.1.163
Needs a backport to 26.05
NIXPKGS-2026-1973
published 14 hours ago
GNU libidn before 1.44 is prone to out-of-bounds reads of …
Permalink CVE-2026-57053
4.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • libidn2
    • perlPackages.NetLibIDN2
    • perl5Packages.NetLibIDN2
    • perl538Packages.NetLibIDN2
    • perl540Packages.NetLibIDN2
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GNU libidn before 1.44 is prone to out-of-bounds reads of …


libidn
  • <1.44
NIXPKGS-2026-1972
published 15 hours ago
yt-dlp: security issues <2026.06.09
Permalink CVE-2026-50019
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • python312Packages.yt-dlp
    • python312Packages.yt-dlp-ejs
    • python313Packages.yt-dlp-ejs
    • python314Packages.yt-dlp-ejs
    • python312Packages.yt-dlp-light
    • python312Packages.yt-dlp-dearrow
    • python314Packages.yt-dlp-dearrow
    • python313Packages.yt-dlp-dearrow
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

yt-dlp: File Downloader cookie leak with curl


yt-dlp
  • ==>= 2023.09.24, < 2026.06.09
Permalink CVE-2026-50574
8.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • python312Packages.yt-dlp
    • python312Packages.yt-dlp-ejs
    • python313Packages.yt-dlp-ejs
    • python314Packages.yt-dlp-ejs
    • python312Packages.yt-dlp-light
    • python313Packages.yt-dlp-light
    • python314Packages.yt-dlp-light
    • python312Packages.yt-dlp-dearrow
    • python313Packages.yt-dlp-dearrow
    • python314Packages.yt-dlp-dearrow
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

yt-dlp: Arbitrary code execution via manifest downloads with aria2c


yt-dlp
  • ==< 2026.06.09
Permalink CVE-2026-50023
8.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.yt-dlp
    • python314Packages.yt-dlp-ejs
    • python313Packages.yt-dlp-ejs
    • python312Packages.yt-dlp-ejs
    • python312Packages.yt-dlp-dearrow
    • python313Packages.yt-dlp-dearrow
    • python314Packages.yt-dlp-dearrow
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)


yt-dlp
  • ==< 2026.06.09
NIXPKGS-2026-1971
published 15 hours ago
dhcpcd: security issues =<10.3.2
Permalink CVE-2026-56117
5.7 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

dhcpcd Heap Use-After-Free via Control Socket Handling


dhcpcd
  • ==78ea09ed1633a583dbcde6e7bab9df4639ec8a34
  • =<10.3.2
Permalink CVE-2026-56113
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

dhcpcd Heap Use-After-Free in dhcp6_deprecateaddrs via DHCPv6 RENEW


dhcpcd
  • =<10.3.2
  • ==5733d3c59a5651f64357ac11c98b4f39895c8d25
Permalink CVE-2026-56116
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

dhcpcd Memory Leak DoS via IPv6 Router Advertisement Handling


dhcpcd
  • ==708b4a56bae080a5b18c2e0c4c6fbe103131a2b0
  • =<10.3.2
Permalink CVE-2026-56114
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()


dhcpcd
  • ==2f00c7bfc408b6582d331932dfa47829c4819029
  • =<10.3.2
NIXPKGS-2026-1970
published 15 hours ago
dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()
Permalink CVE-2026-56115
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()


dhcpcd
  • ==2f00c7bfc408b6582d331932dfa47829c4819029
  • =<10.3.2
NIXPKGS-2026-1969
published 15 hours ago
n8n: security issues < 2.25.7
Permalink CVE-2026-49465
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Git Node Clone and Push Operations Bypass File Sandbox


n8n
  • ==< 1.123.48
  • ==>= 2.0.0-rc.0, < 2.21.8
  • ==>= 2.22.0, < 2.22.4
Permalink CVE-2026-54313
6.5 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): High (H)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: NoSQL Injection in MongoDB Node Find And Replace Operation


n8n
  • ==< 2.24.0
Permalink CVE-2026-54308
6.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node


n8n
  • ==>= 2.26.0, < 2.26.2
  • ==< 2.25.7
Permalink CVE-2026-54306
6.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Prototype Pollution enables confused-deputy execution via public webhooks


n8n
  • ==>= 2.26.0, < 2.26.2
  • ==< 2.25.7
Permalink CVE-2026-54302
7.0 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Stored XSS in Chat Trigger Node


n8n
  • ==>= 2.0.0-rc.0, < 2.25.7
  • ==>= 2.26.0, < 2.26.2
  • ==< 1.123.55
Permalink CVE-2026-54309
8.8 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: n8n MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions


n8n
  • ==>= 2.26.0, < 2.26.2
  • ==< 2.25.7
Permalink CVE-2026-54304
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host


n8n
  • ==>= 2.0.0-rc.0, < 2.25.7
  • ==>= 2.26.0, < 2.26.1
  • ==< 1.123.55
Permalink CVE-2026-54303
6.8 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints


n8n
  • ==< 2.24.0
Permalink CVE-2026-54307
8.5 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): Low (L)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Credential Exfiltration via Permission Bypass


n8n
  • ==>= 2.0.0-rc.0, < 2.25.7
  • ==>= 2.26.0, < 2.26.2
  • ==< 1.123.55
Permalink CVE-2026-54301
7.0 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Same-Origin XSS in Respond to Webhook Node


n8n
  • ==>= 2.0.0-rc.0, < 2.25.7
  • ==>= 2.26.0, < 2.26.2
  • ==< 1.123.55
Permalink CVE-2026-54314
6.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Denial of Service via ZIP decompression in webhook workflow


n8n
  • ==< 2.24.0
Permalink CVE-2026-54312
7.2 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Microsoft SQL Node Prototype Pollution


n8n
  • ==< 2.24.0
Permalink CVE-2026-54311
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Merge Node SQL Mode Prototype Pollution


n8n
  • ==>= 2.26.0, < 2.26.2
  • ==< 2.25.7
Permalink CVE-2026-54310
6.5 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): High (H)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes


n8n
  • ==>= 2.26.0, < 2.26.2
  • ==< 2.25.7
NIXPKGS-2026-1968
published 15 hours ago
Deno: security issues < 2.8.1
Permalink CVE-2026-49440
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    17 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • python314Packages.denonavr
    • python313Packages.denon-rs232
    • python314Packages.denon-rs232
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • gnomeExtensions.marantz-and-denon-avr-controller
    • home-assistant-component-tests.denonavr
    • python314Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • python313Packages.bnunicodenormalizer
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Deno: Miller-Rabin Primality Test Allows Zero Rounds


deno
  • ==< 2.8.1
26.05 needs some backports or patching.
Permalink CVE-2026-49860
5.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    17 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • python314Packages.denonavr
    • python313Packages.denon-rs232
    • python314Packages.denon-rs232
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • python314Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    • gnomeExtensions.marantz-and-denon-avr-controller
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Deno: WebSocket API sandbox bypass via missing post-DNS check


deno
  • ==< 2.8.1
26.05 needs some backports/patching
Permalink CVE-2026-49411
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    17 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • python314Packages.denonavr
    • python313Packages.denon-rs232
    • python314Packages.denon-rs232
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • python314Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    • gnomeExtensions.marantz-and-denon-avr-controller
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks


deno
  • ==< 2.8.0
26.05 needs some backports/patching
Permalink CVE-2026-49859
5.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    17 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • python314Packages.denonavr
    • python313Packages.denon-rs232
    • python314Packages.denon-rs232
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • python314Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • gnomeExtensions.marantz-and-denon-avr-controller
    • home-assistant-component-tests.denonavr
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Deno: `fetch()` API sandbox bypass via missing DNS resolution check


deno
  • ==< 2.8.1
26.05 needs some backports/patching
Permalink CVE-2026-49983
5.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    17 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • python314Packages.denonavr
    • python313Packages.denon-rs232
    • python314Packages.denon-rs232
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • python314Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    • gnomeExtensions.marantz-and-denon-avr-controller
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access


deno
  • ==< 2.8.1
26.05 needs some backports/patching