Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1937
published 13 hours ago
Pacemaker: pacemaker: denial of service via integer overflow in remote message decompression
CVE-2026-10649
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

rhcos
pacemaker
Patch: https://github.com/ClusterLabs/pacemaker/commit/3e2c5e204284acc0b3b65f0b964fe6a7f1c43667
NIXPKGS-2026-1936
published 13 hours ago
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
CVE-2026-48788
8.2 HIGH
  • CVSS version (CVSS): 3.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

remark42
  • >= 1.6.0, < 1.16.0
NIXPKGS-2026-1935
published 13 hours ago
LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading
CVE-2026-48775
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    19 packages
    • langgraph-cli
    • python313Packages.langgraph
    • python314Packages.langgraph
    • python313Packages.langgraph-cli
    • python313Packages.langgraph-sdk
    • python314Packages.langgraph-cli
    • python314Packages.langgraph-sdk
    • python313Packages.langgraph-prebuilt
    • python314Packages.langgraph-prebuilt
    • python313Packages.langgraph-runtime-inmem
    • python313Packages.langgraph-store-mongodb
    • python314Packages.langgraph-runtime-inmem
    • python314Packages.langgraph-store-mongodb
    • python313Packages.langgraph-checkpoint-sqlite
    • python314Packages.langgraph-checkpoint-sqlite
    • python313Packages.langgraph-checkpoint-mongodb
    • python314Packages.langgraph-checkpoint-mongodb
    • python313Packages.langgraph-checkpoint-postgres
    • python314Packages.langgraph-checkpoint-postgres
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

langgraph
  • < 1.2.2
langraph-checkpoint
  • < 4.1.1
NIXPKGS-2026-1934
published 13 hours ago
WordPress ProfilePress plugin <= 4.16.13 - Cross Site Scripting (XSS) vulnerability
CVE-2026-41556
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

wp-user-avatar
  • <= 4.16.13
NIXPKGS-2026-1933
published 13 hours ago
svaarala duktape duk_api_bytecode.c memory corruption
CVE-2026-12216
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log

duktape
  • ==2.99.7
  • ==2.99.71
  • ==2.99.27
  • ==2.99.44
  • ==2.99.60
  • ==2.99.31
  • ==2.99.52
  • ==2.99.12
  • ==2.99.67
  • ==2.99.72
  • ==2.99.36
  • ==2.99.3
  • ==2.99.95
  • ==2.99.61
  • ==2.99.57
  • ==2.99.1
  • ==2.99.85
  • ==2.99.83
  • ==2.99.32
  • ==2.99.16
  • ==2.99.18
  • ==2.99.73
  • ==2.99.5
  • ==2.99.78
  • ==2.99.80
  • ==2.99.68
  • ==2.99.56
  • ==2.99.97
  • ==2.99.26
  • ==2.99.66
  • ==2.99.87
  • ==2.99.62
  • ==2.99.92
  • ==2.99.81
  • ==2.99.75
  • ==2.99.65
  • ==2.99.15
  • ==2.99.10
  • ==2.99.43
  • ==2.99.4
  • ==2.99.30
  • ==2.99.37
  • ==2.99.35
  • ==2.99.21
  • ==2.99.74
  • ==2.99.24
  • ==2.99.88
  • ==2.99.84
  • ==2.99.93
  • ==2.99.82
  • ==2.99.59
  • ==2.99.17
  • ==2.99.8
  • ==2.99.34
  • ==2.99.89
  • ==2.99.6
  • ==2.99.40
  • ==2.99.9
  • ==2.99.45
  • ==2.99.50
  • ==2.99.13
  • ==2.99.70
  • ==2.99.41
  • ==2.99.91
  • ==2.99.98
  • ==2.99.39
  • ==2.99.51
  • ==2.99.64
  • ==2.99.47
  • ==2.99.53
  • ==2.99.58
  • ==2.99.90
  • ==2.99.25
  • ==2.99.48
  • ==2.99.14
  • ==2.99.42
  • ==2.99.22
  • ==2.99.54
  • ==2.99.11
  • ==2.99.33
  • ==2.99.96
  • ==2.99.29
  • ==2.99.94
  • ==2.99.76
  • ==2.99.23
  • ==2.99.69
  • ==2.99.77
  • ==2.99.2
  • ==2.99.79
  • ==2.99.28
  • ==2.99.55
  • ==2.99.0
  • ==2.99.38
  • ==2.99.49
  • ==2.99.20
  • ==2.99.19
  • ==2.99.86
  • ==2.99.63
  • ==2.99.46
  • ==2.99.99
NIXPKGS-2026-1932
published 13 hours ago
Gnutls: fix use-after-free in gnutls_pkcs11_token_set_pin
CVE-2026-42014
6.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • guile-gnutls
    • python313Packages.python3-gnutls
    • python314Packages.python3-gnutls
  • @LeSuisse ignored maintainer @vcunat (maintainer.ignore)
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

rhcos
gnutls
  • *
rhui5/cds-rhel9
  • *
rhui5/rhua-rhel9
  • *
rhui5/haproxy-rhel9
  • *
rhui5/installer-rhel9
  • *
NIXPKGS-2026-1931
published 13 hours ago
FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory
CVE-2026-48777
9.3 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • filebrowser
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @LeSuisse ignored 2 maintainers (maintainer.ignore)
    • @JocimSus
    • @Denperidge
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

filebrowser
  • >= 1.4.0-beta, < 1.4.2-beta
  • < 1.3.3-stable
NIXPKGS-2026-1930
published 1 day, 10 hours ago
OliveTin: ValidateArgumentType API Endpoint Missing Authentication Allows Action and Argument Enumeration
CVE-2026-48709
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 10 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

OliveTin
  • < 3000.13.0
NIXPKGS-2026-1929
published 1 day, 10 hours ago
OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination
CVE-2026-48708
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 day, 10 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

OliveTin
  • < 3000.13.0
NIXPKGS-2026-1928
published 1 day, 10 hours ago
Valhalla has reflected XSS via unsanitized JSONP callback parameter
CVE-2026-49294
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 day, 10 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

valhalla
  • <= 3.6.3