Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1930
published 8 hours ago
OliveTin: ValidateArgumentType API Endpoint Missing Authentication Allows Action and Argument Enumeration
Permalink CVE-2026-48709
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 14 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 8 hours ago

OliveTin: ValidateArgumentType API Endpoint Missing Authentication Allows Action and Argument Enumeration

OliveTin
  • ==< 3000.13.0
NIXPKGS-2026-1929
published 8 hours ago
OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination
Permalink CVE-2026-48708
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 14 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 8 hours ago

OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination

OliveTin
  • ==< 3000.13.0
NIXPKGS-2026-1928
published 8 hours ago
Valhalla has reflected XSS via unsanitized JSONP callback parameter
Permalink CVE-2026-49294
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 14 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 8 hours ago

Valhalla has reflected XSS via unsanitized JSONP callback parameter

valhalla
  • ==<= 3.6.3
NIXPKGS-2026-1927
published 8 hours ago
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Permalink CVE-2026-48017
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 14 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 8 hours ago

DbGate: Remote Code Execution via functionName injection in loadReader endpoint

dbgate
  • ==< 7.1.9
NIXPKGS-2026-1926
published 8 hours ago
WordPress ManageWP Worker plugin <= 4.9.31 - Cross Site Scripting (XSS) vulnerability
Permalink CVE-2026-39463
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 14 hours ago
  • @LeSuisse ignored
    8 packages
    • python314Packages.uvicorn-worker
    • python313Packages.uvicorn-worker
    • buildbotPackages.buildbot-worker
    • haskellPackages.orderly-workers
    • haskellPackages.Spock-worker
    • buildbot-worker
    • worker
    • worker-build
    11 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 8 hours ago

WordPress ManageWP Worker plugin <= 4.9.31 - Cross Site Scripting (XSS) vulnerability

worker
  • =<4.9.31
NIXPKGS-2026-1925
published 8 hours ago
Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery
Permalink CVE-2026-12205
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 14 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 8 hours ago

Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery

Crypt-DSA
  • <1.21
NIXPKGS-2026-1924
published 8 hours ago
Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction
Permalink CVE-2026-47261
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 8 hours ago by @LeSuisse Activity log

Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

wasmtime
  • ==< 24.0.9
  • ==>= 37.0.0, < 44.0.2
  • ==>= 25.0.0, < 36.0.10
NIXPKGS-2026-1923
published 8 hours ago
WordPress Contact Form by WPForms plugin <= 1.10.0.4 - Broken Access Control vulnerability
Permalink CVE-2026-48835
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 8 hours ago by @LeSuisse Activity log
  • Created suggestion 14 hours ago
  • @LeSuisse accepted 11 hours ago
  • @LeSuisse published on GitHub 8 hours ago

WordPress Contact Form by WPForms plugin <= 1.10.0.4 - Broken Access Control vulnerability

wpforms-lite
  • =<1.10.0.4
NIXPKGS-2026-1922
published 1 day, 9 hours ago
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in …
Permalink CVE-2026-54411
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Automatable (AU): No (N)
  • Value Density (V): Diffuse (D)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 1 day, 9 hours ago by @LeSuisse Activity log

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in …

Linux-PAM
  • =<1.7.2
NIXPKGS-2026-1921
published 1 day, 9 hours ago
Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle
Permalink CVE-2026-11527
updated 1 day, 9 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 14 hours ago
  • @LeSuisse accepted 1 day, 9 hours ago
  • @LeSuisse published on GitHub 1 day, 9 hours ago

Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle

Config-IniFiles
  • <3.001000