Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-2094
published 13 hours ago
wget: security issues <= 1.25.0 (patches available)
Permalink CVE-2026-58472
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GNU Wget 1.25.0 Heap Buffer Overflow via HTML Attribute Encoding


wget
  • =<1.25.0
  • ==dd692d9cea5335b181d877ae917fe6e75587a812
Permalink CVE-2026-58469
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GNU Wget 1.25.0 Heap Buffer Underread via Metalink URL Parsing


wget
  • =<1.25.0
  • ==37a40fcb450153f69537c7cbc2a7a4fb0b6f7826
Permalink CVE-2026-58470
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GNU Wget 1.25.0 Integer Overflow via Content-Range Header Parsing


wget
  • ==43d3ba9336bc94937e6fae2365c6ffd30c34ffcf
  • =<1.25.0
Permalink CVE-2026-58471
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GNU Wget 1.25.0 Heap Buffer Overflow via convert_fname() in url.c


wget
  • ==c2640fe5171c59f87c58dc9fcb195b2d18b010ee
  • =<1.25.0
NIXPKGS-2026-2093
published 13 hours ago
String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored reference https://g…
  • @LeSuisse ignored
    3 packages
    • chickenPackages_5.chickenEggs.string-utils
    • python314Packages.python-string-utils
    • python313Packages.python-string-utils
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service


String-Util
  • <1.36
NIXPKGS-2026-2092
published 13 hours ago
Gimp: gimp: integer overflow in read_rle_channel()
Permalink CVE-2026-58384
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    20 packages
    • gimp2
    • gimp3
    • gimp3-with-plugins
    • gimp2Plugins.fourier
    • gimp2Plugins.farbfeld
    • gimpPlugins.lightning
    • gimp2Plugins.lightning
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.texturize
    • gimp2Plugins.gimplensfun
    • gimpPlugins.resynthesizer
    • gimp2Plugins.waveletSharpen
    • zigimports
    • gimpPlugins.gimp
    • gimpPlugins.gmic
    • gimp-with-plugins
    • gimp2Plugins.bimp
    • gimp2Plugins.gmic
    • gimp2-with-plugins
    • gimp2Plugins.gimp
  • @LeSuisse restored package gimp3
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gimp: gimp: integer overflow in read_rle_channel()


gimp
gimp:2.8/gimp
NIXPKGS-2026-2091
published 13 hours ago
Dashy: XSS in workspace url parameter
Permalink CVE-2026-55592
3.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • typstPackages.dashy-todo_0_0_2
    • typstPackages.dashy-todo_0_0_1
    • typstPackages.dashy-todo_0_0_3
    • typstPackages.dashy-todo_0_1_0
    • typstPackages.dashy-todo_0_1_1
    • typstPackages.dashy-todo_0_1_2
    • typstPackages.dashy-todo_0_1_3
    • typstPackages.dashy-todo
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Dashy: XSS in workspace url parameter


dashy
  • ==< 4.3.7
NIXPKGS-2026-2090
published 13 hours ago
calibre: Arbitrary Code Execution in Template Formatter via Book Metadata
Permalink CVE-2026-53511
8.5 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • calibre-web
    • calibre-no-speech
    • pkgsRocm.calibre-no-speech
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

calibre: Arbitrary Code Execution in Template Formatter via Book Metadata


calibre
  • ==< 9.10.0
NIXPKGS-2026-2089
published 13 hours ago
Actual: Shared users can perform owner-only file management actions
Permalink CVE-2026-50007
7.2 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package gnomeExtensions.maximized-by-default-actually-reborn
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Actual: Shared users can perform owner-only file management actions


actual
  • ==< 26.7.0
NIXPKGS-2026-2088
published 13 hours ago
apache-airflow: security issues < 3.3.0
Permalink CVE-2026-49296
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}


apache-airflow
  • <3.3.0
Permalink CVE-2026-48892
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options


apache-airflow
  • <3.3.0
Permalink CVE-2026-33264
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()


apache-airflow
  • <3.3.0
Permalink CVE-2026-48828
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key


apache-airflow
  • <3.3.0
Permalink CVE-2026-48891
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target


apache-airflow
  • <3.3.0
Permalink CVE-2026-49487
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 13 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs


apache-airflow
  • <3.3.0
NIXPKGS-2026-2087
published 1 day, 15 hours ago
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder
Permalink CVE-2026-14803
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    22 packages
    • perlPackages.MojoliciousPluginI18N
    • perlPackages.MojoliciousPluginMail
    • perl5Packages.MojoliciousPluginI18N
    • perl5Packages.MojoliciousPluginMail
    • perlPackages.MojoliciousPluginStatus
    • perlPackages.MojoliciousPluginSyslog
    • perl5Packages.MojoliciousPluginStatus
    • perl5Packages.MojoliciousPluginSyslog
    • perlPackages.MojoliciousPluginOpenAPI
    • perlPackages.MojoliciousPluginWebpack
    • perl5Packages.MojoliciousPluginOpenAPI
    • perl5Packages.MojoliciousPluginWebpack
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perlPackages.MojoliciousPluginAssetPack
    • perl5Packages.MojoliciousPluginAssetPack
    • perlPackages.MojoliciousPluginRenderFile
    • perl5Packages.MojoliciousPluginRenderFile
    • perlPackages.MojoliciousPluginTextExceptions
    • perl5Packages.MojoliciousPluginTextExceptions
    • perlPackages.MojoliciousPluginTemplateToolkit
    • perl5Packages.MojoliciousPluginTemplateToolkit
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder


Mojolicious
  • <9.47
NIXPKGS-2026-2086
published 1 day, 15 hours ago
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle
Permalink CVE-2026-13705
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • gimagereader-qt
    • imager
    • usbimager
    • vcdimager
    • rpi-imager
    • gImageReader
    • gimagereader
    • gImageReader-qt
    • perlPackages.ImagerQRCode
    • perl5Packages.ImagerQRCode
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle


Imager
  • <1.032
NIXPKGS-2026-2085
published 1 day, 15 hours ago
Gimp: gimp: stack buffer overflow in pnmscanner_gettoken()
Permalink CVE-2026-58380
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 day, 15 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    18 packages
    • zigimports
    • gimpPlugins.gimp
    • gimpPlugins.gmic
    • gimp-with-plugins
    • gimp2Plugins.bimp
    • gimp2Plugins.gimp
    • gimp2Plugins.gmic
    • gimp2-with-plugins
    • gimp3-with-plugins
    • gimp2Plugins.fourier
    • gimp2Plugins.farbfeld
    • gimpPlugins.lightning
    • gimp2Plugins.lightning
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.texturize
    • gimp2Plugins.gimplensfun
    • gimpPlugins.resynthesizer
    • gimp2Plugins.waveletSharpen
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gimp: gimp: stack buffer overflow in pnmscanner_gettoken()


gimp
gimp:2.8/gimp
Fixed in 3.2.4, needs some backports/patching on stable.