Nixpkgs Security Tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0739
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails Active Storage has possible glob injection in its DiskService

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

activestorage
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m

NIXPKGS-2026-0746
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse removed 4 packages:
    • rubyPackages.yard-activesupport-concern
    • rubyPackages_3_3.yard-activesupport-concern
    • rubyPackages_3_4.yard-activesupport-concern
    • rubyPackages_4_0.yard-activesupport-concern
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails Active Support has a possible DoS vulnerability in its number helpers

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

activesupport
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Ignored packages (4)
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9

NIXPKGS-2026-0743
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails has a possible XSS vulnerability in its Action View tag helpers

Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

actionview
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq

NIXPKGS-2026-0738
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse removed 4 packages:
    • rubyPackages.yard-activesupport-concern
    • rubyPackages_3_3.yard-activesupport-concern
    • rubyPackages_3_4.yard-activesupport-concern
    • rubyPackages_4_0.yard-activesupport-concern
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

activesupport
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Ignored packages (4)
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38

NIXPKGS-2026-0742
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails Active Storage has possible content type bypass via metadata in direct uploads

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

activestorage
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg

NIXPKGS-2026-0744
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse removed 4 packages:
    • rubyPackages.yard-activesupport-concern
    • rubyPackages_3_3.yard-activesupport-concern
    • rubyPackages_3_4.yard-activesupport-concern
    • rubyPackages_4_0.yard-activesupport-concern
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

activesupport
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Ignored packages (4)
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v

NIXPKGS-2026-0740
published on 24 Mar 2026
CVE-2026-1940
CVSS score: 5.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse removed 8 packages:
    • gst_all_1.gstreamermm
    • gst_all_1.gst-vaapi
    • ocamlPackages_latest.gstreamer
    • ocamlPackages.gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • obs-studio-plugins.obs-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GStreamer: incomplete fix of CVE-2026-1940

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in the `gst_wavparse_adtl_chunk()` function. The patch added the size validation check `lsize + 8 > size`, but it does not account for the `GST_ROUND_UP_2(lsize)` used in the actual offset calculation. When `lsize` is odd, the parser advances one more byte than was validated, causing an out-of-bounds read.

Affected products

gstreamer
gstreamer1
mingw-gstreamer1

Matching in nixpkgs

Ignored packages (8)

Package maintainers

Advisory: https://gstreamer.freedesktop.org/security/sa-2026-0001.html

NIXPKGS-2026-0741
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails Active Storage has possible Path Traversal in DiskService

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

activestorage
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87

NIXPKGS-2026-0745
published on 24 Mar 2026
updated 13 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

activestorage
  • < 7.2.3.1
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1

Matching in nixpkgs

Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg

NIXPKGS-2026-0692
published on 23 Mar 2026
CVE-2026-33550
CVSS score: 2.0 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 day, 14 hours ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
SOGo before 5.12.5 does not renew the OTP if a …

SOGo before 5.12.5 does not renew the OTP when a user disables and re-enables it, and the OTP it uses is too short (only 12 digits instead of the recommended 20).

Affected products

SOGo
  • < 5.12.5

Matching in nixpkgs

Package maintainers

Upstream patch: https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2