NIXPKGS-2026-1922

GitHub issue published 7 hours ago

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in …

Permalink CVE-2026-54411

6.9 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Exploit Maturity (E): POC (P)
• Automatable (AU): No (N)
• Value Density (V): Diffuse (D)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Recovery (R): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)

updated 7 hours ago by @LeSuisse Activity log

• Created suggestion 12 hours ago
• @LeSuisse ignored
  2 references

  • CWE-208: Observable Timing Discrepancy
  • Linux-PAM - upstream repository
  7 hours ago
• @LeSuisse accepted 7 hours ago
• @LeSuisse published on GitHub 7 hours ago

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in …

• Vulnerable plaintext-password comparison in pam_userdb.c (master) product
• pam_consttime_streq helper available for the remediation product

Ignored references (2)

• CWE-208: Observable Timing Discrepancy technical-description
• Linux-PAM - upstream repository product

---

Linux-PAM

• =<1.7.2

NIXPKGS-2026-1921

GitHub issue published 7 hours ago

Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle

Permalink CVE-2026-11527

updated 7 hours ago by @LeSuisse Activity log

• Created suggestion 12 hours ago
• @LeSuisse accepted 7 hours ago
• @LeSuisse published on GitHub 7 hours ago

Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle

• https://github.com/shlomif/perl-Config-IniFiles/commit/3e48f9627fbba4dae5de35be… patch
• https://metacpan.org/release/SHLOMIF/Config-IniFiles-3.001000/changes release-notes
• http://www.openwall.com/lists/oss-security/2026/06/14/5

---

Config-IniFiles

• <3.001000

NIXPKGS-2026-1920

GitHub issue published 2 days, 6 hours ago

Nezha: security issues < 2.2.0

Permalink CVE-2026-53523

6.8 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): None (N)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  4 packages

  • nezha-agent
  • nezha-theme-user
  • nezha-theme-admin
  • nezha-theme-nazhua
  2 days, 7 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection

• https://github.com/nezhahq/nezha/security/advisories/GHSA-9rc6-8cjv-rcvx x_refsource_CONFIRM

---

nezha

• ==>= 1.0.0, < 2.2.0

Permalink CVE-2026-53520

6.5 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): None (N)
• Integrity (I): None (N)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): High (H)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  4 packages

  • nezha-agent
  • nezha-theme-user
  • nezha-theme-admin
  • nezha-theme-nazhua
  2 days, 7 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing

• https://github.com/nezhahq/nezha/security/advisories/GHSA-x6fg-52vr-hj4w x_refsource_CONFIRM

---

nezha

• ==>= 2.0.14, < 2.1.0

Permalink CVE-2026-53522

6.5 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): None (N)
• Integrity (I): None (N)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): High (H)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  4 packages

  • nezha-agent
  • nezha-theme-user
  • nezha-theme-admin
  • nezha-theme-nazhua
  2 days, 6 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

• https://github.com/nezhahq/nezha/security/advisories/GHSA-jg62-j5h6-8mpq x_refsource_CONFIRM

---

nezha

• ==>= 1.0.0, < 2.2.0

NIXPKGS-2026-1919

GitHub issue published 2 days, 6 hours ago

ChromaDB: security issues

Permalink CVE-2026-45831

8.8 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): High (H)
• Subsequent System Impact Integrity (SI): High (H)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): High (H)
• Modified Subsequent System Impact Integrity (MSI): High (H)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of …

• https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-3

---

chromadb

• =<*

Permalink CVE-2026-45830

8.8 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): High (H)
• Subsequent System Impact Integrity (SI): High (H)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): High (H)
• Modified Subsequent System Impact Integrity (MSI): High (H)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

A lack of authorization validation in version 0.4.17 or later …

• https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb

---

chromadb

• =<*

Permalink CVE-2026-45833

9.4 CRITICAL

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): High (H)
• Subsequent System Impact Integrity (SI): High (H)
• Subsequent System Impact Availability (SA): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): High (H)
• Modified Subsequent System Impact Integrity (MSI): High (H)
• Modified Subsequent System Impact Availability (MSA): High (H)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

A code injection vulnerability in version 0.4.17 or later of …

• https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-5 exploit

---

chromadb

• =<*

Permalink CVE-2026-45832

8.8 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): High (H)
• Subsequent System Impact Integrity (SI): High (H)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): High (H)
• Modified Subsequent System Impact Integrity (MSI): High (H)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

All V1 collection-level endpoints in ChromaDB's Python project pass None …

• https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4

---

chromadb

• =<*

Permalink CVE-2026-8828

8.8 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): High (H)
• Subsequent System Impact Integrity (SI): High (H)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): High (H)
• Modified Subsequent System Impact Integrity (MSI): High (H)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

A lack of authorization validation in version 1.0.0 or later …

• https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-2

---

chromadb

• =<*

NIXPKGS-2026-1918

GitHub issue published 2 days, 6 hours ago

Perl Crypt::PBKDF2: cryptography weaknesses

Permalink CVE-2026-9641

5.3 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): Low (L)
• Integrity (I): None (N)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): None (N)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations

• https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.htm… technical-description
• https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes release-notes
• http://www.openwall.com/lists/oss-security/2026/06/12/5

---

Crypt-PBKDF2

• <0.261630

Permalink CVE-2026-9638

7.5 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): None (N)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): None (N)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts

• https://metacpan.org/dist/Crypt-PBKDF2/source/lib/Crypt/PBKDF2.pm#L86-93
• https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes release-notes
• http://www.openwall.com/lists/oss-security/2026/06/12/4

---

Crypt-PBKDF2

• <0.261630

Permalink CVE-2017-20240

5.9 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): None (N)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): None (N)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks

• https://github.com/arodland/Crypt-PBKDF2/pull/6 issue-tracking
• https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.161520/source/lib/Crypt/PB…
• https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes release-notes
• http://www.openwall.com/lists/oss-security/2026/06/12/3

---

Crypt-PBKDF2

• <0.261630

NIXPKGS-2026-1917

GitHub issue published 2 days, 6 hours ago

Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling

Permalink CVE-2026-48914

6.7 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): High (H)
• User Interaction (UI): None (N)
• Scope (S): Changed (C)
• Confidentiality (C): None (N)
• Integrity (I): Low (L)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): High (H)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Changed (C)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): High (H)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  16 packages

  • qemu
  • qemu_xen
  • qemu-user
  • qemu_full
  • qemu_test
  • qemu-utils
  • ubootQemuX86
  • ubootQemuX86_64
  • canokey-qemu
  • qemu-python-utils
  • armTrustedFirmwareQemu
  • python313Packages.qemu
  • python314Packages.qemu
  • python313Packages.qemu-qmp
  • python314Packages.qemu-qmp
  • ubootQemuAarch64
  2 days, 7 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling

• https://access.redhat.com/security/cve/CVE-2026-48914 x_refsource_REDHATvdb-entry
• RHBZ#2488283 x_refsource_REDHATissue-tracking
• https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com/

---

qemu

• =<11.0.1

rhcos

qemu-kvm

qemu-kvm-ma

NIXPKGS-2026-1916

GitHub issue published 2 days, 6 hours ago

Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

Permalink CVE-2026-11933

8.7 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  22 packages

  • mongodb-cli
  • mongodb-compass
  • mongodb-atlas-cli
  • phpExtensions.mongodb
  • haskellPackages.mongoDB
  • php82Extensions.mongodb
  • php83Extensions.mongodb
  • php85Extensions.mongodb
  • akkuPackages.r6rs-mongodb
  • prometheus-mongodb-exporter
  • haskellPackages.pipes-mongodb
  • graylogPlugins.mongodb-profiler
  • terraform-providers.mongodbatlas
  • python313Packages.langchain-mongodb
  • python314Packages.langchain-mongodb
  • terraform-providers.mongodb_mongodbatlas
  • vscode-extensions.mongodb.mongodb-vscode
  • python313Packages.langgraph-store-mongodb
  • python314Packages.langgraph-store-mongodb
  • python313Packages.langgraph-checkpoint-mongodb
  • python314Packages.langgraph-checkpoint-mongodb
  • php84Extensions.mongodb
  2 days, 7 hours ago
• @LeSuisse accepted 2 days, 7 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

• https://jira.mongodb.org/browse/SERVER-128125

---

MongoDB

• =<8.0.25
• =<8.2.10
• =<7.0.36
• =<6.0.28
• =<5.0.33
• =<4.4.30
• =<8.3.3

NIXPKGS-2026-1915

GitHub issue published 2 days, 6 hours ago

Heap double-free in AWS Common Runtime aws-c-http

Permalink CVE-2026-12043

8.7 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): Passive (P)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Passive (P)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Heap double-free in AWS Common Runtime aws-c-http

• https://github.com/awslabs/aws-c-http/releases/tag/v0.11.0 patch
• https://aws.amazon.com/security/security-bulletins/2026-043-aws/ vendor-advisory
• https://github.com/awslabs/aws-c-http/security/advisories/GHSA-rmjr-3qpm-vh98 third-party-advisory

---

aws-c-http

• =<0.10.15

NIXPKGS-2026-1914

GitHub issue published 2 days, 6 hours ago

Typesense: security issues < 29.1

Permalink CVE-2026-47225

6.0 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  2 packages

  • python313Packages.typesense
  • python314Packages.typesense
  2 days, 6 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Improper Search Cache Isolation for Scoped Search API Keys in Typesense

• https://github.com/typesense/typesense/security/advisories/GHSA-97x4-gm45-jpcw x_refsource_CONFIRM

---

typesense

• ==< 29.1
• ==>= 30.0, < 30.2

Permalink CVE-2026-47216

8.7 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  2 packages

  • python313Packages.typesense
  • python314Packages.typesense
  2 days, 6 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Typesense: Unauthenticated Denial of Service in the Typesense /multi_search Endpoint

• https://github.com/typesense/typesense/security/advisories/GHSA-fpx5-8c99-247j x_refsource_CONFIRM

---

typesense

• ==< 29.1
• ==>= 30.0, < 30.2

NIXPKGS-2026-1913

GitHub issue published 2 days, 6 hours ago

Kitty: arbitrary file write and command injection < 0.47.3

Permalink CVE-2026-54056

7.6 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): Low (L)
• User Interaction (UI): Required (R)
• Scope (S): Changed (C)
• Confidentiality (C): None (N)
• Integrity (I): High (H)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Changed (C)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): Low (L)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  9 packages

  • kittysay
  • kitty-img
  • kitty-themes
  • kittycad-kcl-lsp
  • mailman-hyperkitty
  • haskellPackages.discokitty
  • mailmanPackages.hyperkitty
  • mailmanPackages.mailman-hyperkitty
  • vimPlugins.nvim-treesitter-parsers.kitty
  2 days, 6 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Kitty has an arbitrary file overwrite via symlink following in `kitten dnd` remote drop staging

• https://github.com/kovidgoyal/kitty/security/advisories/GHSA-r892-cv7q-fw8x x_refsource_CONFIRM

---

kitty

• ==>= 0.47.0, < 0.47.2

Permalink CVE-2026-54055

5.0 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): Low (L)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): None (N)
• Integrity (I): High (H)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): Low (L)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  9 packages

  • kittysay
  • kitty-themes
  • kitty-img
  • kittycad-kcl-lsp
  • mailman-hyperkitty
  • haskellPackages.discokitty
  • mailmanPackages.hyperkitty
  • mailmanPackages.mailman-hyperkitty
  • vimPlugins.nvim-treesitter-parsers.kitty
  2 days, 6 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol

• https://github.com/kovidgoyal/kitty/security/advisories/GHSA-q446-x7q6-vcxh x_refsource_CONFIRM

---

kitty

• ==< 0.47.2

Permalink CVE-2026-54057

7.3 HIGH

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): None (N)
• User Interaction (UI): Passive (P)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Passive (P)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 days, 6 hours ago by @LeSuisse Activity log

• Created suggestion 2 days, 12 hours ago
• @LeSuisse ignored
  9 packages

  • kittysay
  • kitty-img
  • kitty-themes
  • kittycad-kcl-lsp
  • mailman-hyperkitty
  • haskellPackages.discokitty
  • mailmanPackages.hyperkitty
  • vimPlugins.nvim-treesitter-parsers.kitty
  • mailmanPackages.mailman-hyperkitty
  2 days, 6 hours ago
• @LeSuisse accepted 2 days, 6 hours ago
• @LeSuisse published on GitHub 2 days, 6 hours ago

Kitty vulnerable to command injection via unsanitized OSC 21 query reply

• https://github.com/kovidgoyal/kitty/security/advisories/GHSA-5gmr-9gwg-hhq6 x_refsource_CONFIRM

---

kitty

• ==< 0.47.3