Nixpkgs Security Tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0897
published on 1 Apr 2026
CVE-2026-32618
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse removed maintainer @talyz
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, chat channel membership could be inferred from the chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1)
https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3
NIXPKGS-2026-0900
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse removed maintainer @talyz
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1)
https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg
NIXPKGS-2026-0894
published on 1 Apr 2026
CVE-2026-32951
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Authorization bypass in oneboxer via user-controlled category id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a category_id parameter matching the shared drafts category. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

https://github.com/discourse/discourse/security/advisories/GHSA-v93g-8f4f-4rgm
NIXPKGS-2026-0896
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse removed maintainer @talyz
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic (e.g., removed from a private category group) could still interact with polls in that topic, including voting and toggling poll status. No content was exposed, but users could modify poll state in topics they should no longer have access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1)
https://github.com/discourse/discourse/security/advisories/GHSA-wq58-pvf6-w4p8
NIXPKGS-2026-0898
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse removed maintainer @talyz
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
discourse-subscriptions plugin leaking Stripe API key in multisite environment

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks Stripe API keys across sites in a multisite cluster, so Stripe-related information could be exposed between sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1)
https://github.com/discourse/discourse/security/advisories/GHSA-f866-8fcp-fgvv
NIXPKGS-2026-0899
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Stored XSS via unescaped assignee name

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritize_full_name_in_ux site setting is enabled (defaults to false, requires console access to change), user and group display names are rendered without HTML escaping in several assignment-related UI paths. This allows users with assign permission to inject arbitrary HTML/JavaScript that executes in the browser of any user viewing an affected topic. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

https://github.com/discourse/discourse/security/advisories/GHSA-xg68-q7ff-6gqm
NIXPKGS-2026-0892
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Open redirect via `sso_destination_url` cookie in `enter`

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

https://github.com/discourse/discourse/security/advisories/GHSA-378j-ccw4-4fwh
NIXPKGS-2026-0893
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Category group moderators can perform actions on topics in restricted categories without read access

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

https://github.com/discourse/discourse/security/advisories/GHSA-pr9m-5hpq-wc57
NIXPKGS-2026-0895
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Admin-only report can be exported by moderators

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

https://github.com/discourse/discourse/security/advisories/GHSA-rhjf-mgqw-37wq
NIXPKGS-2026-0901
published on 1 Apr 2026
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse removed maintainer @talyz
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that come with a higher tier subscription. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.2.0-latest, < 2026.2.2

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Ignored maintainers (1)
https://github.com/discourse/discourse/security/advisories/GHSA-9vg5-mp49-xghh