Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1862
published 1 day ago
Permalink CVE-2026-10717
1.8 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): Low (L)
  • Safety (S): Negligible (N)
  • Automatable (AU): Yes (Y)
  • Recovery (R): Automatic (A)
  • Value Density (V): Diffuse (D)
  • Vulnerability Response Effort (RE): Low (L)
  • Provider Urgency (U): Clear (Clear)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Low (L)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

Open-Seachest/Seachest show SCSI Defect List Vulnerability

openSeaChest
  • =<25.05.3
  • ==26.03.0
NIXPKGS-2026-1861
published 1 day ago
Permalink CVE-2026-10718
4.6 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Safety (S): Negligible (N)
  • Automatable (AU): Yes (Y)
  • Recovery (R): User (U)
  • Value Density (V): Diffuse (D)
  • Vulnerability Response Effort (RE): Low (L)
  • Provider Urgency (U): Green (Green)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

Open Seachest/Seachest NVMe Trim (Deallocate) Vulnerability

openSeaChest
  • =<26.03.0
NIXPKGS-2026-1860
published 1 day ago
Permalink CVE-2026-10719
1.8 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): Low (L)
  • Safety (S): Negligible (N)
  • Automatable (AU): Yes (Y)
  • Recovery (R): Automatic (A)
  • Value Density (V): Diffuse (D)
  • Vulnerability Response Effort (RE): Low (L)
  • Provider Urgency (U): Clear (Clear)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Low (L)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

Open Seachest/Seachest NVMe show Format Descriptors Vulnerability

openSeaChest
  • =<25.05.3
NIXPKGS-2026-1859
published 1 day ago
Permalink CVE-2026-47201
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse ignored
    3 packages
    • authentik-outposts.ldap
    • authentik-outposts.proxy
    • authentik-outposts.radius
    1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user

authentik
  • ==< 2025.12.5
  • ==< 2026.2.3
  • ==< 2026.5.1
NIXPKGS-2026-1858
published 1 day ago
Permalink CVE-2026-45553
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse ignored
    3 packages
    • python312Packages.nicegui-highcharts
    • python314Packages.nicegui-highcharts
    • python313Packages.nicegui-highcharts
    1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

nicegui
  • ==< 3.12.0
NIXPKGS-2026-1857
published 1 day ago
Permalink CVE-2026-49448
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse ignored
    3 packages
    • authentik-outposts.ldap
    • authentik-outposts.proxy
    • authentik-outposts.radius
    1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

authentik: SourceStage bypass via empty POST

authentik
  • ==< 2026.2.4
  • ==< 2025.12.6
  • ==< 2026.5.1
NIXPKGS-2026-1856
published 1 day ago
Permalink CVE-2026-41577
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse ignored
    3 packages
    • authentik-outposts.ldap
    • authentik-outposts.proxy
    • authentik-outposts.radius
    1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

authentik: SAML source does not validate Conditions, timing, or audience on assertions

authentik
  • ==< 2025.12.5
  • ==< 2026.2.3
NIXPKGS-2026-1855
published 1 day ago
Permalink CVE-2026-42849
9.3 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse ignored
    3 packages
    • authentik-outposts.ldap
    • authentik-outposts.proxy
    • authentik-outposts.radius
    1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

authentik
  • ==< 2025.12.5
  • ==< 2026.2.3
NIXPKGS-2026-1854
published 1 day ago
Permalink CVE-2026-32685
4.6 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse ignored package vscode-extensions.gleam.gleam 1 day ago
  • @LeSuisse ignored reference https://o… 1 day ago
  • @LeSuisse ignored
    5 packages
    • python314Packages.tree-sitter-grammars.tree-sitter-gleam
    • python313Packages.tree-sitter-grammars.tree-sitter-gleam
    • python312Packages.tree-sitter-grammars.tree-sitter-gleam
    • vimPlugins.nvim-treesitter-parsers.gleam
    • tree-sitter-grammars.tree-sitter-gleam
    1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write

gleam
  • <1.17.0
gleam-lang/gleam
  • <v1.17.0-node
  • <v1.17.0-erlang-slim
  • <1.17.0
  • <v1.17.0-node-alpine
  • <v1.17.0-elixir
  • <81570611906b6b0039c948037094d09a68700f3a
  • <v1.17.0-scratch
  • <v1.17.0-erlang
  • <v1.17.0-node-slim
  • <v1.17.0-elixir-alpine
  • <v1.17.0-elixir-slim
  • <v1.17.0-erlang-alpine
NIXPKGS-2026-1853
published 1 day ago
Permalink CVE-2026-42795
5.1 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 day ago by @LeSuisse Activity log
  • Created suggestion 1 day, 3 hours ago
  • @LeSuisse ignored
    6 packages
    • vscode-extensions.gleam.gleam
    • tree-sitter-grammars.tree-sitter-gleam
    • vimPlugins.nvim-treesitter-parsers.gleam
    • python312Packages.tree-sitter-grammars.tree-sitter-gleam
    • python313Packages.tree-sitter-grammars.tree-sitter-gleam
    • python314Packages.tree-sitter-grammars.tree-sitter-gleam
    1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago

Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root

gleam
  • <1.17.0
gleam-lang/gleam
  • <v1.17.0-node
  • <v1.17.0-erlang-slim
  • <6435a5528b9ae0449e2f32be579641ec485f6866
  • <1.17.0
  • <v1.17.0-node-alpine
  • <v1.17.0-elixir
  • <v1.17.0-scratch
  • <v1.17.0-erlang
  • <v1.17.0-node-slim
  • <v1.17.0-elixir-alpine
  • <v1.17.0-elixir-slim
  • <v1.17.0-erlang-alpine