Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1255
published on
Permalink CVE-2026-40517
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored reference https://w… 12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
radare2 < 6.1.4 Command Injection via PDB Parser Symbol Names

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.

Affected products

radare2
  • <6.1.4

Matching in nixpkgs

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

Package maintainers

NIXPKGS-2026-1254
published on
Permalink CVE-2026-33609
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
LDAP DN injection

Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.

Affected products

pdns
  • <5.0.4
  • <4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

Ignored packages (5)

pkgs.pdnsgrep

Search tool for PowerDNS logs

Package maintainers

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1252
published on
Permalink CVE-2026-33611
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
Insufficient validation of HTTPS and SVCB records

An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.

Affected products

pdns
  • <5.0.4
  • <4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

Ignored packages (5)

pkgs.pdnsgrep

Search tool for PowerDNS logs

Package maintainers

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1251
published on
Permalink CVE-2026-33260
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored
    7 packages
    • rotp
    • pdnsd
    • dnsdist
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse restored
    2 packages
    • dnsdist
    • pdns-recursor
    12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

Affected products

pdns
  • <5.0.4
  • <4.9.14
dnsdist
  • <1.9.13
  • <2.0.4
pdns-recursor
  • <5.3.6
  • <5.4.1
  • <5.2.9

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

Ignored packages (5)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-25.11 1.04
    • nixos-25.11-small 1.04
    • nixpkgs-25.11-darwin 1.04

pkgs.pdnsgrep

Search tool for PowerDNS logs

Package maintainers

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1253
published on
Permalink CVE-2026-33608
7.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse ignored reference https://d… 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
Incomplete domain name sanitization during

An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.

Affected products

pdns
  • <5.0.4
  • <4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

Ignored packages (5)

pkgs.pdnsgrep

Search tool for PowerDNS logs

Package maintainers

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1250
published on
Permalink CVE-2026-33257
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored package rotp 12 hours ago
  • @LeSuisse ignored reference https://d… 12 hours ago
  • @LeSuisse ignored
    4 packages
    • pdnsgrep
    • pdnsd
    • tests.home-assistant-components.namecheapdns
    • home-assistant-component-tests.namecheapdns
    12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

Affected products

pdns
  • <5.0.4
  • <4.9.14
dnsdist
  • <1.9.13
  • <2.0.4
pdns-recursor
  • <5.3.6
  • <5.4.1
  • <5.2.9

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

Ignored packages (5)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-25.11 1.04
    • nixos-25.11-small 1.04
    • nixpkgs-25.11-darwin 1.04

pkgs.pdnsgrep

Search tool for PowerDNS logs

Package maintainers

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1249
published on
Permalink CVE-2026-33610
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 17 hours ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    12 hours ago
  • @LeSuisse ignored reference https://d… 12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
Possible file descriptor exhaustion in forward-dnsupdate

A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.

Affected products

pdns
  • <5.0.4
  • <4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

Ignored packages (5)

pkgs.pdnsgrep

Search tool for PowerDNS logs

Package maintainers

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1248
published on
Permalink CVE-2026-41313
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored package capypdf 12 hours ago
  • @LeSuisse ignored reference https://g… 12 hours ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.pypdf2
    • python312Packages.pypdf3
    • python313Packages.pypdf2
    • python313Packages.pypdf3
    • python314Packages.pypdf2
    • python314Packages.pypdf3
    • python312Packages.pypdfium2
    • python314Packages.pypdfium2
    • python313Packages.pypdfium2
    12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
pypdf: Possible long runtimes for wrong size values in incremental mode

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.

Affected products

pypdf
  • ==< 6.10.2

Matching in nixpkgs

pkgs.python312Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

pkgs.python314Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

Ignored packages (10)

Package maintainers

NIXPKGS-2026-1247
published on
Permalink CVE-2026-33595
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
DoQ/DoH3 excessive memory allocation

A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.

Affected products

dnsdist
  • <1.9.13
  • <2.0.4

Matching in nixpkgs

Package maintainers

NIXPKGS-2026-1246
published on
Permalink CVE-2026-33261
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse ignored package rotp 12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 10 hours ago
Null pointer accces in aggressive NSEC(3) cache

A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.

Affected products

pdns-recursor
  • <5.3.6
  • <5.4.1
  • <5.2.9

Matching in nixpkgs

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-25.11 1.04
    • nixos-25.11-small 1.04
    • nixpkgs-25.11-darwin 1.04

Package maintainers