Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1430
updated 30 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • incus-ui-canonical
    • terraform-providers.incus
    • terraform-providers.lxc_incus
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Incus nil-pointer dereference in storage bucket import allows denial of service

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.

Affected products

incus
  • ==< 7.0.0

Matching in nixpkgs

pkgs.incus

Powerful system container and virtual machine manager

Ignored packages (3)

Package maintainers

NIXPKGS-2026-1429
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rucio SQL Injection in FilterEngine Oracle JSON Path via DID Search API

A SQL injection vulnerability in `FilterEngine.create_sqla_query()` allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint (`GET /dids/<scope>/dids/search`). On Oracle deployments attacker-controlled filter keys and values are interpolated directly into `sqlalchemy.text()` via Python `.format()`, completely bypassing parameterization. This enables full database compromise including extraction of authentication tokens, password hashes, and all managed data identifiers. This affects versions 1.27.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1. The vulnerability exists in `lib/rucio/core/did_meta_plugins/filter_engine.py` within the `create_sqla_query()` method. When the database dialect is Oracle, filter expressions for JSON metadata columns are constructed using `text()` with Python string formatting. Both `key` and `value` are attacker-controlled strings derived from HTTP query parameters. The `text()` function creates a raw SQL fragment — it does **not** escape or parameterize its contents. Any authenticated Rucio user can exploit this through the DID search API to execute arbitrary SQL against the backend database. This can expose all managed data identifiers and sensitive tables such as identities, tokens, accounts, rse_settings, and rules, and may allow modification of database contents. The issue affects Oracle deployments using the default json_meta plugin and does not affect PostgreSQL or MySQL deployments using that plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.

Affected products

rucio
  • ==>= 38.6.0, < 39.4.2
  • ==>= 35.9.0, < 38.5.5
  • ==>= 1.27.0, < 35.8.5
  • ==>= 40.0.0, < 40.1.1

Matching in nixpkgs

Package maintainers

NIXPKGS-2026-1428
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored package incus-ui-canonical
  • @LeSuisse ignored reference https://g…
  • @LeSuisse ignored
    2 packages
    • terraform-providers.incus
    • terraform-providers.lxc_incus
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Incus out-of-bounds panic in snapshot metadata handling allows denial of service

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bounds panic vulnerability caused by an invalid bounds check when indexing snapshot metadata arrays, and the same flawed pattern also appears in the migration path. When iterating through physical snapshots provided in a backup archive, the loop uses the index to look up corresponding metadata in the parsed `Config.Snapshots` and `Config.VolumeSnapshots` slices. The guard condition `len(slice) >= i-1` is incorrect because it can still evaluate to true when the subsequent slice[i] access is out of bounds. An attacker can submit a backup archive that contains physical snapshot directories while supplying a tampered `index.yaml` with an empty or truncated snapshot metadata array, causing the daemon to index beyond the end of the metadata slice and crash. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.

Affected products

incus
  • ==< 7.0.0

Matching in nixpkgs

pkgs.incus

Powerful system container and virtual machine manager

Ignored packages (3)

Package maintainers

NIXPKGS-2026-1427
CVE-2026-5081
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 31 minutes ago by @LeSuisse
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.

Affected products

Apache-Session
  • =<1.94

Matching in nixpkgs

NIXPKGS-2026-1426
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    55 packages
    • zabbixctl
    • zabbix-cli
    • zabbix60.web
    • zabbix.agent
    • zabbix.web
    • zabbix.agent2
    • zabbix.server
    • zabbix60.agent
    • zabbix70.agent
    • zabbix72.agent
    • zabbix74.agent
    • zabbix60.agent2
    • zabbix60.server
    • zabbix70.agent2
    • zabbix70.server
    • zabbix72.agent2
    • zabbix72.proxy-pgsql
    • zabbix70.proxy-sqlite
    • zabbix70.server-mysql
    • zabbix70.server-pgsql
    • zabbix72.proxy-sqlite
    • zabbix72.server-mysql
    • zabbix72.server-pgsql
    • zabbix74.proxy-sqlite
    • zabbix74.server-mysql
    • zabbix74.server-pgsql
    • python312Packages.pyzabbix
    • python313Packages.pyzabbix
    • python314Packages.pyzabbix
    • python312Packages.py-zabbix
    • python313Packages.py-zabbix
    • python314Packages.py-zabbix
    • python312Packages.zabbix-utils
    • python313Packages.zabbix-utils
    • python314Packages.zabbix-utils
    • zabbix-agent2-plugin-postgresql
    • zabbix60.proxy-sqlite
    • zabbix60.server-mysql
    • zabbix60.server-pgsql
    • zabbix.proxy-sqlite
    • zabbix.server-mysql
    • zabbix.server-pgsql
    • zabbix60.proxy-mysql
    • zabbix60.proxy-pgsql
    • zabbix70.proxy-mysql
    • zabbix70.proxy-pgsql
    • zabbix72.proxy-mysql
    • zabbix74.proxy-mysql
    • zabbix74.proxy-pgsql
    • zabbix.proxy-mysql
    • zabbix74.server
    • zabbix72.server
    • zabbix74.agent2
    • zabbix.proxy-pgsql
    • zabbix74.web
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Stored XSS vulnerability in Host navigator widget maintenance tooltip

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user who opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.

Affected products

Zabbix
  • =<7.0.23
  • =<7.4.7

Matching in nixpkgs

pkgs.zabbix70.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix72.web

Enterprise-class open source distributed monitoring solution (web frontend)

Ignored packages (55)

pkgs.zabbix.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix60.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix74.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix72.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix74.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix74.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix74.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

Package maintainers

NIXPKGS-2026-1425
CVE-2026-44405
3.4 LOW
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • python313Packages.types-paramiko
    • python314Packages.types-paramiko
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 …

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Affected products

Paramiko
  • <a4489456b6f65281e172380cc4826cee5e851dbb

Matching in nixpkgs

Ignored packages (2)

Package maintainers

NIXPKGS-2026-1424
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • incus-ui-canonical
    • terraform-providers.incus
    • terraform-providers.lxc_incus
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Incus OVN TLS verification accepts peer-supplied roots and permits endpoint impersonation

Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and replace it with custom peer-certificate verification logic. That replacement verifier does not anchor trust in the configured CA certificate. Instead, it constructs the verification root set from certificates supplied by the peer during the handshake, so the configured CA is parsed but not used as the trust anchor for the final verification decision. In OVN-enabled deployments that use these SSL database connection paths, an attacker able to impersonate or intercept the OVN endpoint on the management network can present a rogue self-signed certificate chain, and Incus will accept this certificate as valid. This issue defeats the intended CA-based trust model for OVN database connections and permits endpoint impersonation by an active attacker in a suitable network position. This issue is fixed in version 7.0.0.

Affected products

incus
  • ==< 7.0.0

Matching in nixpkgs

pkgs.incus

Powerful system container and virtual machine manager

Ignored packages (3)

Package maintainers

NIXPKGS-2026-1423
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    29 packages
    • rednotebook
    • wolfram-notebook
    • python312Packages.notebook-shim
    • python313Packages.notebook-shim
    • python314Packages.notebook-shim
    • python312Packages.jupyterlab-vim
    • python312Packages.jupyterlab-lsp
    • python312Packages.jupyterlab-git
    • python313Packages.jupyterlab-git
    • python313Packages.jupyterlab-lsp
    • python313Packages.jupyterlab-vim
    • python314Packages.jupyterlab-git
    • python314Packages.jupyterlab-lsp
    • python314Packages.jupyterlab-vim
    • python312Packages.pytest-notebook
    • python313Packages.pytest-notebook
    • python314Packages.pytest-notebook
    • python312Packages.jupyterlab-server
    • python313Packages.jupyterlab-server
    • python314Packages.jupyterlab-server
    • python312Packages.jupyterlab-widgets
    • python313Packages.jupyterlab-widgets
    • python314Packages.jupyterlab-widgets
    • python312Packages.jupyterlab-pygments
    • python313Packages.jupyterlab-pygments
    • python314Packages.jupyterlab-pygments
    • python312Packages.jupyterlab-execute-time
    • python313Packages.jupyterlab-execute-time
    • python314Packages.jupyterlab-execute-time
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker

In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

Affected products

notebook
  • ==>=7.0.0, <= 7.5.5
jupyterlab
  • ==<= 4.5.6
help-extension
  • ==<=4.5.6
  • ==>=7.0.0,<= 7.5.5

Matching in nixpkgs

Ignored packages (29)

pkgs.rednotebook

Modern journal that includes a calendar navigation, customizable templates, export functionality and word clouds

  • nixos-unstable 2.42
    • nixpkgs-unstable 2.42
    • nixos-unstable-small 2.42
  • nixos-25.11 2.41
    • nixos-25.11-small 2.41
    • nixpkgs-25.11-darwin 2.41

pkgs.wolfram-notebook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

NIXPKGS-2026-1422
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    52 packages
    • zabbixctl
    • zabbix-cli
    • zabbix.agent
    • zabbix.agent2
    • zabbix.server
    • zabbix60.agent
    • zabbix70.agent
    • zabbix72.agent
    • zabbix74.agent
    • zabbix60.agent2
    • zabbix60.server
    • zabbix70.agent2
    • zabbix70.server
    • zabbix72.agent2
    • zabbix72.server
    • zabbix74.agent2
    • zabbix74.server
    • zabbix.proxy-mysql
    • zabbix.proxy-pgsql
    • zabbix.proxy-sqlite
    • zabbix.server-mysql
    • zabbix.server-pgsql
    • zabbix60.proxy-mysql
    • zabbix60.proxy-pgsql
    • zabbix70.proxy-mysql
    • zabbix70.proxy-pgsql
    • zabbix72.proxy-mysql
    • zabbix72.proxy-pgsql
    • zabbix74.proxy-mysql
    • zabbix74.proxy-pgsql
    • zabbix60.proxy-sqlite
    • zabbix60.server-mysql
    • zabbix60.server-pgsql
    • zabbix70.proxy-sqlite
    • zabbix70.server-mysql
    • zabbix70.server-pgsql
    • zabbix72.proxy-sqlite
    • zabbix72.server-mysql
    • zabbix72.server-pgsql
    • zabbix74.proxy-sqlite
    • zabbix74.server-mysql
    • zabbix74.server-pgsql
    • python312Packages.pyzabbix
    • python313Packages.pyzabbix
    • python314Packages.pyzabbix
    • python312Packages.py-zabbix
    • python313Packages.py-zabbix
    • python314Packages.py-zabbix
    • python312Packages.zabbix-utils
    • python313Packages.zabbix-utils
    • python314Packages.zabbix-utils
    • zabbix-agent2-plugin-postgresql
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Stored XSS vulnerability in the Item history/Plain text widget

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.

Affected products

Zabbix
  • =<7.0.23
  • =<7.4.7
  • =<6.0.44

Matching in nixpkgs

pkgs.zabbix.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix60.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix70.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix72.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix74.web

Enterprise-class open source distributed monitoring solution (web frontend)

Ignored packages (52)

pkgs.zabbix.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix72.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix74.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix74.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix74.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

Package maintainers

NIXPKGS-2026-1421
updated 31 minutes ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database

Summary

A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.

Affected products

rucio
  • ==>= 40.0.0, < 40.1.1
  • ==>= 1.30.0, < 35.8.5
  • ==>= 38.6.0, < 39.4.2
  • ==>= 35.9.0, < 38.5.5

Matching in nixpkgs

Package maintainers