Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-2034
published 5 hours ago
Claude Code: Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execution
Permalink CVE-2026-55607
7.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse ignored
    6 packages
    • claude-code-acp
    • claude-code-router
    • gnomeExtensions.claude-code-usage
    • gnomeExtensions.claude-code-switcher
    • vscode-extensions.anthropic.claude-code
    • gnomeExtensions.claude-code-usage-indicator
    5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

Claude Code: Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execution

claude-code
  • ==>= 2.1.38, < 2.1.163 
Needs backports to stable
NIXPKGS-2026-2033
published 5 hours ago
P11-kit: stack exhaustion via unbounded recursion in rpc attribute parsing
Permalink CVE-2026-13757
6.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

P11-kit: stack exhaustion via unbounded recursion in rpc attribute parsing

rhcos
p11-kit
NIXPKGS-2026-2032
published 5 hours ago
nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length
Permalink CVE-2026-58055
6.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse ignored
    2 packages
    • libnghttp2_asio
    • libnghttp2
    5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length

nghttp2
  • =<1.69.0
NIXPKGS-2026-2031
published 5 hours ago
RustDesk - FileTransfer Session Authorization Scope Bypass
Permalink CVE-2026-58056
7.2 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse ignored
    2 packages
    • rustdesk-server
    • rustdesk-flutter
    5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

RustDesk - FileTransfer Session Authorization Scope Bypass

RustDesk
  • =<ff226f6d8013dee2de5a6553abaf67bf32b3e875
NIXPKGS-2026-2030
published 5 hours ago
Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API
Permalink CVE-2026-56783
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse ignored reference https://w… 5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API

Ignored references (1)
parseable
  • ==2.9.2
  • <2.9.2
NIXPKGS-2026-2029
published 5 hours ago
LibreTranslate - IP Spoofing via X-Forwarded-For Header
Permalink CVE-2026-57942
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

LibreTranslate - IP Spoofing via X-Forwarded-For Header

LibreTranslate
  • =<1.9.7
  • ==397fd224080515d4001a1bc60c8fed53e3c56b6f
NIXPKGS-2026-2028
published 5 hours ago
CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away
Permalink CVE-2026-13593
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away

CSS-Minifier-XS
  • <0.14
NIXPKGS-2026-2027
published 5 hours ago
Yelp: yelp-xsl: overly permissive content security policy in yelp allows host file disclosure from flatpak applications
Permalink CVE-2026-13601
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse ignored
    2 packages
    • yelp
    • yelp-tools
    5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

Yelp: yelp-xsl: overly permissive content security policy in yelp allows host file disclosure from flatpak applications

yelp
NIXPKGS-2026-2026
published 5 hours ago
Stack-Based Buffer Overflow in libxml2
Permalink CVE-2026-11979
1.8 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse ignored
    9 packages
    • libxml2Python
    • sbclPackages.cl-libxml2
    • perlPackages.AlienLibxml2
    • python312Packages.libxml2
    • python313Packages.libxml2
    • python314Packages.libxml2
    • perl5Packages.AlienLibxml2
    • perl538Packages.AlienLibxml2
    • perl540Packages.AlienLibxml2
    5 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

Stack-Based Buffer Overflow in libxml2

libxml2
  • =<2.15.3
NIXPKGS-2026-2025
published 5 hours ago
Spice-vdagent: path traversal in file transfer via unsanitized filename
Permalink CVE-2026-57966
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 13 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago

Spice-vdagent: path traversal in file transfer via unsanitized filename

spice-vdagent
mingw-spice-vdagent