Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-2087
published 16 hours ago
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder
Permalink CVE-2026-14803
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    22 packages
    • perlPackages.MojoliciousPluginI18N
    • perlPackages.MojoliciousPluginMail
    • perl5Packages.MojoliciousPluginI18N
    • perl5Packages.MojoliciousPluginMail
    • perlPackages.MojoliciousPluginStatus
    • perlPackages.MojoliciousPluginSyslog
    • perl5Packages.MojoliciousPluginStatus
    • perl5Packages.MojoliciousPluginSyslog
    • perlPackages.MojoliciousPluginOpenAPI
    • perlPackages.MojoliciousPluginWebpack
    • perl5Packages.MojoliciousPluginOpenAPI
    • perl5Packages.MojoliciousPluginWebpack
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perlPackages.MojoliciousPluginAssetPack
    • perl5Packages.MojoliciousPluginAssetPack
    • perlPackages.MojoliciousPluginRenderFile
    • perl5Packages.MojoliciousPluginRenderFile
    • perlPackages.MojoliciousPluginTextExceptions
    • perl5Packages.MojoliciousPluginTextExceptions
    • perlPackages.MojoliciousPluginTemplateToolkit
    • perl5Packages.MojoliciousPluginTemplateToolkit
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder


Mojolicious
  • <9.47
NIXPKGS-2026-2086
published 16 hours ago
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle
Permalink CVE-2026-13705
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • gimagereader-qt
    • imager
    • usbimager
    • vcdimager
    • rpi-imager
    • gImageReader
    • gimagereader
    • gImageReader-qt
    • perlPackages.ImagerQRCode
    • perl5Packages.ImagerQRCode
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle


Imager
  • <1.032
NIXPKGS-2026-2085
published 16 hours ago
Gimp: gimp: stack buffer overflow in pnmscanner_gettoken()
Permalink CVE-2026-58380
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    18 packages
    • zigimports
    • gimpPlugins.gimp
    • gimpPlugins.gmic
    • gimp-with-plugins
    • gimp2Plugins.bimp
    • gimp2Plugins.gimp
    • gimp2Plugins.gmic
    • gimp2-with-plugins
    • gimp3-with-plugins
    • gimp2Plugins.fourier
    • gimp2Plugins.farbfeld
    • gimpPlugins.lightning
    • gimp2Plugins.lightning
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.texturize
    • gimp2Plugins.gimplensfun
    • gimpPlugins.resynthesizer
    • gimp2Plugins.waveletSharpen
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gimp: gimp: stack buffer overflow in pnmscanner_gettoken()


gimp
gimp:2.8/gimp
Fixed in 3.2.4, needs some backports/patching on stable.
NIXPKGS-2026-2084
published 16 hours ago
NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
Permalink CVE-2026-58203
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size


pydantic-settings
  • ==>= 2.12.0, < 2.14.2
NIXPKGS-2026-2083
published 16 hours ago
Gimp: gimp: denial of service via integer overflow in playstation tim loader
Permalink CVE-2026-59089
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    19 packages
    • zigimports
    • gimpPlugins.gimp
    • gimpPlugins.gmic
    • gimp-with-plugins
    • gimp2Plugins.bimp
    • gimp2Plugins.gimp
    • gimp2Plugins.gmic
    • gimp2-with-plugins
    • gimp3-with-plugins
    • gimp2Plugins.fourier
    • gimp2Plugins.farbfeld
    • gimpPlugins.lightning
    • gimp2Plugins.lightning
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.texturize
    • gimp2Plugins.gimplensfun
    • gimpPlugins.resynthesizer
    • gimp2Plugins.waveletSharpen
    • gimp2
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gimp: gimp: denial of service via integer overflow in playstation tim loader


gimp
NIXPKGS-2026-2082
published 16 hours ago
GPAC Media File write_nhml.c nhmldump_send_frame null pointer dereference
Permalink CVE-2026-14790
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package msgpack-c
  • @LeSuisse ignored
    4 references
  • @LeSuisse ignored
    31 packages
    • msgpack-cxx
    • msgpack-tools
    • rubyPackages.msgpack
    • phpExtensions.msgpack
    • haskellPackages.msgpack
    • perlPackages.MsgPackRaw
    • php82Extensions.msgpack
    • php83Extensions.msgpack
    • php84Extensions.msgpack
    • php85Extensions.msgpack
    • luaPackages.lua-cmsgpack
    • perl5Packages.MsgPackRaw
    • rubyPackages_3_3.msgpack
    • rubyPackages_3_4.msgpack
    • rubyPackages_4_0.msgpack
    • python313Packages.msgpack
    • python314Packages.msgpack
    • lua51Packages.lua-cmsgpack
    • lua52Packages.lua-cmsgpack
    • lua53Packages.lua-cmsgpack
    • lua54Packages.lua-cmsgpack
    • lua55Packages.lua-cmsgpack
    • python313Packages.ormsgpack
    • python314Packages.ormsgpack
    • haskellPackages.data-msgpack
    • python313Packages.msgpack-numpy
    • python314Packages.msgpack-numpy
    • haskellPackages.data-msgpack-types
    • python313Packages.u-msgpack-python
    • python314Packages.u-msgpack-python
    • chickenPackages_5.chickenEggs.msgpack
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GPAC Media File write_nhml.c nhmldump_send_frame null pointer dereference


GPAC
  • ==26.02.0
NIXPKGS-2026-2081
published 16 hours ago
GPAC TeXML File load_text.c txtin_probe_duration divide by zero
Permalink CVE-2026-14801
4.8 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): Not Defined (X)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 references
  • @LeSuisse ignored
    33 packages
    • gpac-unstable
    • msgpack-cxx
    • msgpack-c
    • msgpack-tools
    • rubyPackages.msgpack
    • phpExtensions.msgpack
    • haskellPackages.msgpack
    • perlPackages.MsgPackRaw
    • php82Extensions.msgpack
    • php83Extensions.msgpack
    • php84Extensions.msgpack
    • php85Extensions.msgpack
    • luaPackages.lua-cmsgpack
    • perl5Packages.MsgPackRaw
    • rubyPackages_3_3.msgpack
    • rubyPackages_3_4.msgpack
    • rubyPackages_4_0.msgpack
    • python313Packages.msgpack
    • python314Packages.msgpack
    • lua51Packages.lua-cmsgpack
    • lua52Packages.lua-cmsgpack
    • lua53Packages.lua-cmsgpack
    • lua54Packages.lua-cmsgpack
    • lua55Packages.lua-cmsgpack
    • python313Packages.ormsgpack
    • python314Packages.ormsgpack
    • haskellPackages.data-msgpack
    • python313Packages.msgpack-numpy
    • python314Packages.msgpack-numpy
    • haskellPackages.data-msgpack-types
    • python313Packages.u-msgpack-python
    • python314Packages.u-msgpack-python
    • chickenPackages_5.chickenEggs.msgpack
  • @LeSuisse restored package gpac-unstable
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GPAC TeXML File load_text.c txtin_probe_duration divide by zero


GPAC
  • ==26.03-DEV-rev342-g80071f700-master
NIXPKGS-2026-2080
published 16 hours ago
pnpm: security issues < 10.34.4, < 11.7.0
Permalink CVE-2026-59196
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

pnpm: hoisted install imports lockfile alias outside node_modules


pnpm
  • ==>= 11.0.0, < 11.7.0
  • ==< 10.34.4
Permalink CVE-2026-59195
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config


pnpm
  • ==>= 11.0.0, < 11.8.0
  • ==< 10.34.4
Permalink CVE-2026-59194
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmConfigHook
    • pnpmBuildHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

pnpm: patch-remove could delete project-selected files outside the patches directory


pnpm
  • ==>= 11.0.0, < 11.7.0
  • ==< 10.34.4
NIXPKGS-2026-2079
published 16 hours ago
openvpn: CVE-2026-13122 and CVE-2026-13698 (security issues < 2.6.20)
Permalink CVE-2026-13122
5.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • openvpn3
    • openvpn-auth-ldap
    • namespaced-openvpn
    • openvpn_learnaddress
    • networkmanager-openvpn
    • nagiosPlugins.check_openvpn
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

OpenVPN version 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows …


OpenVPN
  • =<2.6.20
  • =<2.7.4
Permalink CVE-2026-13698
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • openvpn-auth-ldap
    • openvpn3
    • namespaced-openvpn
    • openvpn_learnaddress
    • networkmanager-openvpn
    • nagiosPlugins.check_openvpn
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 …


OpenVPN
  • =<2.5.11
  • =<2.6.20
  • =<2.7.4
NIXPKGS-2026-2078
published 16 hours ago
radare2: security issues < 6.1.8
Permalink CVE-2026-14788
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log

radareorg radare2 cfile.c r_core_bin_load use after free


radare2
  • ==6.1.6
  • ==6.1.4
  • ==6.1.2
  • ==6.1.3
  • ==6.1.1
  • ==6.1.5
  • ==6.1.0
Patch: https://github.com/radareorg/radare2/commit/635ab1eeb30340c26076722a90cb91fb2272130b
Permalink CVE-2026-14787
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log

radareorg radare2 pb Print cmd_print.inc cmd_print integer overflow


radare2
  • ==6.1.6
  • ==6.1.4
  • ==6.1.2
  • ==6.1.3
  • ==6.1.1
  • ==6.1.5
  • ==6.1.0
Fixed in 6.1.8.
Patch: https://github.com/radareorg/radare2/commit/2b6265476c75567006b0fcbb749f4ae7b189c5df
Permalink CVE-2026-14789
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log

radareorg radare2 Memory64ListStream mdmp.c stack-based overflow


radare2
  • ==6.1.6
  • ==6.1.4
  • ==6.1.2
  • ==6.1.3
  • ==6.1.1
  • ==6.1.5
  • ==6.1.0
Patch: https://github.com/radareorg/radare2/commit/175d4addb68981331c85b10681c2161c38fb5762
Permalink CVE-2026-14786
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log

radareorg radare2 str.c r_str_word_get0set integer overflow


radare2
  • ==6.1.6
  • ==6.1.4
  • ==6.1.2
  • ==6.1.3
  • ==6.1.1
  • ==6.1.5
  • ==6.1.0
Fixed in 6.1.8