Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0976
published 2 months, 2 weeks ago
Permalink CVE-2026-35592
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    5 packages
    • python312Packages.pyloadapi
    • python313Packages.pyloadapi
    • python314Packages.pyloadapi
    • home-assistant-component-tests.pyload
    • tests.home-assistant-component-tests.pyload
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass

pyload
  • ==< 0.5.0b3.dev97
NIXPKGS-2026-0975
published 2 months, 2 weeks ago
Permalink CVE-2026-35585
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    4 packages
    • filebrowser-quantum
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

File Browser has a Command Injection via Hook Runner

filebrowser
  • ==>= 2.0.0-rc.1, <= 2.63.1
NIXPKGS-2026-0974
published 2 months, 2 weeks ago
Permalink CVE-2026-35176
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

openFPGALoader has a heap buffer overflow in POFParser::parseSection() via crafted .pof file

openFPGALoader
  • ==<= 1.1.1
NIXPKGS-2026-0973
published 2 months, 2 weeks ago
Permalink CVE-2026-34444
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr

lupa
  • ==<= 2.6
NIXPKGS-2026-0972
published 2 months, 2 weeks ago
Permalink CVE-2026-35471
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs

goshs
  • ==< 2.0.0-beta.3
NIXPKGS-2026-0971
published 2 months, 2 weeks ago
Permalink CVE-2026-35044
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation

BentoML
  • ==< 1.4.38
NIXPKGS-2026-0970
published 2 months, 2 weeks ago
Permalink CVE-2026-35170
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

openFPGALoader has a heap buffer overflow in BitParser::parseHeader() via crafted .bit file

openFPGALoader
  • ==<= 1.1.1
NIXPKGS-2026-0969
published 2 months, 2 weeks ago
Permalink CVE-2026-34380
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    3 packages
    • openexrid-unstable
    • haskellPackages.openexr-write
    • openexr_2
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

OpenEXR has a signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression

openexr
  • ==>= 3.2.0, < 3.2.7
  • ==>= 3.4.0, < 3.4.9
  • ==>= 3.3.0, < 3.3.9
NIXPKGS-2026-0968
published 2 months, 2 weeks ago
Permalink CVE-2026-33866
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.sagemaker-mlflow
    • python313Packages.sagemaker-mlflow
    • python314Packages.sagemaker-mlflow
    • pkgsRocm.python3Packages.sagemaker-mlflow
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Authorization Bypass in MLflow AJAX Endpoint

mlflow
  • =<3.10.1
NIXPKGS-2026-0967
published 2 months, 2 weeks ago
Permalink CVE-2026-35586
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    5 packages
    • python312Packages.pyloadapi
    • python313Packages.pyloadapi
    • python314Packages.pyloadapi
    • home-assistant-component-tests.pyload
    • tests.home-assistant-component-tests.pyload
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng

pyload
  • ==< 0.5.0b3.dev97