Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0966
published 2 months, 2 weeks ago
CVE-2026-35523
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • strawberry
    • strawberry-qt6
    • python312Packages.strawberry-django
    • python313Packages.strawberry-django
    • pkgsRocm.python3Packages.strawberry-django
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol

strawberry
  • < 0.312.3
NIXPKGS-2026-0965
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • filebrowser-quantum
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

File Browser has an access rule bypass via HasPrefix without trailing separator in path matching

filebrowser
  • < 2.63.1
NIXPKGS-2026-0964
published 2 months, 2 weeks ago
CVE-2026-34976
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • coqPackages.dpdgraph
    • perlPackages.GDGraph
    • perl5Packages.GDGraph
    • perl538Packages.GDGraph
    • perl540Packages.GDGraph
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Dgraph Affected by Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization

dgraph
  • < 25.3.1
NIXPKGS-2026-0963
published 2 months, 2 weeks ago
CVE-2026-34371
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse deleted maintainer @niklaskorz
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal

LibreChat
  • < 0.8.4
NIXPKGS-2026-0962
published 2 months, 2 weeks ago
CVE-2026-35533
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • haskellPackages.promises
    • python312Packages.promise
    • python313Packages.promise
    • python314Packages.promise
    • ocamlPackages.promise_jsoo
    • python312Packages.heatmiserv3
    • python313Packages.heatmiserv3
    • python314Packages.heatmiserv3
    • haskellPackages.unsafe-promises
    • ocamlPackages_latest.promise_jsoo
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

mise has a local settings bypass of config trust checks

mise
  • >= 2026.2.18, <= 2026.4.5
NIXPKGS-2026-0961
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • botan2
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Botan has a certificate authentication bypass due to trust anchor confusion

botan
  • >= 3.11.0, < 3.11.1
NIXPKGS-2026-0960
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
    • botan2
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Botan has a TLS 1.3 certificate authentication bypass

botan
  • < 3.11.1
NIXPKGS-2026-0959
published 2 months, 2 weeks ago
CVE-2026-35046
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse deleted maintainer @jvanbruegge
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)

recipes
  • < 2.6.4
NIXPKGS-2026-0958
published 2 months, 2 weeks ago
CVE-2026-35045
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months ago by @ADMIN Activity log
  • Created suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse deleted maintainer @jvanbruegge
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
  • @LeSuisse accepted
  • @ADMIN published on GitHub

Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification

recipes
  • < 2.6.4
NIXPKGS-2026-0957
published 2 months, 2 weeks ago
CVE-2026-35489
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse deleted maintainer @jvanbruegge
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Tandoor Recipes — `amount`/`unit` bypass serializer in `food/{id}/shopping/`

recipes
  • < 2.6.4