Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0956
published 2 months, 2 weeks ago
CVE-2026-35488
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse deleted maintainer @jvanbruegge
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Tandoor Recipes — CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users


recipes
  • ==< 2.6.4
NIXPKGS-2026-0955
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • mpc-qt
    • flatpak-builder
    • flatpak-xdg-utils
    • libsForQt5.flatpak-kcm
    • kdePackages.flatpak-kcm
    • plasma5Packages.flatpak-kcm
    • haskellPackages.cabal-flatpak
  • @LeSuisse deleted maintainer @getchoo
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Flatpak affected by arbitrary file deletion on the host filesystem


flatpak
  • ==< 1.16.4
NIXPKGS-2026-0954
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • mpc-qt
    • flatpak-builder
    • flatpak-xdg-utils
    • libsForQt5.flatpak-kcm
    • kdePackages.flatpak-kcm
    • plasma5Packages.flatpak-kcm
    • haskellPackages.cabal-flatpak
  • @LeSuisse deleted maintainer @getchoo
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Flatpak has a complete sandbox escape leading to host file access and code execution in the host context


flatpak
  • ==< 1.16.4
NIXPKGS-2026-0953
published 2 months, 2 weeks ago
CVE-2026-39395
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse deleted
    3 maintainers
    • @06kellyjac
    • @developer-guy
    • @LeSuisse
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Cosign's verify-blob-attestation reports false positive when payload parsing fails


cosign
  • ==< 2.6.3
  • ==>= 3.0.0, < 3.0.6
NIXPKGS-2026-0952
published 2 months, 2 weeks ago
CVE-2026-3184
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    27 packages
    • more
    • wall
    • mount
    • eject
    • umount
    • logger
    • hexdump
    • libuuid
    • libsmartcols
    • unixtools.col
    • unixtools.fsck
    • unixtools.more
    • unixtools.wall
    • unixtools.eject
    • unixtools.fdisk
    • unixtools.mount
    • unixtools.write
    • unixtools.column
    • unixtools.getopt
    • unixtools.logger
    • unixtools.script
    • unixtools.umount
    • unixtools.hexdump
    • unixtools.whereis
    • util-linuxMinimal
    • uutils-util-linux
    • unixtools.util-linux
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Util-linux: util-linux: access control bypass due to improper hostname canonicalization

Ignored references (1)

rhcos
util-linux
Patch: https://github.com/util-linux/util-linux/commit/8b29aeb081e297e48c4c1ac53d88ae07e1331984
NIXPKGS-2026-0951
published 2 months, 2 weeks ago
CVE-2026-35549
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    24 packages
    • libmysqlclient
    • mariadb-galera
    • mariadb-embedded
    • libmysqlclient_3_1
    • libmysqlclient_3_2
    • libmysqlclient_3_3
    • mariadb-connector-c
    • ocamlPackages.mariadb
    • mariadb-connector-java
    • mariadb-connector-c_3_1
    • mariadb-connector-c_3_2
    • mariadb-connector-c_3_3
    • perlPackages.DBDMariaDB
    • unixODBCDrivers.mariadb
    • unixodbcDrivers.mariadb
    • perl5Packages.DBDMariaDB
    • python312Packages.mariadb
    • python313Packages.mariadb
    • python314Packages.mariadb
    • perl538Packages.DBDMariaDB
    • perl540Packages.DBDMariaDB
    • ocamlPackages_latest.mariadb
    • ocamlPackages.caqti-driver-mariadb
    • ocamlPackages_latest.caqti-driver-mariadb
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

An issue was discovered in MariaDB Server before 11.4.10, 11.5.x …


MariaDB
  • <12.2.2
  • <11.4.10
  • <11.8.6
NIXPKGS-2026-0950
published 2 months, 2 weeks ago
CVE-2026-35385
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • opensshTest
    • openssh-askpass
    • perlPackages.NetOpenSSH
    • perl5Packages.NetOpenSSH
    • lxqt.lxqt-openssh-askpass
    • perl538Packages.NetOpenSSH
    • perl540Packages.NetOpenSSH
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

In OpenSSH before 10.3, a file downloaded by scp may …


OpenSSH
  • <10.3
NIXPKGS-2026-0949
published 2 months, 2 weeks ago
CVE-2026-35387
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • openssh-askpass
    • opensshWithKerberos
    • perlPackages.NetOpenSSH
    • perl5Packages.NetOpenSSH
    • lxqt.lxqt-openssh-askpass
    • perl538Packages.NetOpenSSH
    • perl540Packages.NetOpenSSH
    • openssh_gssapi
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of …


OpenSSH
  • <10.3
NIXPKGS-2026-0948
published 2 months, 2 weeks ago
CVE-2026-35414
4.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • opensshTest
    • openssh-askpass
    • perlPackages.NetOpenSSH
    • perl5Packages.NetOpenSSH
    • lxqt.lxqt-openssh-askpass
    • perl538Packages.NetOpenSSH
    • perl540Packages.NetOpenSSH
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon …


OpenSSH
  • <10.3
NIXPKGS-2026-0947
published 2 months, 2 weeks ago
CVE-2026-35388
2.5 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • opensshTest
    • openssh-askpass
    • perlPackages.NetOpenSSH
    • perl5Packages.NetOpenSSH
    • lxqt.lxqt-openssh-askpass
    • perl538Packages.NetOpenSSH
    • perl540Packages.NetOpenSSH
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing …


OpenSSH
  • <10.3