Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0906
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse deleted maintainer @talyz
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint


discourse
  • >= 2026.3.0-latest, < 2026.3.0
  • >= 2026.1.0-latest, < 2026.1.3
  • >= 2026.2.0-latest, < 2026.2.2
Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v
NIXPKGS-2026-0907
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    14 packages
    • python312Packages.django-cryptography
    • python313Packages.django-cryptography
    • python314Packages.django-cryptography
    • python312Packages.mypy-boto3-payment-cryptography
    • python313Packages.mypy-boto3-payment-cryptography
    • python314Packages.mypy-boto3-payment-cryptography
    • python312Packages.mypy-boto3-payment-cryptography-data
    • python313Packages.mypy-boto3-payment-cryptography-data
    • python314Packages.mypy-boto3-payment-cryptography-data
    • python312Packages.types-aiobotocore-payment-cryptography
    • python313Packages.types-aiobotocore-payment-cryptography
    • python312Packages.types-aiobotocore-payment-cryptography-data
    • python314Packages.cryptography
    • python313Packages.types-aiobotocore-payment-cryptography-data
  • @LeSuisse restored package python314Packages.cryptography
  • @LeSuisse deleted
    2 maintainers
    • @SuperSandro2000
    • @mdaniels5757
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

cryptography has incomplete DNS name constraint enforcement on peer names


cryptography
  • < 46.0.6
Advisory: https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43
NIXPKGS-2026-0908
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port


nhost
  • < 1.41.0
Advisory: https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2
Patch: https://github.com/nhost/nhost/commit/15eae9285f9dce63e184b9bb24616474ffa5ccc9
NIXPKGS-2026-0909
published 2 months, 3 weeks ago
CVE-2026-32716
8.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:H/MA:N
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking


scitokens
  • < 1.9.6
Advisory: https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh
Patch: https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583
NIXPKGS-2026-0910
published 2 months, 3 weeks ago
CVE-2026-32714
9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SciTokens vulnerable to SQL Injection in KeyCache


scitokens
  • < 1.9.6
Advisory: https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c
Patch: https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2
NIXPKGS-2026-0911
published 2 months, 3 weeks ago
CVE-2026-34214
7.7 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:N/MA:N
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • python312Packages.trino-python-client
    • python313Packages.trino-python-client
    • python314Packages.trino-python-client
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON


trino
  • >= 439, < 480
Advisory: https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644
NIXPKGS-2026-0912
published 2 months, 3 weeks ago
CVE-2026-5235
5.3 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R/MAV:L/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:L/MA:L
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow


Bento4
  • 1.6.0-641
Unpatched
Upstream issue: https://github.com/axiomatic-systems/Bento4/issues/1058
NIXPKGS-2026-0913
published 2 months, 3 weeks ago
CVE-2026-32727
8.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:H/MA:N
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SciTokens: Authorization Bypass via Path Traversal in Scope Validation


scitokens
  • < 1.9.7
Advisory: https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw
Patch: https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9
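NIXPKGS-2026-0909 and NIXPKGS-2026-0913 above both concern path-based scope checks in SciTokens: one an incorrect prefix check, the other path traversal inside scope validation. The linked advisories describe the actual defects; this page does not, and the code below is not SciTokens' code or its fix. It is an added, generic Python illustration of that bug class: a naive string-prefix check placed beside a segment-wise check on a normalized path. Scopes are written in the SciTokens `action:/path` form; treating a scope with no path part as `/` is an assumption of this example, as are the sample scopes and paths, which are constructed.

```python
import posixpath

# Constructed sample token scopes in SciTokens "authz:path" form (not from any advisory).
SCOPES = ["read:/data/project", "write:/scratch"]


def naive_permits(scopes, action, requested):
    """The weak pattern: a plain string-prefix check on the raw request path.

    It accepts "/data/project2" for a "/data/project" scope because the
    comparison ignores segment boundaries, and it lets "../" sequences
    through because nothing is normalized before comparing.
    """
    for scope in scopes:
        authz, _, base = scope.partition(":")
        if authz == action and requested.startswith(base):
            return True
    return False


def _segments(path):
    """Normalize an absolute path and return its non-empty components.

    posixpath.normpath collapses ".", ".." and repeated "/"; for an absolute
    path it cannot climb above "/", so "/a/b/../../etc" becomes "/etc"
    rather than escaping the tree. Relative and NUL-containing paths are
    rejected outright instead of being guessed at.
    """
    if not path.startswith("/") or "\x00" in path:
        raise ValueError("paths must be absolute and NUL-free: %r" % path)
    return [seg for seg in posixpath.normpath(path).split("/") if seg]


def hardened_permits(scopes, action, requested):
    """Segment-wise check: the action must match exactly and the scope path
    must be a whole-segment prefix of the normalized requested path."""
    want = _segments(requested)
    for scope in scopes:
        authz, sep, base = scope.partition(":")
        if authz != action:
            continue
        # Assumption of this example: a scope with no path part covers "/".
        allowed = _segments(base if sep else "/")
        if want[: len(allowed)] == allowed:
            return True
    return False


def compare(action, requested, scopes=SCOPES):
    """Return the (naive, hardened) decisions for one request, side by side."""
    return (naive_permits(scopes, action, requested),
            hardened_permits(scopes, action, requested))


if __name__ == "__main__":
    for action, path in [
        ("read", "/data/project/file.txt"),          # legitimate
        ("read", "/data/project2/file.txt"),         # sibling directory
        ("read", "/data/project/../../etc/passwd"),  # traversal
        ("read", "/data//project/./file.txt"),       # legitimate, un-normalized
        ("write", "/data/project/file.txt"),         # wrong action
    ]:
        print("%-5s %-36s naive=%s hardened=%s" % ((action, path) + compare(action, path)))
```

The two decisions diverge in both directions: the naive check grants the sibling directory and the traversal, and it denies a legitimate but un-normalized path that the segment-wise check correctly accepts. Normalizing first and then comparing whole segments is what closes both the prefix and the traversal gap at once.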
NIXPKGS-2026-0914
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package vscode-extensions.shopify.ruby-lsp
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Ruby LSP has arbitrary code execution through branch setting


ruby-lsp
  • < 0.26.9
Shopify.ruby-lsp
  • < 0.10.2
Advisory: https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93
NIXPKGS-2026-0915
published 2 months, 3 weeks ago
CVE-2026-5190
7.5 HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:U/MC:H/MI:H/MA:H
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

AWS C Event Stream Streaming Decoder Stack Buffer Overflow


aws-c-event-stream
  • 0.6.0
Advisory: https://github.com/awslabs/aws-c-event-stream/security/advisories/GHSA-xvjw-fjq5-68hf