Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0916
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • python312Packages.pymupdf
    • python313Packages.pymupdf
    • python314Packages.pymupdf
    • python312Packages.pymupdf4llm
    • mupdf-headless
    • python313Packages.pymupdf4llm
    • python314Packages.pymupdf4llm
    • zathuraPkgs.zathura_pdf_mupdf
    • python312Packages.pymupdf-fonts
    • python313Packages.pymupdf-fonts
    • python314Packages.pymupdf-fonts
  • @LeSuisse restored package mupdf-headless
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CVE-2026-3308


MuPDF
  • =<1.27.0
Patch: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85
NIXPKGS-2026-0917
published 2 months, 3 weeks ago
CVE-2026-32725
8.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SciTokens C++: Relative Path Traversal Vulnerability


scitokens-cpp
  • ==< 1.4.1
Advisory: https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp
Patch: https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08
NIXPKGS-2026-0918
published 2 months, 3 weeks ago
CVE-2026-34586
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

PdfDing: Shared PDF Expiration, Max Views, and Deletion Bypass via Serve/Download Endpoints


PdfDing
  • ==< 1.7.1
Upstream advisory: https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf
Patch: https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb
NIXPKGS-2026-0919
published 2 months, 3 weeks ago
CVE-2026-5236
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Axiomatic Bento4 DSI v1 Ap4Dac4Atom.cpp SkipBits heap-based overflow


Bento4
  • ==1.6.0-641
Upstream issue: https://github.com/axiomatic-systems/Bento4/issues/1059
Currently (2026-04-01) no patch available
NIXPKGS-2026-0920
published 2 months, 3 weeks ago
CVE-2026-34036
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php


dolibarr
  • ==<= 22.0.4
Advisory: https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r
Patch: https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a
NIXPKGS-2026-0921
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

RAUC: Improper Signing of Plain Bundles Exceeding 2 GiB


rauc
  • ==< 1.15.2
Upstream advisory: https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx
Patch: https://github.com/rauc/rauc/commit/4fb7c798d6ae412344fb8f8d310d773046af3441
NIXPKGS-2026-0922
published 2 months, 3 weeks ago
CVE-2026-32726
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SciTokens C++: Sibling-Path Authorization Bypass


scitokens-cpp
  • ==< 1.4.1
Advisory: https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq
Patch: https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73
NIXPKGS-2026-0923
published 2 months, 3 weeks ago
CVE-2026-34448
9.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client


siyuan
  • ==< 3.6.2
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rx4h-526q-4458
NIXPKGS-2026-0924
published 2 months, 3 weeks ago
CVE-2026-34453
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content


siyuan
  • ==< 3.6.2
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q
NIXPKGS-2026-0925
published 2 months, 3 weeks ago
CVE-2026-34449
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection


siyuan
  • ==< 3.6.2
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv