Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0906
published 2 months, 3 weeks ago
Permalink CVE-2026-33300
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v
NIXPKGS-2026-0905
published 2 months, 3 weeks ago
Permalink CVE-2026-33185
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Group SMTP test endpoint susceptible to SSRF

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3
NIXPKGS-2026-0904
published 2 months, 3 weeks ago
Permalink CVE-2026-32243
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Stored XSS in discourse-ai shared conversations onebox

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-pjc5-8x3w-rfwx
NIXPKGS-2026-0903
published 2 months, 3 weeks ago
Permalink CVE-2026-32273
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: XSS on category description update via API

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-h2h4-767x-6pc8
NIXPKGS-2026-0902
published 2 months, 3 weeks ago
Permalink CVE-2026-32620
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    6 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • discourseAllPlugins
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse restored package discourseAllPlugins 2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Missing post-level authorization allows whisper metadata disclosure

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65
NIXPKGS-2026-0901
published 2 months, 3 weeks ago
Permalink CVE-2026-33074
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-9vg5-mp49-xghh
NIXPKGS-2026-0900
published 2 months, 3 weeks ago
Permalink CVE-2026-33415
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg
NIXPKGS-2026-0899
published 2 months, 3 weeks ago
Permalink CVE-2026-32607
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Stored XSS via unescaped assignee name

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-xg68-q7ff-6gqm
NIXPKGS-2026-0898
published 2 months, 3 weeks ago
Permalink CVE-2026-33073
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

discourse-subscriptions plugin leaking stripe API key in multisite environment

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-f866-8fcp-fgvv
NIXPKGS-2026-0897
published 2 months, 3 weeks ago
Permalink CVE-2026-32618
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
    2 months, 3 weeks ago
  • @LeSuisse deleted maintainer @talyz 2 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago

Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

discourse
  • ==>= 2026.3.0-latest, < 2026.3.0
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.2.0-latest, < 2026.2.2 
https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3