NIXPKGS-2026-0926

GitHub issue published 2 months, 3 weeks ago

          Permalink
          
            CVE-2026-34605
          
              updated
            
          2 months, 3 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          2 months, 3 weeks ago
          
          @LeSuisse
          
              accepted
            
          2 months, 3 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 3 weeks ago
          
            SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG ( getDynamicIcon, unauthenticated )
          
      https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3
    
    x_refsource_CONFIRM
  
      https://github.com/siyuan-note/siyuan/issues/17246
    
    x_refsource_MISC
  
      https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
    
    x_refsource_MISC
  
    siyuan

            ==>= 3.6.0, < 3.6.2
          
          Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3

NIXPKGS-2026-0927

GitHub issue published 2 months, 3 weeks ago

          Permalink
          
            CVE-2026-34585
          
        8.6 HIGH
      
        CVSS version (CVSS): 3.1
      
          Attack Vector (AV): Local (L)
        
          Attack Complexity (AC): Low (L)
        
          Privileges Required (PR): None (N)
        
          User Interaction (UI): Required (R)
        
          Scope (S): Changed (C)
        
          Confidentiality (C): High (H)
        
          Integrity (I): High (H)
        
          Availability (A): High (H)
        
          Modified Attack Vector (MAV): Local (L)
        
          Modified Attack Complexity (MAC): Low (L)
        
          Modified Privileges Required (MPR): None (N)
        
          Modified User Interaction (MUI): Required (R)
        
          Modified Confidentiality (MC): High (H)
        
          Modified Scope (MS): Changed (C)
        
          Modified Integrity (MI): High (H)
        
          Modified Availability (MA): High (H)
        
              updated
            
          2 months, 3 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          2 months, 3 weeks ago
          
          @LeSuisse
          
              accepted
            
          2 months, 3 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 3 weeks ago
          
            SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution
          
      https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg
    
    x_refsource_CONFIRM
  
      https://github.com/siyuan-note/siyuan/issues/17246
    
    x_refsource_MISC
  
      https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
    
    x_refsource_MISC
  
    siyuan

            ==< 3.6.2
          
          Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg

NIXPKGS-2026-0928

GitHub issue published 2 months, 3 weeks ago

Permalink CVE-2026-24030

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 3 weeks ago
@LeSuisse published on GitHub 2 months, 3 weeks ago

Unbounded memory allocation for DoQ and DoH3

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-…

dnsdist

<2.0.3
<1.9.12

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

NIXPKGS-2026-0929

GitHub issue published 2 months, 3 weeks ago

Permalink CVE-2026-24028

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 3 weeks ago
@LeSuisse published on GitHub 2 months, 3 weeks ago

Out-of-bounds read when parsing DNS packets via Lua

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-…

dnsdist

<2.0.3
<1.9.12

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

NIXPKGS-2026-0930

GitHub issue published 2 months, 3 weeks ago

Permalink CVE-2026-27854

4.8 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 3 weeks ago
@LeSuisse published on GitHub 2 months, 3 weeks ago

Use after free when parsing EDNS options in Lua

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-…

dnsdist

<2.0.3
<1.9.12

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

NIXPKGS-2026-0931

GitHub issue published 2 months, 3 weeks ago

Permalink CVE-2026-24029

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 3 weeks ago
@LeSuisse published on GitHub 2 months, 3 weeks ago

DNS over HTTPS ACL bypass

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-…

dnsdist

<2.0.3
<1.9.12

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

NIXPKGS-2026-0932

GitHub issue published 2 months, 3 weeks ago

Permalink CVE-2026-0397

3.1 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 3 weeks ago
@LeSuisse published on GitHub 2 months, 3 weeks ago

Information disclosure via CORS misconfiguration

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-…

dnsdist

<2.0.3
<1.9.12

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

NIXPKGS-2026-0933

GitHub issue published 2 months, 3 weeks ago

Permalink CVE-2026-27853

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 3 weeks ago
@LeSuisse published on GitHub 2 months, 3 weeks ago

Out-of-bounds write when rewriting large DNS packets

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-…

dnsdist

<2.0.3
<1.9.12

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

NIXPKGS-2026-0934

GitHub issue published 2 months, 3 weeks ago

          Permalink
          
            CVE-2026-34400
          
              updated
            
          2 months, 3 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          2 months, 3 weeks ago
          
          @LeSuisse
          
              ignored
            
                4 packages
                alerta
python312Packages.meteoalertapi
python313Packages.meteoalertapi
python314Packages.meteoalertapi

          2 months, 3 weeks ago
          
          @LeSuisse
          
              accepted
            
          2 months, 3 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 3 weeks ago
          
            alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
          
      https://github.com/alerta/alerta/security/advisories/GHSA-8prr-286p-4w7j
    
    x_refsource_CONFIRM
  
      https://github.com/alerta/alerta/pull/2040
    
    x_refsource_MISC
  
      https://github.com/alerta/alerta/pull/712
    
    x_refsource_MISC
  
      https://github.com/alerta/alerta/commit/aeba85a37a09e5769a7a2da56481aa979ff99a00
    
    x_refsource_MISC
  
      https://github.com/alerta/alerta/commit/fdd52cd1abad8d02d1dfb8ecdcdbb43b6af3b883
    
    x_refsource_MISC
  
      https://github.com/alerta/alerta/releases/tag/v9.1.0
    
    x_refsource_MISC
  
    alerta

            ==< 9.1.0
          
          Upstream advisory: https://github.com/alerta/alerta/security/advisories/GHSA-8prr-286p-4w7j

NIXPKGS-2026-0857

GitHub issue published 2 months, 3 weeks ago

Permalink CVE-2026-31831

updated 2 months, 3 weeks ago by @mweinelt Activity log

Created suggestion 2 months, 3 weeks ago
@mweinelt ignored
5 packages
- tests.home-assistant-component-tests.tautulli
- python312Packages.pytautulli
- python313Packages.pytautulli
- python314Packages.pytautulli
- home-assistant-component-tests.tautulli
2 months, 3 weeks ago
@mweinelt accepted 2 months, 3 weeks ago
@mweinelt published on GitHub 2 months, 3 weeks ago

Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m x_refsource_CONFIRM
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 x_refsource_MISC

Tautulli

==< 2.17.0

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m

Nixpkgs security tracker

Published issues

SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG ( getDynamicIcon, unauthenticated )

SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution

Unbounded memory allocation for DoQ and DoH3

Out-of-bounds read when parsing DNS packets via Lua

Use after free when parsing EDNS options in Lua

DNS over HTTPS ACL bypass

Information disclosure via CORS misconfiguration

Out-of-bounds write when rewriting large DNS packets

alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API

Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint