Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0868
published 2 months, 3 weeks ago
Permalink CVE-2026-2287
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    5 packages
    • pkgsRocm.crewai
    • python312Packages.crewai
    • python313Packages.crewai
    • python314Packages.crewai
    • pkgsRocm.python3Packages.crewai
    2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

CVE-2026-2287

CrewAI
  • ==1.0 
https://www.kb.cert.org/vuls/id/221883
NIXPKGS-2026-0866
published 2 months, 3 weeks ago
Permalink CVE-2026-2285
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    5 packages
    • pkgsRocm.crewai
    • python312Packages.crewai
    • python313Packages.crewai
    • python314Packages.crewai
    • pkgsRocm.python3Packages.crewai
    2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

CVE-2026-2285

CrewAI
  • ==1.0 
https://www.kb.cert.org/vuls/id/221883
NIXPKGS-2026-0864
published 2 months, 3 weeks ago
Permalink CVE-2026-3945
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

An integer overflow vulnerability in the HTTP chunked transfer encoding …

tinyproxy
  • ==<=1.11.3 
https://github.com/tinyproxy/tinyproxy/pull/603
NIXPKGS-2026-0862
published 2 months, 3 weeks ago
Permalink CVE-2026-33987
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

FreeRDP: Persistent Cache bmpSize Desync - Heap OOB Write

FreeRDP
  • ==< 3.24.2 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ff8h-p5vc-wcwc
NIXPKGS-2026-0860
published 2 months, 3 weeks ago
Permalink CVE-2026-5122
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Not Defined (X)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

osrg GoBGP BGP OPEN Message bgp.go DecodeFromBytes access control

GoBGP
  • ==4.2
  • ==4.1
  • ==4.0
  • ==4.3.0 
https://github.com/osrg/gobgp/pull/3343
https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d
NIXPKGS-2026-0858
published 2 months, 3 weeks ago
Permalink CVE-2025-66038
3.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    11 packages
    • openscad
    • openscap
    • openscreen
    • openscad-lsp
    • openscenegraph
    • openscad-unstable
    • kakounePlugins.openscad-kak
    • vscode-extensions.antyos.openscad
    • tree-sitter-grammars.tree-sitter-openscad
    • python313Packages.tree-sitter-grammars.tree-sitter-openscad
    • python314Packages.tree-sitter-grammars.tree-sitter-openscad
    2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers

OpenSC
  • ==< 0.27.0 
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459
NIXPKGS-2026-0856
published 2 months, 3 weeks ago
Permalink CVE-2026-5119
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment

libsoup
libsoup3
https://gitlab.gnome.org/GNOME/libsoup/-/issues/502
NIXPKGS-2026-0854
published 2 months, 3 weeks ago
Permalink CVE-2026-33985
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

FreeRDP: ClearCodec Glyph Cache Count Desync - Heap OOB Read

FreeRDP
  • ==< 3.24.2 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x6gr-8p7h-5h85
NIXPKGS-2026-0852
published 2 months, 3 weeks ago
Permalink CVE-2026-5037
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow

mxml
  • ==4.0.2
  • ==4.0.0
  • ==4.0.1
  • ==4.0.3
  • ==4.0.4 
https://github.com/michaelrsweet/mxml/issues/350
NIXPKGS-2026-0850
published 2 months, 3 weeks ago
Permalink CVE-2026-27880
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @mweinelt ignored
    37 packages
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • garmin-grafana
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • grafana-image-renderer
    • dhallPackages.dhall-grafana
    • terraform-providers.grafana
    • python312Packages.grafanalib
    • python313Packages.grafanalib
    • python314Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • terraform-providers.grafana_grafana
    • grafanaPlugins.grafana-pyroscope-app
    • python312Packages.mypy-boto3-grafana
    • python313Packages.mypy-boto3-grafana
    • python314Packages.mypy-boto3-grafana
    • grafanaPlugins.grafana-piechart-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-metricsdrilldown-app
    • python312Packages.types-aiobotocore-grafana
    • python313Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-clickhouse-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-googlesheets-datasource
    2 months, 3 weeks ago
  • @mweinelt accepted 2 months, 3 weeks ago
  • @mweinelt published on GitHub 2 months, 3 weeks ago

OpenFeature evaluation API reads input data with no bounds

Grafana
  • <v12.3.6
  • <v12.2.8
  • <v12.1.10
  • <v12.4.2 
https://grafana.com/security/security-advisories/cve-2026-27880