Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0848
published 2 months, 3 weeks ago
CVE-2026-31943
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

LibreChat has SSRF protection bypass via IPv4-mapped IPv6 normalization in isPrivateIP
LibreChat
  • ==< 0.8.3
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-w5r7-4f94-vp4c
NIXPKGS-2026-0846
published 2 months, 3 weeks ago
CVE-2026-28375
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    37 packages
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • garmin-grafana
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • grafana-image-renderer
    • dhallPackages.dhall-grafana
    • terraform-providers.grafana
    • python312Packages.grafanalib
    • python313Packages.grafanalib
    • python314Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • terraform-providers.grafana_grafana
    • grafanaPlugins.grafana-pyroscope-app
    • python312Packages.mypy-boto3-grafana
    • python313Packages.mypy-boto3-grafana
    • python314Packages.mypy-boto3-grafana
    • grafanaPlugins.grafana-piechart-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-metricsdrilldown-app
    • python312Packages.types-aiobotocore-grafana
    • python313Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-clickhouse-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-googlesheets-datasource
  • @mweinelt accepted
  • @mweinelt published on GitHub

Grafana Testdata datasource can issue unbounded memory allocations
Grafana
  • <v11.6.14
  • <v12.1.10
  • <v12.2.8
  • <v12.4.2
  • <v12.3.6
https://grafana.com/security/security-advisories/cve-2026-28375
NIXPKGS-2026-0867
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • pkgsRocm.crewai
    • python312Packages.crewai
    • python313Packages.crewai
    • python314Packages.crewai
    • pkgsRocm.python3Packages.crewai
  • @mweinelt accepted
  • @mweinelt published on GitHub

CVE-2026-2286
CrewAI
  • ==1.0
https://www.kb.cert.org/vuls/id/221883
NIXPKGS-2026-0844
published 2 months, 3 weeks ago
CVE-2026-27879
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    37 packages
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • garmin-grafana
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • grafana-image-renderer
    • dhallPackages.dhall-grafana
    • terraform-providers.grafana
    • python312Packages.grafanalib
    • python313Packages.grafanalib
    • python314Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • terraform-providers.grafana_grafana
    • grafanaPlugins.grafana-pyroscope-app
    • python312Packages.mypy-boto3-grafana
    • python313Packages.mypy-boto3-grafana
    • python314Packages.mypy-boto3-grafana
    • grafanaPlugins.grafana-piechart-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-metricsdrilldown-app
    • python312Packages.types-aiobotocore-grafana
    • python313Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-clickhouse-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-googlesheets-datasource
  • @mweinelt accepted
  • @mweinelt published on GitHub

Query resampling can cause unbounded memory allocations
Grafana
  • <v11.6.14
  • <v12.1.10
  • <v12.2.8
  • <v12.4.2
  • <v12.3.6
https://grafana.com/security/security-advisories/cve-2026-27879
NIXPKGS-2026-0842
published 2 months, 3 weeks ago
CVE-2026-31950
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

LibreChat's IDOR in SSE Stream Subscription Allows Reading Other Users' Chats
LibreChat
  • ==>= 0.8.2-rc2, < 0.8.2
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f6rf-vm44-wh5g
NIXPKGS-2026-0840
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

LibJWT has NULL/bounds validation in JWK octet and RSA PSS parsing
libjwt
  • ==>= 3.0.0, < 3.3.0
https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66
NIXPKGS-2026-0883
published 2 months, 3 weeks ago
CVE-2026-33983
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

FreeRDP: Progressive Codec Quant BYTE Underflow - UB + CPU DoS
FreeRDP
  • ==< 3.24.2
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gfm-4p52-h478
NIXPKGS-2026-0882
published 2 months, 3 weeks ago
CVE-2026-33995
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

FreeRDP: Possible double free in kerberos_AcceptSecurityContext
FreeRDP
  • ==< 3.24.2
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mv25-f4p2-5mxx
NIXPKGS-2026-0861
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • pkgsRocm.python3Packages.crewai
    • python314Packages.crewai
    • python313Packages.crewai
    • python312Packages.crewai
    • pkgsRocm.crewai
  • @mweinelt accepted
  • @mweinelt published on GitHub

CVE-2026-2275
CrewAI
  • ==1.0
https://www.kb.cert.org/vuls/id/221883
NIXPKGS-2026-0865
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

FreeRDP: DoS via WINPR_ASSERT in IMA ADPCM audio decoder (dsp.c:331)
FreeRDP
  • ==< 3.24.2
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5