Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0881
published 2 months, 3 weeks ago
CVE-2026-32883
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored
    9 packages
    • botan2
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
  • @mweinelt accepted
  • @mweinelt published on GitHub

Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass

botan
  • >= 3.0.0, < 3.11.0
https://github.com/randombit/botan/security/advisories/GHSA-9j2j-hqmc-hf5x
NIXPKGS-2026-0879
published 2 months, 3 weeks ago
CVE-2026-32877
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored
    9 packages
    • botan2
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • chickenPackages_5.chickenEggs.botan
    • haskellPackages.botan-bindings
    • haskellPackages.botan-low
    • python314Packages.botan3
  • @mweinelt accepted
  • @mweinelt published on GitHub

Botan: Heap Buffer Over-read in SM2 Decryption via Undersized C3 Hash Field

botan
  • >= 2.3.0, < 3.11.0
https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6
NIXPKGS-2026-0877
published 2 months, 3 weeks ago
CVE-2026-32884
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored
    9 packages
    • botan2
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
  • @mweinelt accepted
  • @mweinelt published on GitHub

Botan: Case-Insensitive CN Values Bypass DNS excludedSubtrees Name Constraints (RFC 5280 Violation)

botan
  • < 3.11.0
https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5
NIXPKGS-2026-0875
published 2 months, 3 weeks ago
CVE-2026-33721
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored package mapserver
  • @mweinelt accepted
  • @mweinelt published on GitHub

MapServer has heap buffer overflow in SLD `Categorize` Threshold parsing

MapServer
  • >= 4.2, < 8.6.1
https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp
NIXPKGS-2026-0873
published 2 months, 3 weeks ago
CVE-2026-5124
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Not Defined (X)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

osrg GoBGP BGP Header bgp.go BGPHeader.DecodeFromBytes access control

GoBGP
  • 4.2
  • 4.1
  • 4.0
  • 4.3.0
https://github.com/osrg/gobgp/commit/f0f24a2a901cbf159260698211ab15c583ced131
https://github.com/osrg/gobgp/pull/3340
NIXPKGS-2026-0871
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • python312Packages.pytautulli
    • python313Packages.pytautulli
    • python314Packages.pytautulli
    • home-assistant-component-tests.tautulli
    • tests.home-assistant-component-tests.tautulli
  • @mweinelt accepted
  • @mweinelt published on GitHub

Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft

Tautulli
  • >= 1.3.10, < 2.17.0
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh
NIXPKGS-2026-0869
published 2 months, 3 weeks ago
CVE-2026-5165
6.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Virtio-win: virtio-win: memory corruption via use-after-free in virtio blk device reset

virtio-win
https://github.com/virtio-win/kvm-guest-drivers-windows/pull/1493
NIXPKGS-2026-0839
published 2 months, 3 weeks ago
CVE-2026-4948
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored package firewalld-gui
  • @mweinelt accepted
  • @mweinelt published on GitHub

Firewalld: firewalld: local unprivileged user can modify firewall state due to d-bus setter mis-authorization

rhcos
firewalld
https://access.redhat.com/security/cve/CVE-2026-4948
NIXPKGS-2026-0841
published 2 months, 3 weeks ago
CVE-2026-27877
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt ignored
    37 packages
    • python312Packages.grafanalib
    • terraform-providers.grafana
    • python313Packages.grafanalib
    • python314Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • terraform-providers.grafana_grafana
    • grafanaPlugins.grafana-pyroscope-app
    • python312Packages.mypy-boto3-grafana
    • python313Packages.mypy-boto3-grafana
    • python314Packages.mypy-boto3-grafana
    • grafanaPlugins.grafana-piechart-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-metricsdrilldown-app
    • python312Packages.types-aiobotocore-grafana
    • python313Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-clickhouse-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-googlesheets-datasource
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • garmin-grafana
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • grafana-image-renderer
    • dhallPackages.dhall-grafana
  • @mweinelt accepted
  • @mweinelt published on GitHub

Public dashboards discloses all direct mode datasources

Grafana
  • <v11.6.14
  • <v12.1.10
  • <v12.2.8
  • <v12.4.2
  • <v12.3.6
https://grafana.com/security/security-advisories/cve-2026-27877
NIXPKGS-2026-0843
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

OpenBao has Reflected XSS in its OIDC authentication error message

openbao
  • < 2.5.2
https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59