Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0845
published 2 months, 3 weeks ago
CVE-2026-31951
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

LibreChat's MCP Server Header Injection Enables OAuth Token Theft

LibreChat
  • >= v0.8.2-rc1, <= v0.8.3-rc1
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954
NIXPKGS-2026-0847
published 2 months, 3 weeks ago
CVE-2026-31945
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

LibreChat Server-Side Request Forgery using DNS resolution

LibreChat
  • >= 0.8.2-rc2, < 0.8.3-rc1
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2
NIXPKGS-2026-0849
published 2 months, 3 weeks ago
CVE-2026-33725
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import

metabase
  • >= 1.57.0, < 1.57.16
  • >= 1.56.0, < 1.56.22
  • >= 1.55.0, < 1.55.22
  • >= 1.59.0, < 1.59.4
  • >= 1.58.0, < 1.58.10
  • < 1.54.22
https://github.com/metabase/metabase/security/advisories/GHSA-fppj-vcm3-w229
likely enterprise version only, please check
NIXPKGS-2026-0851
published 2 months, 3 weeks ago
CVE-2026-33757
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @LeSuisse deleted
    2 maintainers
    • @emilylange
    • @brianmay
    maintainer.delete
  • @mweinelt added
    2 maintainers
    • @emilylange
    • @brianmay
    maintainer.add
  • @mweinelt accepted
  • @mweinelt published on GitHub

OpenBao lacks user confirmation for OIDC direct callback mode

openbao
  • < 2.5.2
https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3
NIXPKGS-2026-0853
published 2 months, 3 weeks ago
CVE-2026-5164
6.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

virtio-win: denial of service via unvalidated descriptor count in unmap request

virtio-win
https://github.com/virtio-win/kvm-guest-drivers-windows/pull/1504
NIXPKGS-2026-0855
published 2 months, 3 weeks ago
CVE-2026-31799
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • python312Packages.pytautulli
    • python313Packages.pytautulli
    • python314Packages.pytautulli
    • home-assistant-component-tests.tautulli
    • tests.home-assistant-component-tests.tautulli
  • @mweinelt accepted
  • @mweinelt published on GitHub

Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters

Tautulli
  • >= 2.1.0-beta, < 2.17.0
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q
NIXPKGS-2026-0857
published 2 months, 3 weeks ago
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • tests.home-assistant-component-tests.tautulli
    • python312Packages.pytautulli
    • python313Packages.pytautulli
    • python314Packages.pytautulli
    • home-assistant-component-tests.tautulli
  • @mweinelt accepted
  • @mweinelt published on GitHub

Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint

Tautulli
  • < 2.17.0
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m
NIXPKGS-2026-0859
published 2 months, 3 weeks ago
CVE-2026-33986
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

FreeRDP: H.264 YUV Buffer Dimension Desync - Heap OOB Write

FreeRDP
  • < 3.24.2
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97
NIXPKGS-2026-0838
published 2 months, 3 weeks ago
CVE-2026-4946
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    12 packages
    • rizinPlugins.rz-ghidra
    • cutterPlugins.rz-ghidra
    • ghidra-extensions.ret-sync
    • python313Packages.pyghidra
    • python314Packages.pyghidra
    • python312Packages.ghidra-bridge
    • python313Packages.ghidra-bridge
    • python314Packages.ghidra-bridge
    • ghidra-extensions.ghidra-firmware-utils
    • ghidra-extensions.ghidra-delinker-extension
    • ghidra-extensions.ghidraninja-ghidra-scripts
    • ghidra-extensions.ghidra-golanganalyzerextension
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NSA Ghidra Auto-Analysis Annotation Command Execution

Ghidra
  • < 12.0.3
Advisory: https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-mc3p-mq2p-xw6v
NIXPKGS-2026-0837
published 2 months, 4 weeks ago
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database

fleet
  • < 4.81.0
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45