Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0832
published 2 months, 4 weeks ago
Permalink CVE-2026-29180
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

Fleet's team maintainer can transfer hosts from any team via missing source team authorization

fleet
  • ==< 4.81.1 
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m
NIXPKGS-2026-0835
published 2 months, 4 weeks ago
Permalink CVE-2026-34387
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts

fleet
  • ==< 4.81.1 
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h
NIXPKGS-2026-0834
published 2 months, 4 weeks ago
Permalink CVE-2026-34388
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint

fleet
  • ==< 4.81.0 
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-w254-4hp5-7cvv
NIXPKGS-2026-0830
published 2 months, 4 weeks ago
Permalink CVE-2026-34386
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin

fleet
  • ==< 4.81.0 
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m
NIXPKGS-2026-0828
published 2 months, 4 weeks ago
Permalink CVE-2026-4988
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored package open5gs-webui 2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

Open5GS CCA Message smf_s6b denial of service

Open5GS
  • ==2.7.6 
Upstream issue: https://github.com/open5gs/open5gs/issues/4342
NIXPKGS-2026-0826
published 2 months, 4 weeks ago
Permalink CVE-2026-33433
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored package traefik-certs-dumper 2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

traefik
  • ==>= 3.7.0-ea.1, < 3.7.0-ea.3
  • ==>= 3.0.0-beta1, < 3.6.11
  • ==< 2.11.42 
Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-qr99-7898-vr7c
NIXPKGS-2026-0824
published 2 months, 4 weeks ago
Permalink CVE-2026-33205
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored
    3 packages
    • calibre-web
    • pkgsRocm.calibre-no-speech
    • calibre-no-speech
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

calibre has Server-Side Request Forgery in ebook viewer backend

calibre
  • ==< 9.6.0 
Advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
NIXPKGS-2026-0822
published 2 months, 4 weeks ago
Permalink CVE-2026-4985
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Not Defined (X)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

dloebl CGIF GIF Image cgif.c cgif_addframe integer overflow

CGIF
  • ==0.5.1
  • ==0.5.2
  • ==0.5.0 
Patch: https://github.com/dloebl/cgif/commit/b0ba830093f4317a5d1f345715d2fa3cd2dab474
NIXPKGS-2026-0820
published 2 months, 4 weeks ago
Permalink CVE-2026-33744
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

BentoML
  • ==< 1.4.37 
Advisory: https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf
NIXPKGS-2026-0818
published 2 months, 4 weeks ago
Permalink CVE-2026-33699
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored
    4 packages
    • capypdf
    • python312Packages.pypdfium2
    • python313Packages.pypdfium2
    • python314Packages.pypdfium2
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago

pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream

pypdf
  • ==< 6.9.2 
Advisory: https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3