Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0836
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Fleet's unbounded request body read allows remote Denial of Service

fleet
  • < 4.81.0
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-99hj-44vg-hfcp
NIXPKGS-2026-0833
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Fleet's user account creation via invite does not enforce invited email address

fleet
  • < 4.81.0
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h
NIXPKGS-2026-0831
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Fleet: Password reset tokens remain valid after password change for 24 hours

fleet
  • < 4.81.0
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4
NIXPKGS-2026-0829
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Fleet Vulnerable to Windows MDM cross-device command disclosure

fleet
  • < 4.81.1
Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-wg7j-pcc3-h4rh
NIXPKGS-2026-0827
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor

windmill
  • < 1.664.0
Advisory: https://github.com/windmill-labs/windmill/security/advisories/GHSA-8q8j-mm3g-5c2q
NIXPKGS-2026-0825
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored package calibre-web
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

calibre has a path traversal vulnerability

calibre
  • < 9.6.0
Advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6
NIXPKGS-2026-0823
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored package traefik-certs-dumper
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass

traefik
  • >= 3.7.0-ea.1, < 3.7.0-ea.2
  • < 3.6.11
Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj
NIXPKGS-2026-0821
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • buildkit-nix
    • buildkite-cli
    • buildkite-agent
    • buildkite-agent-metrics
    • buildkite-test-collector-rust
    • terraform-providers.buildkite
    • terraform-providers.buildkite_buildkite
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

BuildKit Git URL subdir component can cause access to restricted files

buildkit
  • < 0.28.1
Advisory: https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg
NIXPKGS-2026-0819
published 2 months, 4 weeks ago
CVE-2026-33747
8.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • buildkit-nix
    • buildkite-cli
    • buildkite-agent
    • buildkite-agent-metrics
    • buildkite-test-collector-rust
    • terraform-providers.buildkite
    • terraform-providers.buildkite_buildkite
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

BuildKit vulnerable to malicious frontend causing file escape outside of storage root

buildkit
  • < 0.28.1
Advisory: https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj
NIXPKGS-2026-0817
published 2 months, 4 weeks ago
CVE-2026-32241
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored package cni-plugin-flannel
  • @LeSuisse deleted maintainer @offlinehacker
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection

flannel
  • < 0.28.2
Advisory: https://github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2