Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0803
published 2 months, 4 weeks ago
CVE-2026-33945
9.9 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • terraform-providers.incus
    • terraform-providers.lxc_incus
    • incus-ui-canonical
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Arbitrary file write through systemd-creds option


incus
  • < 6.23.0
Upstream advisory: https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f
NIXPKGS-2026-0801
published 2 months, 4 weeks ago
CVE-2026-33670
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan has directory traversal within its publishing service


siyuan
  • < 3.6.2
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xmw9-6r43-x9ww
NIXPKGS-2026-0799
published 2 months, 4 weeks ago
CVE-2014-125112
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution


Plack-Middleware-Session
  • <= 0.21
Advisory: http://www.openwall.com/lists/oss-security/2026/03/26/2
NIXPKGS-2026-0797
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • prometheus-squid-exporter
    • python312Packages.flyingsquid
    • python313Packages.flyingsquid
    • python314Packages.flyingsquid
    • pkgsRocm.python3Packages.flyingsquid
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Squid vulnerable to Denial of Service in ICP Request handling


squid
  • < 7.5
Upstream advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-hpfx-h48q-gvwg
NIXPKGS-2026-0778
published 2 months, 4 weeks ago
CVE-2026-33495
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Ory Oathkeeper has an authentication bypass by usage of untrusted header


oathkeeper
  • < 26.2.0
Upstream advisory: https://github.com/ory/oathkeeper/security/advisories/GHSA-vhr5-ggp3-qq85
Upstream patch: https://github.com/ory/oathkeeper/commit/e9acca14a04d246250557550065e4b4576525bd5
NIXPKGS-2026-0782
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic


recipes
  • < 2.6.0
Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf
NIXPKGS-2026-0783
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    17 packages
    • go-outline
    • mdbook-pdf-outline
    • typstPackages.suboutline
    • python312Packages.outlines
    • python313Packages.outlines
    • typstPackages.suboutline_0_1_0
    • typstPackages.suboutline_0_2_0
    • typstPackages.suboutline_0_3_0
    • mplus-outline-fonts.osdnRelease
    • python312Packages.outlines-core
    • python313Packages.outlines-core
    • python314Packages.outlines-core
    • typstPackages.outline-summaryst
    • mplus-outline-fonts.githubRelease
    • pkgsRocm.python3Packages.outlines
    • typstPackages.outline-summaryst_0_1_0
    • pkgsRocm.python3Packages.outlines-core
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Outline has a rate limit bypass that allows brute force of email login OTP


outline
  • >= 0.86.0, < 1.6.0
Upstream advisory: https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6
NIXPKGS-2026-0785
published 2 months, 4 weeks ago
CVE-2026-33320
6.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Dasel has unbounded YAML alias expansion that leads to CPU/memory denial of service


dasel
  • >= 3.0.0, < 3.3.2
Upstream advisory: https://github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8
NIXPKGS-2026-0786
published 2 months, 4 weeks ago
CVE-2026-34352
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users …


TigerVNC
  • <1.16.2
Upstream announce: https://groups.google.com/g/tigervnc-announce/c/anHL9WLshLI
NIXPKGS-2026-0788
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests


activestorage
  • >= 8.1.0, < 8.1.2.1
  • >= 8.0.0, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
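Each entry names the affected package and one or more version ranges; a version is affected when it satisfies every clause of at least one range (activestorage above has three such ranges). The following added example (written for this page, not code from the tracker or from any listed project) parses ranges in exactly the form the entries use and checks an inventory of installed versions against them. The range table is taken from the entries above; the installed versions are constructed sample input, not real system data. Comparison is numeric per dotted segment, since a plain string compare would wrongly place squid 7.10 below 7.5.

```python
"""Check installed versions against the affected ranges listed by the tracker.

Added example; not part of the Nixpkgs security tracker. AFFECTED mirrors the
ranges printed in the entries above; SAMPLE_INVENTORY is constructed test input.
"""
import re
from itertools import zip_longest

# package -> list of ranges; each range is a comma-separated list of clauses that
# must all hold, and a version is affected if any one range matches.
AFFECTED = {
    "incus": ["< 6.23.0"],
    "siyuan": ["< 3.6.2"],
    "Plack-Middleware-Session": ["<= 0.21"],
    "squid": ["< 7.5"],
    "oathkeeper": ["< 26.2.0"],
    "recipes": ["< 2.6.0"],
    "outline": [">= 0.86.0, < 1.6.0"],
    "dasel": [">= 3.0.0, < 3.3.2"],
    "TigerVNC": ["< 1.16.2"],
    "activestorage": [">= 8.1.0, < 8.1.2.1", ">= 8.0.0, < 8.0.4.1", "< 7.2.3.1"],
}

CLAUSE_RE = re.compile(r"\s*(<=|>=|<|>|==)\s*(\d+(?:\.\d+)*)\s*")


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> tuple of ints (all ranges on this page are numeric)."""
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1. Segments compare as integers and a missing trailing segment
    counts as 0, so 8.1.2 < 8.1.2.1, 8.1.10 > 8.1.2 and 7.5 == 7.5.0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def parse_range(spec: str) -> list:
    """'>= 8.1.0, < 8.1.2.1' -> [('>=', '8.1.0'), ('<', '8.1.2.1')]."""
    clauses = []
    for clause in spec.split(","):
        m = CLAUSE_RE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unrecognised clause {clause!r} in range {spec!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def holds(op: str, cmp: int) -> bool:
    return {"<": cmp < 0, "<=": cmp <= 0, ">": cmp > 0, ">=": cmp >= 0, "==": cmp == 0}[op]


def is_affected(version: str, ranges: list) -> bool:
    return any(
        all(holds(op, compare_versions(version, bound)) for op, bound in parse_range(r))
        for r in ranges
    )


def audit(installed: dict, affected: dict = AFFECTED) -> dict:
    """Subset of installed ({package: version}) that falls inside an affected range."""
    return {
        name: ver
        for name, ver in installed.items()
        if name in affected and is_affected(ver, affected[name])
    }


# Constructed sample inventory; not taken from any real system.
SAMPLE_INVENTORY = {
    "activestorage": "8.1.2",   # inside >= 8.1.0, < 8.1.2.1
    "outline": "1.6.0",         # exactly the fixed version
    "incus": "6.22.0",          # below 6.23.0
    "dasel": "2.9.0",           # below the >= 3.0.0 lower bound
    "squid": "7.10",            # above 7.5 numerically
    "TigerVNC": "1.16.2",       # exactly the fixed version
}

if __name__ == "__main__":
    for name, ver in audit(SAMPLE_INVENTORY).items():
        print(f"{name} {ver}: affected, ranges {AFFECTED[name]}")
```

The tracker's package names are nixpkgs attribute names, so in practice the inventory would be produced by querying the installed closure for those attributes; the matching logic above is the same either way. Note that the upper bounds are exclusive (< fixed version) while the Plack entry's "through 0.21" is inclusive, which is why the table keeps both operators.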