Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0810
published 2 months, 4 weeks ago
CVE-2026-33470
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package home-assistant-custom-components.frigate
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Frigate has cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webp


frigate
  • = 0.17.0
Upstream advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g
NIXPKGS-2026-0812
published 2 months, 4 weeks ago
CVE-2026-34071
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package stirling-pdf-desktop
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Stirling-PDF has Stored Cross Site Scripting (XSS) via EML-to-HTML Export


Stirling-PDF
  • = 2.7.3
Upstream advisory: https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-xmhg-fv84-jgfc
NIXPKGS-2026-0814
published 2 months, 4 weeks ago
CVE-2026-33496
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Ory Oathkeeper has an authentication bypass by cache key confusion


oathkeeper
  • < 26.2.0
Upstream advisory: https://github.com/ory/oathkeeper/security/advisories/GHSA-4mq7-pvjg-xp2r
Upstream patch: https://github.com/ory/oathkeeper/commit/198a2bc82a99e0a77bd0ffe290cbdd5285a1b17c
NIXPKGS-2026-0816
published 2 months, 4 weeks ago
CVE-2026-33664
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields


kestra
  • <= 1.3.3
Upstream advisory: https://github.com/kestra-io/kestra/security/advisories/GHSA-v2mc-8q95-g7hp
NIXPKGS-2026-0777
published 2 months, 4 weeks ago
CVE-2026-2239
2.8 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    28 packages
    • zigimports
    • gimpPlugins.bimp
    • gimpPlugins.gimp
    • gimpPlugins.gmic
    • gimp-with-plugins
    • gimp2Plugins.bimp
    • gimp2Plugins.gimp
    • gimp2Plugins.gmic
    • gimp3Plugins.gimp
    • gimp3Plugins.gmic
    • gimp2-with-plugins
    • gimp3-with-plugins
    • gimpPlugins.fourier
    • gimp2Plugins.fourier
    • gimpPlugins.farbfeld
    • gimp2Plugins.farbfeld
    • gimpPlugins.lightning
    • gimpPlugins.lqrPlugin
    • gimpPlugins.texturize
    • gimp2Plugins.lightning
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.texturize
    • gimp3Plugins.lightning
    • gimpPlugins.gimplensfun
    • gimp2Plugins.gimplensfun
    • gimpPlugins.resynthesizer
    • gimpPlugins.waveletSharpen
    • gimp2Plugins.waveletSharpen
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gimp: gimp: application crash (dos) via crafted psd file due to heap-buffer-overflow


gimp
gimp:2.8/gimp
Upstream issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/15812
NIXPKGS-2026-0776
published 2 months, 4 weeks ago
CVE-2026-33743
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • incus-ui-canonical
    • terraform-providers.incus
    • terraform-providers.lxc_incus
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Incus vulnerable to denial of service through crafted bucket backup file


incus
  • < 6.23.0
Upstream advisory: https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3
NIXPKGS-2026-0779
published 2 months, 4 weeks ago
CVE-2026-33898
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • incus-ui-canonical
    • terraform-providers.incus
    • terraform-providers.lxc_incus
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Local Incus UI web server vulnerable to authentication bypass


incus
  • < 6.23.0
Upstream advisory: https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq
NIXPKGS-2026-0780
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • prometheus-squid-exporter
    • python312Packages.flyingsquid
    • python313Packages.flyingsquid
    • python314Packages.flyingsquid
    • pkgsRocm.python3Packages.flyingsquid
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Squid has Denial of Service in ICP Response handling


squid
  • < 7.5
Upstream advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-f9p7-3jqg-hhvq
Upstream patch: https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b
NIXPKGS-2026-0781
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    28 packages
    • netcdf
    • pnetcdf
    • etcd_3_4
    • etcd_3_5
    • netcdf-mpi
    • netcdfcxx4
    • netcdffortran
    • pkgsRocm.pnetcdf
    • pkgsRocm.netcdf-mpi
    • octavePackages.netcdf
    • python312Packages.etcd
    • python313Packages.etcd
    • python314Packages.etcd
    • python312Packages.aetcd
    • python312Packages.etcd3
    • python313Packages.aetcd
    • python313Packages.etcd3
    • python314Packages.aetcd
    • python314Packages.etcd3
    • python312Packages.netcdf4
    • python313Packages.netcdf4
    • python314Packages.netcdf4
    • python312Packages.h5netcdf
    • python313Packages.h5netcdf
    • python314Packages.h5netcdf
    • python312Packages.python-etcd
    • python313Packages.python-etcd
    • python314Packages.python-etcd
  • @LeSuisse restored
    2 packages
    • etcd_3_4
    • etcd_3_5
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

etcd: Authorization bypasses in multiple APIs


etcd
  • >= 3.6.0-alpha.0, < 3.6.9
  • >= 3.5.0-alpha.0, < 3.5.28
  • < 3.4.42
Upstream advisory: https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg
NIXPKGS-2026-0784
published 2 months, 4 weeks ago
CVE-2026-33536
5.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • imagemagick6
    • imagemagickBig
    • imagemagick6Big
    • imagemagick_light
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

ImageMagick has an Out-of-bounds Write via InterpretImageFilename


ImageMagick
  • < 7.1.2-18
  • < 6.9.13-43
Upstream advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8793-7xv6-82cf