Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0787
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Firecrawl Playwright Service SSRF Protection Bypass via Missing Post-Redirect Validation


Firecrawl
  • < 2.8.0
Upstream advisory: https://github.com/firecrawl/firecrawl/security/advisories/GHSA-vjp8-2wgg-p734
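The title describes an SSRF guard that validates the initial URL but not the targets of HTTP redirects, so a redirect from an allowed host can land on an internal address. The Python below is an added example, not Firecrawl's code, of that pattern beside a guarded fetch that disables automatic redirects and re-validates every hop before requesting it. The DNS resolver and HTTP client are injected, and the hosts (`public.example`, `metadata.internal`) and responses are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_target(url: str, resolve) -> str:
    """Allow only http(s) URLs whose host resolves to a public IP; return that IP."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    ip = resolve(parts.hostname)
    if not is_public_ip(ip):
        raise ValueError(f"blocked: {parts.hostname} resolves to {ip}")
    return ip


def fetch_naive(url: str, resolve, http_get):
    """Vulnerable pattern: the check runs once, then redirects are followed blindly."""
    validate_target(url, resolve)
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = http_get(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # the new target is never re-validated
            continue
        return url, body
    raise ValueError("too many redirects")


def fetch_guarded(url: str, resolve, http_get):
    """Hardened: follow redirects manually and validate every hop before requesting it."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_target(url, resolve)
        status, location, body = http_get(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return url, body
    raise ValueError("too many redirects")


# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {"public.example": "93.184.216.34",
            "metadata.internal": "169.254.169.254"}
FAKE_WEB = {
    "https://public.example/start": (302, "http://metadata.internal/latest/meta-data/", b""),
    "http://metadata.internal/latest/meta-data/": (200, None, b"instance credentials"),
}


def fake_resolve(host: str) -> str:
    try:
        ipaddress.ip_address(host)  # IP literal: nothing to resolve
        return host
    except ValueError:
        return FAKE_DNS[host]


def fake_get(url: str):
    return FAKE_WEB[url]


if __name__ == "__main__":
    print("naive:", fetch_naive("https://public.example/start", fake_resolve, fake_get))
    try:
        fetch_guarded("https://public.example/start", fake_resolve, fake_get)
    except ValueError as err:
        print("guarded:", err)
```

A real client must also connect to the IP it validated (or resolve once and pin that address for the connection) rather than letting the HTTP library resolve the name a second time, otherwise a DNS rebinding between check and connect reopens the same hole.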
NIXPKGS-2026-0789
published 2 months, 4 weeks ago
CVE-2026-33469
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package home-assistant-custom-components.frigate
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw`


frigate
  • = 0.17.0
Upstream advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh
NIXPKGS-2026-0791
published 2 months, 4 weeks ago
CVE-2026-33494
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Ory Oathkeeper has a path traversal authorization bypass


oathkeeper
  • < 26.2.0
Upstream advisory: https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm
Upstream patch: https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2
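The title states that Oathkeeper's authorization could be bypassed with path traversal; the specifics are in the upstream advisory and patch linked above, not on this page. As an added illustration, not Oathkeeper's code, the Python below shows the general failure mode of a proxy-side access-rule matcher: if rules are matched against the raw request path while the upstream collapses `..` segments and percent-encoding, a request for `/public/../admin/...` matches the permissive rule but is served by the admin route. The rule set, roles and paths are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access rules: first match wins, anything unmatched is denied.
RULES = [
    (re.compile(r"^/public/.*$"), "anonymous"),
    (re.compile(r"^/admin/.*$"), "admin"),
]


def canonical_path(raw_path: str) -> str:
    """Canonicalise the path the way a typical upstream interprets it:
    drop the query, percent-decode once, collapse '.' and '..' segments."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        # Double-encoded input is ambiguous between proxy and upstream: refuse it.
        raise ValueError(f"ambiguous encoding in path: {raw_path!r}")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    canon = posixpath.normpath(decoded)
    # normpath keeps a leading '//' (POSIX allows it) and drops a trailing '/'.
    canon = "/" + canon.lstrip("/")
    if decoded.endswith("/") and canon != "/":
        canon += "/"
    return canon


def required_role_naive(raw_path: str) -> str:
    """Vulnerable: rules are matched against the path exactly as received."""
    for pattern, role in RULES:
        if pattern.match(raw_path):
            return role
    return "deny"


def required_role(raw_path: str) -> str:
    """Hardened: match rules against the canonical path the upstream will see."""
    return required_role_naive(canonical_path(raw_path))


def authorize(raw_path: str, user_roles: set, naive: bool = False) -> bool:
    """Decide the request; `naive=True` reproduces the bypassable behaviour."""
    role = required_role_naive(raw_path) if naive else required_role(raw_path)
    if role == "deny":
        return False
    return role == "anonymous" or role in user_roles


if __name__ == "__main__":
    for p in ("/public/index.html", "/public/../admin/users", "/public/..%2Fadmin/users"):
        print(f"{p:30} naive={required_role_naive(p):10} canonical={required_role(p)}")
```

Matching on the canonical form is only half of it: the proxy should also forward the canonical path upstream, so that both sides agree on what was requested, and rules for privileged prefixes should be listed before (or deny-by-default around) permissive ones.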
NIXPKGS-2026-0793
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404


recipes
  • < 2.6.0
Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6qpw-gwcq-68fv
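The title names the defect precisely: `get_object_or_404` is called with the record's primary key alone, so a user in one space can fetch a synced-folder record that belongs to another space. The sqlite-backed Python below is an added example of that pattern and its fix, not Tandoor's code: a minimal stand-in for Django's helper, a constructed `sync` table with two spaces, and the lookup with and without the space filter.

```python
import sqlite3


class NotFound(Exception):
    """Stand-in for Django's Http404."""


def make_db() -> sqlite3.Connection:
    """Constructed data: two synced folders, each owned by a different space."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sync (id INTEGER PRIMARY KEY, "
                 "space_id INTEGER NOT NULL, path TEXT NOT NULL)")
    conn.executemany("INSERT INTO sync VALUES (?, ?, ?)",
                     [(1, 100, "/dropbox/alice-recipes"),
                      (2, 200, "/dropbox/bob-recipes")])
    conn.commit()
    return conn


def get_object_or_404(conn, table: str, **filters):
    """Minimal analogue of django.shortcuts.get_object_or_404: every keyword
    becomes an equality filter with a bound parameter. Column names come from
    the calling code, never from the request."""
    where = " AND ".join(f"{column} = ?" for column in filters)
    row = conn.execute(f"SELECT id, space_id, path FROM {table} WHERE {where}",
                       tuple(filters.values())).fetchone()
    if row is None:
        raise NotFound(f"{table} matching {filters} not found")
    return {"id": row[0], "space_id": row[1], "path": row[2]}


def query_synced_folder_vulnerable(conn, request_space: int, pk: int):
    """Missing space scoping: any authenticated user can read any space's record by id."""
    return get_object_or_404(conn, "sync", id=pk)


def query_synced_folder_fixed(conn, request_space: int, pk: int):
    """Scoped lookup: a record outside the caller's space is simply not found."""
    return get_object_or_404(conn, "sync", id=pk, space_id=request_space)


if __name__ == "__main__":
    db = make_db()
    print("space 100 reading id 2, unscoped:", query_synced_folder_vulnerable(db, 100, 2))
    try:
        query_synced_folder_fixed(db, 100, 2)
    except NotFound as err:
        print("space 100 reading id 2, scoped:", err)
```

Answering 404 rather than 403 for out-of-space ids is deliberate: it avoids confirming that the id exists in another tenant. The same scoping belongs on every query in a multi-tenant view set, which is easier to guarantee with a base queryset already filtered by `request.space` than with per-call keyword arguments.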
NIXPKGS-2026-0795
published 2 months, 4 weeks ago
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • prometheus-squid-exporter
    • python312Packages.flyingsquid
    • python313Packages.flyingsquid
    • python314Packages.flyingsquid
    • pkgsRocm.python3Packages.flyingsquid
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Squid has issues in ICP message handling


squid
  • < 7.5
Upstream advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-84p4-hcx7-jj7c
Upstream patch: https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
NIXPKGS-2026-0815
published 2 months, 4 weeks ago
CVE-2026-4833
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Orc discount Markdown markdown.c compile recursion


discount
  • = 3.0.1.2
  • = 3.0.1.1
  • = 3.0.1.0
Upstream issue: https://github.com/Orc/discount/issues/305
NIXPKGS-2026-0813
published 2 months, 4 weeks ago
CVE-2026-33505
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Ory Keto has a SQL injection via forged pagination tokens


keto
  • < 26.2.0
Upstream advisory: https://github.com/ory/keto/security/advisories/GHSA-c38g-mx2c-9wf2
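The title says the injection point is a pagination token: a value the server hands out to the client and later trusts when building the next-page query. Neither Keto's token format nor its fix is described on this page, so the Python below (chosen for consistency with the other examples here; Keto itself is Go) is an added, generic illustration, not Keto's code. It pairs an unauthenticated base64 token whose contents are pasted into SQL with a hardened variant that binds the parameter, checks the decoded type, and authenticates the token with an HMAC. The tables, rows and key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import Optional

# Constructed key for the example; a real service loads it from its secret store.
TOKEN_KEY = b"constructed-example-key-not-for-production"
MAC_LEN = hashlib.sha256().digest_size


def make_db() -> sqlite3.Connection:
    """Constructed data: a table to paginate plus an unrelated table an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tuples (id INTEGER PRIMARY KEY, relation TEXT)")
    conn.executemany("INSERT INTO tuples VALUES (?, ?)", [(i, f"rel-{i}") for i in range(1, 6)])
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, secret TEXT)")
    conn.execute("INSERT INTO api_keys VALUES (1, 'sk-constructed-secret')")
    conn.commit()
    return conn


# --- vulnerable: opaque-looking but unauthenticated token, value interpolated into SQL ---
def encode_token_vulnerable(last_id) -> str:
    return base64.urlsafe_b64encode(json.dumps({"after": last_id}).encode()).decode()


def page_vulnerable(conn, token: Optional[str], limit: int = 2):
    after = json.loads(base64.urlsafe_b64decode(token))["after"] if token else 0
    sql = f"SELECT id, relation FROM tuples WHERE id > {after} ORDER BY id LIMIT {limit}"
    return conn.execute(sql).fetchall()


# --- hardened: HMAC-authenticated token, strict type check, bound parameters ---
def encode_token(last_id: int) -> str:
    payload = json.dumps({"after": int(last_id)}, separators=(",", ":")).encode()
    mac = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def decode_token(token: str) -> int:
    raw = base64.urlsafe_b64decode(token)
    if len(raw) <= MAC_LEN:
        raise ValueError("invalid pagination token")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("invalid pagination token")
    after = json.loads(payload).get("after")
    if type(after) is not int or after < 0:  # rejects str, bool, float, None
        raise ValueError("invalid pagination token")
    return after


def page(conn, token: Optional[str], limit: int = 2):
    """Returns (rows, next_token); next_token is None on the last page."""
    after = decode_token(token) if token else 0
    rows = conn.execute("SELECT id, relation FROM tuples WHERE id > ? ORDER BY id LIMIT ?",
                        (after, limit)).fetchall()
    next_token = encode_token(rows[-1][0]) if len(rows) == limit else None
    return rows, next_token


if __name__ == "__main__":
    db = make_db()
    forged = encode_token_vulnerable("0 UNION SELECT id, secret FROM api_keys --")
    print("vulnerable:", page_vulnerable(db, forged))
    try:
        page(db, forged)
    except ValueError as err:
        print("hardened:", err)
```

Parameter binding is the fix; the HMAC is defence in depth that also stops clients from jumping to arbitrary cursors. Even with a signed token, keep the type check: a signed token is still attacker-readable and, if the key ever leaks, attacker-writable.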
NIXPKGS-2026-0811
published 2 months, 4 weeks ago
CVE-2026-33152
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication


recipes
  • < 2.6.0
Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522
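The title says Tandoor's `BasicAuthentication` path accepted unlimited password attempts. The Python below is an added example, not Tandoor's code, of the unthrottled pattern beside a sliding-window throttle keyed on client address and account. The user store, the hashing (SHA-256 stands in for a slow password hash such as argon2id) and `ManualClock` are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed user store; a real deployment stores argon2id/bcrypt hashes.
USERS = {"alice": hashlib.sha256(b"correct-horse-battery").hexdigest()}


def parse_basic(header: str):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user, "0" * 64)  # compare even for unknown users: no timing oracle
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


class LoginThrottle:
    """Sliding-window failure counter keyed by (client address, account)."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)

    def _prune(self, key):
        now = self.clock()
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def blocked(self, key) -> bool:
        return len(self._prune(key)) >= self.max_failures

    def record_failure(self, key):
        self._prune(key).append(self.clock())

    def reset(self, key):
        self.failures.pop(key, None)


def authenticate_unthrottled(header: str):
    """Vulnerable pattern: every request re-checks the password with no attempt limit."""
    creds = parse_basic(header)
    if creds and check_password(*creds):
        return "ok", creds[0]
    return "denied", None


def authenticate_throttled(header: str, client_ip: str, throttle: LoginThrottle):
    """Hardened: stop evaluating passwords once the window's failure budget is spent."""
    creds = parse_basic(header)
    if not creds:
        return "denied", None
    user, password = creds
    key = (client_ip, user)
    if throttle.blocked(key):
        return "throttled", None  # 429 with Retry-After; do not reveal whether creds were right
    if check_password(user, password):
        throttle.reset(key)
        return "ok", user
    throttle.record_failure(key)
    return "denied", None


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class ManualClock:
    """Constructed clock so the window can be advanced deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t
```

Keying on (address, account) rather than account alone keeps a remote attacker from locking real users out, at the cost of needing a per-address budget as well for distributed guessing. Because Basic auth carries the password on every request, the throttle has to wrap every endpoint that accepts it, not just a login form.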
NIXPKGS-2026-0809
published 2 months, 4 weeks ago
CVE-2026-30892
0.0 NONE
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • nym
    • crunch
    • y-cruncher
    • speedcrunch
    • ocaml-crunch
    • ocamlPackages.crunch
    • ocamlPackages_latest.crunch
    • vscode-extensions.42crunch.vscode-openapi
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation


crun
  • >= 1.19, < 1.27
Upstream advisory: https://github.com/containers/crun/security/advisories/GHSA-4vg2-xjqj-7chj
Upstream patch: https://github.com/containers/crun/commit/1bd7f42446999b0e76bc3d575392e05c943b0b01
NIXPKGS-2026-0807
published 2 months, 4 weeks ago
CVE-2026-4887
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    29 packages
    • zigimports
    • gimpPlugins.bimp
    • gimpPlugins.gimp
    • gimpPlugins.gmic
    • gimp-with-plugins
    • gimp2Plugins.bimp
    • gimp2Plugins.gimp
    • gimp2Plugins.gmic
    • gimp3Plugins.gimp
    • gimp3Plugins.gmic
    • gimp2-with-plugins
    • gimp3-with-plugins
    • gimpPlugins.fourier
    • gimp2Plugins.fourier
    • gimpPlugins.farbfeld
    • gimp2Plugins.farbfeld
    • gimpPlugins.lightning
    • gimpPlugins.lqrPlugin
    • gimpPlugins.texturize
    • gimp2Plugins.lightning
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.texturize
    • gimp3Plugins.lightning
    • gimpPlugins.gimplensfun
    • gimp2Plugins.gimplensfun
    • gimpPlugins.resynthesizer
    • gimp3
    • gimpPlugins.waveletSharpen
    • gimp2Plugins.waveletSharpen
  • @LeSuisse restored package gimp3
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gimp: memory disclosure and denial of service via specially crafted PCX image


gimp
gimp:2.8/gimp
Upstream advisory: https://gitlab.gnome.org/GNOME/gimp/-/issues/15960