NIXPKGS-2026-0804

GitHub issue published 2 months, 4 weeks ago

Permalink CVE-2026-33149

8.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 4 weeks ago
@LeSuisse ignored package gnome-recipes 2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

Tandoor Recipes Vulnerable to Host Header Injection

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-x636-4jx6-xc4w x_refsource_CONFIRM

recipes

==<= 2.5.3

Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-x636-4jx6-xc4w

NIXPKGS-2026-0766

GitHub issue published 3 months ago

          Permalink
          
            CVE-2026-29785
          
        7.5 HIGH
      
        CVSS version (CVSS): 3.1
      
          Attack Vector (AV): Network (N)
        
          Attack Complexity (AC): Low (L)
        
          Privileges Required (PR): None (N)
        
          User Interaction (UI): None (N)
        
          Scope (S): Unchanged (U)
        
          Confidentiality (C): None (N)
        
          Integrity (I): None (N)
        
          Availability (A): High (H)
        
          Modified Attack Vector (MAV): Network (N)
        
          Modified Attack Complexity (MAC): Low (L)
        
          Modified Privileges Required (MPR): None (N)
        
          Modified User Interaction (MUI): None (N)
        
          Modified Confidentiality (MC): None (N)
        
          Modified Scope (MS): Unchanged (U)
        
          Modified Integrity (MI): None (N)
        
          Modified Availability (MA): High (H)
        
              updated
            
          2 months, 4 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 months ago
          
          @LeSuisse
          
              accepted
            
          2 months, 4 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 4 weeks ago
          
            NATS Server panic via malicious compression on leafnode port
          
      https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6
    
    x_refsource_CONFIRM
  
      https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8
    
    x_refsource_MISC
  
      https://advisories.nats.io/CVE/secnote-2026-04.txt
    
    x_refsource_MISC
  
    nats-server

            ==>= 2.12.0-RC.1, < 2.12.5
          
            ==< 2.11.14
          
          Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6

NIXPKGS-2026-0767

GitHub issue published 3 months ago

Permalink CVE-2026-33247

7.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

NATS credentials are exposed in monitoring port via command-line argv

https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv x_refsource_CONFIRM
https://advisories.nats.io/CVE/secnote-2026-14.txt x_refsource_MISC

nats-server

==< 2.11.15
==>= 2.12.0-RC.1, < 2.12.6

Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv

NIXPKGS-2026-0771

GitHub issue published 3 months ago

Permalink CVE-2026-33217

7.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

NATS allows MQTT clients to bypass ACL checks

https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5 x_refsource_CONFIRM
https://advisories.nats.io/CVE/secnote-2026-07.txt x_refsource_MISC

nats-server

==< 2.11.15
==>= 2.12.0-RC.1, < 2.12.6

Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5

NIXPKGS-2026-0775

GitHub issue published 3 months ago

Permalink CVE-2026-33509

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 months, 4 weeks ago by @mweinelt Activity log

Created suggestion 3 months ago
@mweinelt ignored
5 packages
- python312Packages.pyloadapi
- python313Packages.pyloadapi
- python314Packages.pyloadapi
- home-assistant-component-tests.pyload
- tests.home-assistant-component-tests.pyload
2 months, 4 weeks ago
@mweinelt accepted 2 months, 4 weeks ago
@mweinelt published on GitHub 2 months, 4 weeks ago

pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration

https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx x_refsource_CONFIRM

pyload

==>= 0.4.0, < 0.5.0b3.dev97

Upstream advisory: https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx

NIXPKGS-2026-0774

GitHub issue published 3 months ago

Permalink CVE-2026-33314

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

updated 2 months, 4 weeks ago by @mweinelt Activity log

Created suggestion 3 months ago
@mweinelt ignored
5 packages
- python312Packages.pyloadapi
- python313Packages.pyloadapi
- python314Packages.pyloadapi
- home-assistant-component-tests.pyload
- tests.home-assistant-component-tests.pyload
2 months, 4 weeks ago
@mweinelt accepted 2 months, 4 weeks ago
@mweinelt published on GitHub 2 months, 4 weeks ago

pyload-ng: Improper Authentication and Origin Validation Error

https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r x_refsource_CONFIRM

pyload

==< 0.5.0b3.dev97

Upstream advisory: https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r

NIXPKGS-2026-0770

GitHub issue published 3 months ago

Permalink CVE-2026-33248

4.2 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc x_refsource_CONFIRM
https://advisories.nats.io/CVE/secnote-2026-13.txt x_refsource_MISC

nats-server

==< 2.11.15
==>= 2.12.0-RC.1, < 2.12.6

Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc

NIXPKGS-2026-0756

GitHub issue published 3 months ago

Permalink CVE-2026-33665

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover

https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc x_refsource_CONFIRM

n8n

==< 1.121.0
==>= 2.0.0-rc.0, < 2.4.0

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc

NIXPKGS-2026-0755

GitHub issue published 3 months ago

          Permalink
          
            CVE-2026-30976
          
        8.6 HIGH
      
        CVSS version (CVSS): 3.1
      
          Attack Vector (AV): Network (N)
        
          Attack Complexity (AC): Low (L)
        
          Privileges Required (PR): None (N)
        
          User Interaction (UI): None (N)
        
          Scope (S): Changed (C)
        
          Confidentiality (C): High (H)
        
          Integrity (I): None (N)
        
          Availability (A): None (N)
        
          Modified Attack Vector (MAV): Network (N)
        
          Modified Attack Complexity (MAC): Low (L)
        
          Modified Privileges Required (MPR): None (N)
        
          Modified User Interaction (MUI): None (N)
        
          Modified Confidentiality (MC): High (H)
        
          Modified Scope (MS): Changed (C)
        
          Modified Integrity (MI): None (N)
        
          Modified Availability (MA): None (N)
        
              updated
            
          2 months, 4 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 months ago
          
          @LeSuisse
          
              ignored
            
                2 packages
                home-assistant-component-tests.sonarr
tests.home-assistant-component-tests.sonarr

          2 months, 4 weeks ago
          
          @LeSuisse
          
              accepted
            
          2 months, 4 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 4 weeks ago
          
            Sonarr Path Traversal vulnerability
          
      https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f
    
    x_refsource_CONFIRM
  
      https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950
    
    x_refsource_MISC
  
      https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952
    
    x_refsource_MISC
  
    Sonarr

            ==>= 4.0, < 4.0.17.2950
          
          Upstream advisory: https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f

NIXPKGS-2026-0753

GitHub issue published 3 months ago

Permalink CVE-2026-33713

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression

https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3 x_refsource_CONFIRM

n8n

==>= 2.0.0-rc.0, < 2.13.3
=== 2.14.0
==< 1.123.26

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3

Nixpkgs security tracker

Published issues

Tandoor Recipes Vulnerable to Host Header Injection

NATS Server panic via malicious compression on leafnode port

NATS credentials are exposed in monitoring port via command-line argv

NATS allows MQTT clients to bypass ACL checks

pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration

pyload-ng: Improper Authentication and Origin Validation Error

NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover

Sonarr Path Traversal vulnerability

n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression