Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0764
published 3 months ago
CVE-2026-33219
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS is vulnerable to pre-auth DoS through WebSockets client service

nats-server
  • < 2.11.15
  • >= 2.12.0-RC.1, < 2.12.6
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j
NIXPKGS-2026-0763
published 3 months ago
CVE-2026-33223
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

nats-server
  • < 2.11.15
  • >= 2.12.0-RC.1, < 2.12.6
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h
NIXPKGS-2026-0762
published 3 months ago
CVE-2026-33249
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS: Message tracing can be redirected to arbitrary subject

nats-server
  • >= 2.12.0-preview.1, < 2.12.6
  • >= 2.11.0, < 2.11.15
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j
NIXPKGS-2026-0761
published 3 months ago
CVE-2026-27889
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead

nats-server
  • >= 2.12.0, < 2.12.5
  • >= 2.2.0, < 2.11.14
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6
NIXPKGS-2026-0760
published 3 months ago
CVE-2026-33246
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers

nats-server
  • < 2.11.15
  • >= 2.12.0-RC.1, < 2.12.6
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj
NIXPKGS-2026-0759
published 3 months ago
CVE-2026-33218
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS has pre-auth server panic via leafnode handling

nats-server
  • < 2.11.15
  • >= 2.12.0-RC.1, < 2.12.6
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
NIXPKGS-2026-0758
published 3 months ago
CVE-2026-33215
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS is vulnerable to MQTT hijacking via Client ID

nats-server
  • < 2.11.15
  • >= 2.12.0-RC.1, < 2.12.6
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
NIXPKGS-2026-0757
published 3 months ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

n8n
  • >= 2.0.0-rc.0, < 2.13.3
  • < 1.123.27
  • = 2.14.0
Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77
NIXPKGS-2026-0754
published 3 months ago
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n Has External Secrets Authorization Bypass in Credential Saving

n8n
  • >= 2.0.0-rc.0, < 2.6.4
  • < 1.123.23
Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p
NIXPKGS-2026-0765
published 3 months ago
CVE-2026-33222
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 4 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NATS JetStream has an authorization bypass through its Management API

nats-server
  • < 2.11.15
  • >= 2.12.0-RC.1, < 2.12.6
Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c