Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0742
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Storage has possible content type bypass via metadata in direct uploads


activestorage
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
NIXPKGS-2026-0744
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • rubyPackages.yard-activesupport-concern
    • rubyPackages_3_3.yard-activesupport-concern
    • rubyPackages_3_4.yard-activesupport-concern
    • rubyPackages_4_0.yard-activesupport-concern
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%


activesupport
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
NIXPKGS-2026-0746
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • rubyPackages.yard-activesupport-concern
    • rubyPackages_3_3.yard-activesupport-concern
    • rubyPackages_3_4.yard-activesupport-concern
    • rubyPackages_4_0.yard-activesupport-concern
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Support has a possible DoS vulnerability in its number helpers


activesupport
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
NIXPKGS-2026-0740
published 3 months ago
CVE-2026-1940
5.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gstreamermm
    • gst_all_1.gst-vaapi
    • ocamlPackages_latest.gstreamer
    • ocamlPackages.gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • obs-studio-plugins.obs-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer: incomplete fix of CVE-2026-1940


gstreamer
gstreamer1
mingw-gstreamer1
Advisory: https://gstreamer.freedesktop.org/security/sa-2026-0001.html
NIXPKGS-2026-0741
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Storage has possible Path Traversal in DiskService


activestorage
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
NIXPKGS-2026-0743
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails has a possible XSS vulnerability in its Action View tag helpers


actionview
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
NIXPKGS-2026-0745
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests


activestorage
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
NIXPKGS-2026-0738
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • rubyPackages.yard-activesupport-concern
    • rubyPackages_3_3.yard-activesupport-concern
    • rubyPackages_3_4.yard-activesupport-concern
    • rubyPackages_4_0.yard-activesupport-concern
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited


activesupport
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
NIXPKGS-2026-0739
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rails Active Storage has possible glob injection in its DiskService


activestorage
  • >= 8.1.0.beta1, < 8.1.2.1
  • >= 8.0.0.beta1, < 8.0.4.1
  • < 7.2.3.1
Upstream advisory: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
NIXPKGS-2026-0695
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure


siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xp2m-98x8-rpj6
Upstream patch: https://github.com/siyuan-note/siyuan/commit/1e370e37359778c0932673e825182ff555b504a3