Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0691
published 3 months ago
CVE-2026-4115
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

PuTTY Ed25519 Signature ecc-ssh.c eddsa_verify signature verification

PuTTY
  • = 0.83
Upstream patch: https://git.tartarus.org/?p=simon%2Fputty.git%3Ba%3Dcommitdiff%3Bh%3Daf996b5ec27ab79bae3882071b9d6acf16044549
Exploit: https://github.com/py-thok/putty-ed25519-malleability-s-plus-l
NIXPKGS-2026-0687
published 3 months ago
CVE-2026-33130
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.uptime-kuma-api
    • python313Packages.uptime-kuma-api
    • python314Packages.uptime-kuma-api
    • gnomeExtensions.uptime-kuma-indicator
    • python312Packages.uptime-kuma-monitor
    • python313Packages.uptime-kuma-monitor
    • python314Packages.uptime-kuma-monitor
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix for GHSA-vffh-c9pq-4crh)

uptime-kuma
  • >= 1.23.0, < 2.2.1
Upstream advisory: https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j
NIXPKGS-2026-0683
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf
NIXPKGS-2026-0732
published 3 months ago
CVE-2026-32940
9.3 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4mx9-3c2h-hwhg
Upstream patch: https://github.com/siyuan-note/siyuan/commit/d01d561875d4f744e9f6232f1d4831e3642b8696
NIXPKGS-2026-0736
published 3 months ago
CVE-2026-33426
3.5 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse users can edit or synonymize hidden tags they can't see

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • = 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-2289-4m46-2hxh
NIXPKGS-2026-0734
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Kargo: SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration

kargo
  • >= 1.4.0, < 1.6.4
  • >= 1.9.0-rc.1, < 1.9.5
  • >= 1.8.0-rc.1, < 1.8.12
  • >= 1.7.0-rc.1, < 1.7.9
Upstream advisory: https://github.com/akuity/kargo/security/advisories/GHSA-j94x-8wcp-x7hm
Upstream patch: https://github.com/akuity/kargo/commit/fd25620c2473ed19bec4be4d0f181287ef0f0391
NIXPKGS-2026-0728
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package cryptomator-cli
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Cryptomator: Hub unlocking accepts plaintext HTTP and unvalidated endpoint schemes

cryptomator
  • < 1.19.1
Upstream advisory: https://github.com/cryptomator/cryptomator/security/advisories/GHSA-vv33-h7qx-c264
NIXPKGS-2026-0724
published 3 months ago
CVE-2026-32938
9.9 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan has an Arbitrary File Read in its Desktop Publish Service

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fq2j-j8hc-8vw8
Upstream patch: https://github.com/siyuan-note/siyuan/commit/294b8b429dea152cd1df522cddf406054c1619ad
NIXPKGS-2026-0720
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • = 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-5f9h-vp7v-7vq5
NIXPKGS-2026-0716
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership

discourse
  • >= 2026.2.0-latest, < 2026.2.1
  • = 2026.3.0-latest
  • >= 2026.1.0-latest, < 2026.1.2
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp