Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0712
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package traefik-certs-dumper
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration


traefik
  • ==< 2.11.41
  • ==>= 3.7.0-ea.1, < 3.7.0-ea.2
  • ==>= 3.0.0-beta1, < 3.6.11
Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr
NIXPKGS-2026-0708
published 3 months ago
CVE-2026-33231
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NLTK has unauthenticated remote shutdown in nltk.app.wordnet_app


nltk
  • ==<= 3.9.3
Upstream advisory: https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g
Upstream patch: https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b
NIXPKGS-2026-0704
published 3 months ago
CVE-2026-32303
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package cryptomator-cli
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Cryptomator: Tampered vault configuration allows MITM attack on Hub API


cryptomator
  • ==< 1.19.1
Upstream advisory: https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43
Upstream patch: https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625
NIXPKGS-2026-0700
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Improper key_share validation in TLS 1.3 HelloRetryRequest


wolfSSL
  • <5.9.0
Upstream patch: https://github.com/wolfSSL/wolfssl/commit/f810dc2a017b0e95f755740cb37c8884345c4de7
NIXPKGS-2026-0696
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Heap-based buffer overflow in wc_ecc_import_x963_ex KCAPI path


wolfssl
  • =<5.8.4
Upstream patch: https://github.com/wolfSSL/wolfssl/commit/ddc177b669cff9d3c7e1b51751f9df73062b872a
NIXPKGS-2026-0692
published 3 months ago
CVE-2026-33550
2.0 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SOGo before 5.12.5 does not renew the OTP if a …


SOGo
  • <5.12.5
Upstream patch: https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2
NIXPKGS-2026-0688
published 3 months ago
CVE-2026-33236
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite


nltk
  • ==<= 3.9.3
Upstream advisory: https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7
Upstream patch: https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a
NIXPKGS-2026-0684
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NULL Pointer Dereference in libde265


libde265
  • ==< 1.0.17
Upstream advisory: https://github.com/strukturag/libde265/security/advisories/GHSA-wqrf-6rf5-v78r
NIXPKGS-2026-0685
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Halloy has insecure file permissions on credential files


halloy
  • ==<= 2026.4
Upstream advisory: https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g
Upstream patch: https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cb
NIXPKGS-2026-0689
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    26 packages
    • tests.hardeningFlags.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • iconv
    • getent
    • locale
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibc_multi
    • glibcLocales
    • glibc_memusage
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames


glibc
  • =<2.43
Proposed patch: https://inbox.sourceware.org/libc-alpha/20260320194250.1089143-1-carlos@redhat.com/
Proposed advisory: https://inbox.sourceware.org/libc-alpha/20260320194804.1089897-2-carlos@redhat.com/