Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0693
published 3 months ago
CVE-2026-4539
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    24 packages
    • python312Packages.fluent-pygments
    • python313Packages.fluent-pygments
    • python314Packages.fluent-pygments
    • python312Packages.xstatic-pygments
    • python313Packages.xstatic-pygments
    • python314Packages.xstatic-pygments
    • python312Packages.accessible-pygments
    • python312Packages.jupyterlab-pygments
    • python313Packages.accessible-pygments
    • python313Packages.jupyterlab-pygments
    • python314Packages.accessible-pygments
    • python314Packages.jupyterlab-pygments
    • python312Packages.pygments-better-html
    • python313Packages.pygments-better-html
    • python314Packages.pygments-better-html
    • python312Packages.pygments-style-github
    • python313Packages.pygments-style-github
    • python314Packages.pygments-style-github
    • python312Packages.ipython-pygments-lexers
    • python312Packages.pygments-markdown-lexer
    • python313Packages.ipython-pygments-lexers
    • python313Packages.pygments-markdown-lexer
    • python314Packages.ipython-pygments-lexers
    • python314Packages.pygments-markdown-lexer
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

pygments archetype.py AdlLexer redos

pygments
  • ==2.19.2
  • ==2.19.0
  • ==2.19.1
Upstream advisory: https://github.com/advisories/GHSA-5239-wwwm-4pmq
NIXPKGS-2026-0697
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Fault injection attack with ML-DSA and ML-KEM on ARM

wolfssl
  • <5.9.0
Upstream patch: https://github.com/wolfSSL/wolfssl/commit/65a1a6887747949ed148d8be3350b86ecff24fbc
NIXPKGS-2026-0701
published 3 months ago
CVE-2026-32747
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan: Incomplete sensitive path blocklist in globalCopyFiles allows reading /proc and Docker secrets

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-h5vh-m7fg-w5h6
Upstream patch: https://github.com/siyuan-note/siyuan/commit/9914fd1d39e5f0a8dcc9fb587e1c0b46f31490a1
NIXPKGS-2026-0705
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse staff can modify any user's group notification level

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • == 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-qggq-wr6h-vhrg
NIXPKGS-2026-0709
published 3 months ago
CVE-2026-32711
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

pydicom: Path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root

pydicom
  • >= 2.0.0-rc.1, < 3.0.2
Upstream advisory: https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28
Upstream patch: https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82
NIXPKGS-2026-0713
published 3 months ago
CVE-2026-33411
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse's solved topic stream has potential stored XSS in topic title

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • == 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2
NIXPKGS-2026-0717
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Halloy has a file transfer path traversal vulnerability

halloy
  • <= 2026.4
Upstream advisory: https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89
Upstream patch: https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6
NIXPKGS-2026-0721
published 3 months ago
CVE-2026-32767
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7
Upstream patch: https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5
NIXPKGS-2026-0725
published 3 months ago
CVE-2026-32310
4.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package cryptomator-cli
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Cryptomator: Unverified masterkeyfile key IDs can access arbitrary local or UNC paths

cryptomator
  • >= 1.6.0, <= 1.19.0
Upstream advisory: https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hr52
Upstream patch: https://github.com/cryptomator/cryptomator/commit/1e3dfe3de1623b1b85d24db91e49d31d1ea11f40
NIXPKGS-2026-0729
published 3 months ago
CVE-2026-4541
2.5 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification

tinyssh
  • ==20260301
  • ==20250501
Issue: https://github.com/janmojzis/tinyssh/issues/101#issue-3983586116
Patch: https://github.com/janmojzis/tinyssh/commit/9c87269607e0d7d20174df742accc49c042cff17