Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0730
published 3 months ago
CVE-2026-33179
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package haskellPackages.libfuse3
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization

libfuse
  • >= 3.18.0, < 3.18.2
Upstream advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
Upstream patch: https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7
NIXPKGS-2026-0726
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse Authorization Page Displays Unvalidated Redirect Domain

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • = 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-9vhg-2mx3-mqfr
NIXPKGS-2026-0722
published 3 months ago
CVE-2026-33251
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse has a Hidden Solved topics permission bypass

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • = 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-vm2x-9h8x-7jxm
NIXPKGS-2026-0718
published 3 months ago
CVE-2026-31805
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse has a poll authorization bypass via post_id array parameter

discourse
  • = 2026.3.0-latest.1
  • >= 2026.1.0-latest, < 2026.1.2
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823
NIXPKGS-2026-0714
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v
Upstream patch: https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428
NIXPKGS-2026-0710
published 3 months ago
CVE-2026-33194
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home

siyuan
  • < 3.6.2
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vm69-h85x-8p85
NIXPKGS-2026-0706
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse's unscoped status lookups leak restricted metadata

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • = 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-3cvr-pm4c-hx96
NIXPKGS-2026-0702
published 3 months ago
CVE-2026-3547
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

wolfSSL: out-of-bounds read (DoS) in ALPN parsing due to incomplete validation

wolfSSL
  • < 5.9.0
Upstream patch: https://github.com/wolfSSL/wolfssl/commit/9d3cc6e30c778b124002cc45b7974d718b6649fd
NIXPKGS-2026-0698
published 3 months ago
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3
Upstream patch: https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0
NIXPKGS-2026-0694
published 3 months ago
CVE-2026-33150
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package haskellPackages.libfuse3
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Use After Free in libfuse

libfuse
  • >= 3.18.0, < 3.18.2
Upstream advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx
Upstream patch: https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836