Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1800
published 1 week, 6 days ago
Permalink CVE-2026-41565
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers

CryptX
  • <0.088_001
NIXPKGS-2026-1799
published 1 week, 6 days ago
Permalink CVE-2026-48526
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed

pyjwt
  • ==< 2.13.0
NIXPKGS-2026-1798
published 1 week, 6 days ago
Permalink CVE-2026-46561
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse ignored
    4 packages
    • home-assistant-component-tests.pyload
    • python314Packages.pyloadapi
    • python312Packages.pyloadapi
    • python313Packages.pyloadapi
    2 weeks, 1 day ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

pyLoad: SSRF via HTTP Redirect Bypass in parse_urls API

pyload
  • ==< 0.5.0b3.dev100
NIXPKGS-2026-1797
published 1 week, 6 days ago
Permalink CVE-2026-48522
4.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes

pyjwt
  • ==< 2.13.0
NIXPKGS-2026-1796
published 1 week, 6 days ago
Permalink CVE-2026-45348
8.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.pyloadapi
    • python313Packages.pyloadapi
    • python314Packages.pyloadapi
    • home-assistant-component-tests.pyload
    2 weeks, 1 day ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal

pyload
  • ==< 0.5.0b3.dev100
NIXPKGS-2026-1795
published 1 week, 6 days ago
Permalink CVE-2026-48524
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

pyjwt
  • ==< 2.13.0
NIXPKGS-2026-1794
published 1 week, 6 days ago
Permalink CVE-2026-44604
7.0 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse ignored
    21 packages
    • makerpm
    • rpm2targz
    • rpm-ostree
    • rpmextract
    • rpm-sequoia
    • perlPackages.RPM2
    • perl5Packages.RPM2
    • perl538Packages.RPM2
    • perl540Packages.RPM2
    • python312Packages.rpm
    • python313Packages.rpm
    • python314Packages.rpm
    • haskellPackages.rpm-nvr
    • haskellPackages.cabal-rpm
    • python312Packages.rpmfile
    • python313Packages.rpmfile
    • python314Packages.rpmfile
    • python312Packages.rpmfluff
    • haskellPackages.select-rpms
    • python314Packages.rpmfluff
    • python313Packages.rpmfluff
    2 weeks, 1 day ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command

rpm
rhcos
rust-bootupd
satellite/iop-puptoo-rhel9
satellite/iop-yuptoo-rhel9
pen-drive/pen-drive-scanner-rhel9
satellite/iop-insights-engine-rhel9
NIXPKGS-2026-1793
published 1 week, 6 days ago
Permalink CVE-2026-48155
4.8 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse ignored
    10 packages
    • capypdf
    • python312Packages.pypdf2
    • python312Packages.pypdf3
    • python313Packages.pypdf2
    • python313Packages.pypdf3
    • python314Packages.pypdf2
    • python314Packages.pypdf3
    • python312Packages.pypdfium2
    • python313Packages.pypdfium2
    • python314Packages.pypdfium2
    2 weeks, 1 day ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

pypdf: Possible large memory usage for large offsets for layout mode text

pypdf
  • ==< 6.12.0
NIXPKGS-2026-1792
published 1 week, 6 days ago
Permalink CVE-2026-41184
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Low (L)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse ignored
    10 packages
    • calico-app-policy
    • calicoctl
    • cni-plugins
    • dnsname-cni
    • calico-typha
    • confd-calico
    • calico-apiserver
    • calico-pod2daemon
    • cni-plugin-flannel
    • calico-kube-controllers
    2 weeks, 1 day ago
  • @LeSuisse ignored reference https://w… 2 weeks, 1 day ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

ServiceAccount token disclosure via install-cni container logs

cni-plugin
  • <3.31.6
  • ==3.32.0
NIXPKGS-2026-1791
published 1 week, 6 days ago
Permalink CVE-2026-48156
5.1 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse ignored
    10 packages
    • capypdf
    • python312Packages.pypdf2
    • python312Packages.pypdf3
    • python313Packages.pypdf2
    • python313Packages.pypdf3
    • python314Packages.pypdf2
    • python314Packages.pypdf3
    • python312Packages.pypdfium2
    • python313Packages.pypdfium2
    • python314Packages.pypdfium2
    2 weeks, 1 day ago
  • @LeSuisse accepted 2 weeks, 1 day ago
  • @LeSuisse published on GitHub 1 week, 6 days ago

pypdf: Possible long runtimes for zero-only width values in cross-reference streams

pypdf
  • ==< 6.12.0