Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0733: SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
published 3 months ago
CVE-2026-33203
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: siyuan
  • < 3.6.2
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v
NIXPKGS-2026-0737: Discourse has Unauthorized Post Data Exposure in discourse-user-notes
published 3 months ago
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored 5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: discourse
  • = 2026.3.0-latest.1
  • >= 2026.1.0-latest, < 2026.1.2
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-5qm9-r98f-g4mq
NIXPKGS-2026-0682: nltk Vulnerable to Cross-site Scripting
published 3 months ago
CVE-2026-33230
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: nltk
  • <= 3.9.3
Upstream advisory: https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7
NIXPKGS-2026-0735: heap out-of-bounds write in libde265 1.0.16
published 3 months ago
CVE-2026-33165
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: libde265
  • < 1.0.17
Upstream advisory: https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg
Upstream patch: https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658
NIXPKGS-2026-0727: DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
published 3 months ago
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: deepdiff
  • >= 5.0.0, < 8.6.2
Upstream advisory: https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q
Upstream patch: https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb
NIXPKGS-2026-0723: ZITADEL is missing enforcement of organization scopes
published 3 months ago
CVE-2026-33132
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored package zitadel-tools
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: zitadel
  • >= 4.0.0-rc.1, < 4.12.3
  • >= 3.0.0-rc.1, < 3.4.9
  • < 1.80.0-v2.20.0.20260317120401-d90285929ca0
Upstream advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-g2pf-ww5m-2r9m
Upstream patch: https://github.com/zitadel/zitadel/commit/d90285929ca019fa817f31551fd0883429dda2a8
NIXPKGS-2026-0719: PM access granted through invites after access revocation
published 3 months ago
CVE-2026-33424
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored 5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • = 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-hgcp-p7hq-cwxw
NIXPKGS-2026-0715: Heimdall: Path received via Envoy gRPC corrupted when containing query string
published 3 months ago
CVE-2026-32811
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored 2 packages
    • heimdall
    • heimdall-gui
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: heimdall
  • >= 0.7.0-alpha, < 0.17.11
Upstream advisory: https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp
NIXPKGS-2026-0711: dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
published 3 months ago
CVE-2026-33154
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: dynaconf
  • < 3.2.13
Upstream advisory: https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
Upstream patch: https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7
NIXPKGS-2026-0707: Frigate has insecure password change functionality
published 3 months ago
updated 3 months ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored package home-assistant-custom-components.frigate
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Affected package: frigate
  • < 0.17.0-beta1
Upstream advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-24p8-r573-vwr2
Upstream patch: https://github.com/blakeblackshear/frigate/commit/152e58520614610988bff3b6ff55d0aefd89c1b2