Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0703
published 3 months ago
CVE-2026-33476
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal

siyuan
  • < 3.6.2
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7
Upstream patch: https://github.com/siyuan-note/siyuan/commit/009bb598b3beccc972aa5f1ed88b3b224326bf2a
NIXPKGS-2026-0699
published 3 months ago
CVE-2026-32749
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SiYuan importSY/importZipMd: Path Traversal via multipart filename enables arbitrary file write

siyuan
  • < 3.6.1
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qvvf-q994-x79v
Upstream patch: https://github.com/siyuan-note/siyuan/commit/5ee00907f0b0c4aca748ce21ef1977bb98178e14
NIXPKGS-2026-0686
published 3 months ago
updated 3 months ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package traefik-certs-dumper
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

traefik
  • < 2.11.41
  • >= 3.7.0-ea.1, < 3.7.0-ea.2
  • >= 3.0.0-beta1, < 3.6.11
Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48
NIXPKGS-2026-0690
published 3 months ago
CVE-2025-71276
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SOGo before 5.12.5 is prone to an XSS vulnerability with …

SOGo
  • < 5.12.5
Upstream patch: https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1
NIXPKGS-2026-0731
published 3 months ago
CVE-2026-30888
2.2 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint

discourse
  • >= 2026.2.0-latest, < 2026.2.1
  • < 2026.3.0-latest.1
  • >= 2026.1.0-latest, < 2026.1.2
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96
NIXPKGS-2026-0677
published 3 months ago
updated 3 months ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt ignored
    6 packages
    • discourseAllPlugins
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @mweinelt published on GitHub

Discourse has Unauthorized Exposure of Private User Action Types

discourse
  • = 2026.3.0-latest.1
  • >= 2026.1.0-latest, < 2026.1.2
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-ww5f-24g5-c33g
NIXPKGS-2026-0680
published 3 months ago
updated 3 months ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt ignored
    6 packages
    • discourseAllPlugins
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @mweinelt published on GitHub

Discourse has inferable private group membership or existence via exclude_groups parameter

discourse
  • >= 2026.2.0-latest, < 2026.2.1
  • = 2026.3.0-latest
  • >= 2026.1.0-latest, < 2026.1.2
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-r6rh-xvf5-r5f2
NIXPKGS-2026-0681
published 3 months ago
updated 3 months ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt ignored
    7 packages
    • claude-code-acp
    • claude-code-bin
    • claude-code-router
    • gnomeExtensions.claude-code-usage
    • gnomeExtensions.claude-code-switcher
    • vscode-extensions.anthropic.claude-code
    • gnomeExtensions.claude-code-usage-indicator
  • @mweinelt published on GitHub

Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File

claude-code
  • < 2.1.53
Vulnerability remains unfixed on NixOS 25.11
NIXPKGS-2026-0679
published 3 months ago
CVE-2026-29794
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt ignored package vikunja-desktop
  • @mweinelt published on GitHub

Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

vikunja
  • >= 0.8, < 2.2.0
Upstream advisory: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx
NIXPKGS-2026-0678
published 3 months ago
CVE-2026-33422
3.5 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt ignored
    6 packages
    • discourseAllPlugins
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @mweinelt published on GitHub

Discourse exposes ip_address of flagged user

discourse
  • >= 2026.1.0-latest, < 2026.1.2
  • = 2026.3.0-latest
  • >= 2026.2.0-latest, < 2026.2.1
Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-x32r-45vg-vm84