Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0668
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2

NIXPKGS-2026-0672
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • python312Packages.llm-tools-simpleeval
    • python313Packages.llm-tools-simpleeval
    • python314Packages.llm-tools-simpleeval
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

(SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox.

simpleeval
  • ==< 1.0.5
Upstream advisory: https://github.com/danthedeckie/simpleeval/security/advisories/GHSA-44vg-5wv2-h2hg

NIXPKGS-2026-0664
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2

NIXPKGS-2026-0660
published 3 months, 1 week ago
CVE-2026-32746
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write …

inetutils
  • =<2.7
Upstream patch: https://codeberg.org/inetutils/inetutils/commit/6864598a29b652a6b69a958f5cd1318aa2b258af

NIXPKGS-2026-0676
published 3 months, 1 week ago
CVE-2026-3979
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.quickjs
    • python313Packages.quickjs
    • python314Packages.quickjs
    • haskellPackages.mquickjs-hs
    • python312Packages.llm-tools-quickjs
    • python313Packages.llm-tools-quickjs
    • python314Packages.llm-tools-quickjs
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free

quickjs
  • ==0.12.1
  • ==0.12.0
Upstream issue: https://github.com/quickjs-ng/quickjs/issues/1368
Upstream patch: https://github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92def4cd

NIXPKGS-2026-0675
published 3 months, 1 week ago
CVE-2026-32230
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.uptime-kuma-api
    • python313Packages.uptime-kuma-api
    • python314Packages.uptime-kuma-api
    • gnomeExtensions.uptime-kuma-indicator
    • python312Packages.uptime-kuma-monitor
    • python313Packages.uptime-kuma-monitor
    • python314Packages.uptime-kuma-monitor
  • @LeSuisse deleted maintainer @JulienMalka
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Uptime Kuma is missing authorization checks on the ping badge endpoint, leaking ping times of monitors without needing to be on a status page

uptime-kuma
  • ==>= 2.0.0, < 2.2.0
Upstream advisory: https://github.com/louislam/uptime-kuma/security/advisories/GHSA-c7hf-c5p5-5g6h
Upstream patch: https://github.com/louislam/uptime-kuma/commit/303a609c05d0b174a5045c90f53c2b557d4febae

NIXPKGS-2026-0671
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package clasp-common-lisp
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Arbitrary File Write via Path Traversal in Google clasp leading to RCE

Clasp
  • ==< 3.2.0
Upstream patch: https://github.com/google/clasp/commit/ba6bd666fe74de54950122b5d92ecf1dcc02a9d3

NIXPKGS-2026-0665
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2

NIXPKGS-2026-0662
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • gst_all_1.gst-vaapi
    • gst_all_1.gstreamermm
    • ocamlPackages.gstreamer
    • ocamlPackages_latest.gstreamer
    • obs-studio-plugins.obs-gstreamer
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
    • tests.pkg-config.defaultPkgConfigPackages."gstreamer-controller-1.0"
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612
OSS Sec announcement: https://www.openwall.com/lists/oss-security/2026/03/16/2

NIXPKGS-2026-0659
published 3 months, 1 week ago
CVE-2026-32772
3.4 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

telnet in GNU inetutils through 2.7 allows servers to read …

inetutils
  • =<2.7
Upstream discussion: https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00038.html
OSS Sec thread: https://www.openwall.com/lists/oss-security/2026/03/13/1