Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0632
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Type Confusion in Lexbor Fragment Parser


lexbor
  • ==< 2.7.0
Upstream advisory: https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8

NIXPKGS-2026-0639
published 3 months, 1 week ago
CVE-2026-29774
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

FreeRDP has a heap-buffer-overflow in avc420_yuv_to_rgb via OOB regionRects


FreeRDP
  • ==< 3.24.0
Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5q35-hv9x-7794
Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/6482b7a92fff3959582cef052d1967ad6bde3738

NIXPKGS-2026-0644
published 3 months, 1 week ago
CVE-2026-31949
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos


LibreChat
  • ==< 0.8.3-rc1
Upstream advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5m32-chq6-232p

NIXPKGS-2026-0651
published 3 months, 1 week ago
CVE-2026-32245
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Tinyauth's OIDC authorization codes are not bound to client on token exchange


tinyauth
  • ==< 5.0.3
Upstream advisory: https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm
Upstream patch: https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89

NIXPKGS-2026-0653
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SFTPGo has a Path Traversal and Permission Bypass via Path Normalization Discrepancy


sftpgo
  • ==< 2.7.1
Upstream advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-x8qh-7475-c5mp

NIXPKGS-2026-0647
published 3 months, 1 week ago
CVE-2026-31944
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

LibreChat MCP OAuth callback does not validate browser session — allows token theft via redirect link


LibreChat
  • ==>= v0.8.2, <= 0.8.2-rc3
Upstream advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vf7j-7mrx-hp7g

NIXPKGS-2026-0642
published 3 months, 1 week ago
CVE-2026-30955
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gokapi vulnerable to DoS in E2E Metadata Parser


Gokapi
  • ==< 2.2.4
Upstream advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj

NIXPKGS-2026-0649
published 3 months, 1 week ago
CVE-2026-3949
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds


libheif
  • ==1.21.0
  • ==1.21.1
  • ==1.21.2
Upstream issue: https://github.com/strukturag/libheif/issues/1712
Upstream patch: https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03

NIXPKGS-2026-0635
published 3 months, 1 week ago
CVE-2026-29775
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

FreeRDP has a heap-buffer-overflow in bitmap_cache_put via OOB cacheId


FreeRDP
  • ==< 3.24.0
Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj
Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f

NIXPKGS-2026-0633
published 3 months, 1 week ago
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Integer Underflow in Lexbor ISO-2022-JP Encoder


lexbor
  • ==< 2.7.0
Upstream advisory: https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3