Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0027
published on
Permalink CVE-2026-23535
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored
    3 packages
    • wlcs
    • wlclock
    • imewlconverter
    3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
wlc Path traversal: Unsanitized API slugs in download command

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

Affected products

wlc
  • ==< 1.17.2

Matching in nixpkgs

pkgs.wlc

Weblate commandline client using Weblate's REST API

Ignored packages (3)

pkgs.wlcs

Wayland Conformance Test Suite

pkgs.wlclock

Digital analog clock for Wayland desktops

Package maintainers

Upstream advisory: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg
Upstream patch: https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f
NIXPKGS-2026-0025
published on
Permalink CVE-2026-23645
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

Affected products

siyuan
  • ==< 3.5.4-dev2

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

Package maintainers

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j
Upstream patch: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388
NIXPKGS-2026-0026
published on
Permalink CVE-2026-0915
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored
    24 packages
    • iconv
    • getent
    • locale
    • libc
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibc_multi
    • glibcLocales
    • glibc_memusage
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resovler

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Ignored packages (24)

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

Package maintainers

Upstream advisory: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0002;hb=HEAD
NIXPKGS-2026-0023
published on
Permalink CVE-2026-22857
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
FreeRDP has a heap-use-after-free in irp_thread_func

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8
NIXPKGS-2026-0022
published on
Permalink CVE-2026-22853
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
FreeRDP has a heap-buffer-overflow in ndr_read_uint8Array

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
NIXPKGS-2026-0021
published on
Permalink CVE-2026-23490
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.pysnmp-pyasn1
    • python313Packages.pysnmp-pyasn1
    • python312Packages.pyasn1-modules
    • python313Packages.pyasn1-modules
    3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
pyasn1 has a DoS vulnerability in decoder

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Affected products

pyasn1
  • ==< 0.6.2

Matching in nixpkgs

Ignored packages (4) 
Upstream advisory: https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq
Upstream fix: https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970
NIXPKGS-2026-0020
published on
Permalink CVE-2026-22852
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
FreeRDP has a heap-buffer-overflow in audin_process_formats

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
NIXPKGS-2026-0016
published on
Permalink CVE-2026-0716
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
Libsoup: out-of-bounds read in libsoup websocket frame processing

A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.

Affected products

libsoup
libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

Ignored packages (1)

Package maintainers

Fix MR: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494
NIXPKGS-2026-0013
published on
Permalink CVE-2026-0861
8.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored
    21 packages
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • getent
    • locale
    • iconv
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibcLocales
    3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
Integer overflow in memalign leads to heap corruption

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc, valloc, pvalloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Ignored packages (21)

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

Package maintainers

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001
NIXPKGS-2026-0014
published on
Permalink CVE-2026-0992
2.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • libxml2Python
    • sbclPackages.cl-libxml2
    • perlPackages.AlienLibxml2
    • python312Packages.libxml2
    • python313Packages.libxml2
    • perl538Packages.AlienLibxml2
    • perl540Packages.AlienLibxml2
    • tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
    3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
Libxml2: libxml2: denial of service via crafted xml catalogs

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

References

Affected products

rhcos
libxml2

Matching in nixpkgs

Ignored packages (8)

Package maintainers

Fix MR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/368