Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0643
published 3 months, 1 week ago
Permalink CVE-2026-30961
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload

Gokapi
  • ==< 2.2.4 
Upstream advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp
NIXPKGS-2026-0640
published 3 months, 1 week ago
Permalink CVE-2026-31885
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

FreeRDP has an out-of-bounds read in ADPCM decoders due to missing predictor/step_index bounds checks

FreeRDP
  • ==< 3.24.0 
Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h23r-3988-3wf3
Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a51f68fb1626429e58b531b7c8
NIXPKGS-2026-0648
published 3 months, 1 week ago
Permalink CVE-2026-29777
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored package traefik-certs-dumper 3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values

traefik
  • ==< 3.6.10 
Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj
NIXPKGS-2026-0655
published 3 months, 1 week ago
Permalink CVE-2026-32446
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability

wpforms-lite
  • =<<= 1.9.9.3
NIXPKGS-2026-0634
published 3 months, 1 week ago
Permalink CVE-2026-31897
0.0 NONE
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

FreeRDP has an out-of-bounds read in `freerdp_bitmap_decompress_planar`

FreeRDP
  • ==< 3.24.0 
Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xgv6-r22m-7c9x
Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/cd27c8faca0eeb0d4309cc5837dfdf3c42eba4e7
NIXPKGS-2026-0631
published 3 months, 1 week ago
Permalink CVE-2026-32302
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

openclaw
  • ==< 2026.3.11 
Upstream advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286
NIXPKGS-2026-0626
published 3 months, 1 week ago
Permalink CVE-2026-32240
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • capnproto-java
    • capnproto-rust
    3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

Cap'n Proto: Integer overflow in KJ-HTTP chunk size

capnproto
  • ==< 1.4.0 
Upstream advisory: https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm
NIXPKGS-2026-0628
published 3 months, 1 week ago
Permalink CVE-2026-32116
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    11 packages
    • wormhole-rs
    • magic-wormhole-rs
    • python312Packages.magic-wormhole
    • python313Packages.magic-wormhole
    • python314Packages.magic-wormhole
    • python312Packages.magic-wormhole-transit-relay
    • python313Packages.magic-wormhole-transit-relay
    • python314Packages.magic-wormhole-transit-relay
    • python312Packages.magic-wormhole-mailbox-server
    • python313Packages.magic-wormhole-mailbox-server
    • python314Packages.magic-wormhole-mailbox-server
    3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite

magic-wormhole
  • ==>= 0.21.0, < 0.23.0 
Upstream advisory: https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r
NIXPKGS-2026-0629
published 3 months, 1 week ago
Permalink CVE-2026-32239
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • capnproto-java
    • capnproto-rust
    3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

Cap'n Proto has an integer overflow in KJ-HTTP

capnproto
  • ==< 1.4.0 
Upstream advisory: https://github.com/capnproto/capnproto/security/advisories/GHSA-qjx3-pp3m-9jpm
NIXPKGS-2026-0630
published 3 months, 1 week ago
Permalink CVE-2026-32260
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    15 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • python314Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    • tests.home-assistant-component-tests.denonavr
    • gnomeExtensions.marantz-and-denon-avr-controller
    3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago

Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)

deno
  • ==>= 2.7.0, < 2.7.2 
Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j