Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0627
Vulnerability in the OpenSSH GSSAPI delta included in various Linux …
published 3 months, 1 week ago, updated 3 months, 1 week ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored 11 packages
    • openssh_hpn
    • opensshTest
    • openssh
    • openssh-askpass
    • opensshWithKerberos
    • openssh_hpnWithKerberos
    • perlPackages.NetOpenSSH
    • perl5Packages.NetOpenSSH
    • lxqt.lxqt-openssh-askpass
    • perl538Packages.NetOpenSSH
    • perl540Packages.NetOpenSSH
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
openssh (Ubuntu package versions)
  • < 1:8.9p1-3ubuntu0.14
  • < 1:9.6p1-3ubuntu13.15
  • < 1:10.0p1-5ubuntu5.1
Patch and oss-security advisory: https://www.openwall.com/lists/oss-security/2026/03/12/3

NIXPKGS-2026-0586
CVE-2026-26311
Envoy HTTP: filter chain execution on reset streams causing UAF crash
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
5.9 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt ignored 11 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    • tests.home-assistant-component-tests.enphase_envoy
  • @mweinelt accepted
  • @mweinelt published on GitHub
envoy
  • < 1.34.13
  • >= 1.35.0, < 1.35.9
  • >= 1.36.0, < 1.36.5
  • >= 1.37.0, < 1.37.1
https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px

NIXPKGS-2026-0587
CVE-2026-26310
Crash for scoped IP address in Envoy during DNS
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
5.9 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt ignored 11 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    • tests.home-assistant-component-tests.enphase_envoy
  • @mweinelt accepted
  • @mweinelt published on GitHub
envoy
  • < 1.34.13
  • >= 1.35.0, < 1.35.9
  • >= 1.36.0, < 1.36.5
  • >= 1.37.0, < 1.37.1
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cw6-2j68-868p

NIXPKGS-2026-0592
CVE-2026-28692
ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
4.8 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt ignored 6 packages
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • imagemagick6Big
    • imagemagick6
  • @mweinelt accepted
  • @mweinelt published on GitHub
ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mrmj-x24c-wwcv

NIXPKGS-2026-0595
CVE-2026-26982
Ghostty affected by arbitrary command execution via control characters in paste and drag-and-drop operations
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
6.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt ignored 3 packages
    • tree-sitter-grammars.tree-sitter-ghostty
    • python313Packages.tree-sitter-grammars.tree-sitter-ghostty
    • python314Packages.tree-sitter-grammars.tree-sitter-ghostty
  • @mweinelt published on GitHub
ghostty
  • < 1.3.0
Unstable: https://github.com/NixOS/nixpkgs/pull/498283
25.11: Unfixed

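The Ghostty entry gives only the advisory title: control characters arriving through paste or drag-and-drop reach the shell as if typed. The block below is an added example of the generic hardening a terminal emulator applies to clipboard and drop input; it is not Ghostty's code and does not describe the specific defect behind CVE-2026-26982. The function names, the choice of which characters to strip (C0 controls other than TAB and LF, DEL, and the C1 range) and the sample clipboard contents are all mine.

```python
import re
import shlex

ESC = "\x1b"
# Bracketed paste (DECSET 2004): the terminal wraps pasted text in these
# markers so an application can tell a paste from keystrokes.
BRACKETED_PASTE_START = ESC + "[200~"
BRACKETED_PASTE_END = ESC + "[201~"

# Characters removed from paste/drop input (choice made for this example):
# C0 controls except TAB (0x09) and LF (0x0a), DEL (0x7f) and C1 (0x80-0x9f).
# CR is included because a bare CR submits whatever precedes it as a command;
# ESC is included because it starts every terminal control sequence.
_DANGEROUS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def sanitize_paste(text: str) -> str:
    """Return `text` with control characters a shell or terminal would act on
    removed. CRLF is normalised to LF first so Windows line endings survive
    as plain newlines; a lone CR is dropped. Stripping ESC also neutralises
    an embedded ESC[201~, which would otherwise close the bracketed-paste
    region early and hand the rest of the clipboard to the shell as typed
    input."""
    text = text.replace("\r\n", "\n")
    return _DANGEROUS.sub("", text)


def bracketed_paste(text: str) -> str:
    """Sanitised text wrapped in bracketed-paste markers, i.e. what the
    terminal sends to an application that has enabled DECSET 2004."""
    return BRACKETED_PASTE_START + sanitize_paste(text) + BRACKETED_PASTE_END


def quote_dropped_path(path: str) -> str:
    """A dragged-and-dropped file name must be both control-free and
    shell-quoted. shlex.quote alone is not enough: it would keep an ESC or
    CR inside the quotes, and the terminal interprets those before the
    shell ever sees the quoting."""
    return shlex.quote(sanitize_paste(path))


def has_unsafe_controls(text: str) -> bool:
    """Detection side: True if the clipboard content contains characters
    sanitize_paste would remove (a cue to warn the user before pasting)."""
    return _DANGEROUS.search(text.replace("\r\n", "\n")) is not None


if __name__ == "__main__":
    # Constructed hostile clipboard content: a fake end-of-paste marker
    # followed by a command and a CR to submit it.
    payload = "echo harmless" + ESC + "[201~rm -rf ~\r"
    print(repr(bracketed_paste(payload)))
    print(quote_dropped_path("my file" + ESC + "[201~"))
```

The order matters in `quote_dropped_path`: quoting first and stripping afterwards would still be correct here, but quoting alone is the mistake to avoid, since shell quoting is parsed by the shell while ESC and CR are parsed by the terminal one layer earlier.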
NIXPKGS-2026-0613
CVE-2026-28690
ImageMagick has a stack write buffer overflow in MNG encoder
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
6.9 MEDIUM, CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt ignored 6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub
ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf

NIXPKGS-2026-0601
CVE-2026-28693
ImageMagick has an integer overflow in the DIB coder that can result in an out-of-bounds read or write
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt ignored 6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub
ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hffp-q43q-qq76

NIXPKGS-2026-0597
CVE-2026-25960
SSRF Protection Bypass in vLLM
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
7.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt ignored 4 packages
    • pkgsRocm.vllm
    • python312Packages.vllm
    • python313Packages.vllm
    • pkgsRocm.python3Packages.vllm
  • @mweinelt accepted
  • @mweinelt published on GitHub
vllm
  • >= 0.15.1, < 0.17.0
https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536
https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc

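The vLLM entry names the vulnerability class (an SSRF protection that can be bypassed) but not the bypass itself, and this page does not say which one the two advisories describe. The block below is an added example of how an outbound-URL check is written so that the usual bypasses fail: it validates the addresses a name resolves to rather than the hostname string, unwraps IPv4-mapped IPv6 literals, and rejects names that resolve to a mix of public and internal addresses. It is not vLLM's code; `check_outbound_url`, `table_resolver` and the `.example` hostnames and addresses in the resolver table are mine, constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list:
    """Resolve with the system resolver and return every address, not just
    the first: a name can mix a public A record with an internal one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def table_resolver(table: dict) -> Resolver:
    """Offline stand-in for system_resolver; `table` is constructed data."""
    def resolve(host: str) -> list:
        if host not in table:
            raise socket.gaierror(f"unknown host {host!r}")
        return list(table[host])
    return resolve


def _is_internal(addr) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str, resolve: Resolver = system_resolver) -> tuple:
    """Return (allowed, reason). Allows only plain http(s) to a host whose
    every resolved address is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a canonical IP literal. Legacy spellings such as "2130706433",
        # "127.1" or "0x7f000001" land here too; a string denylist never sees
        # them as loopback, but the system resolver typically accepts them
        # (inet_aton semantics), so the resolved addresses must be checked.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
        if not addrs:
            return False, "name resolved to no addresses"
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver table: the decimal spelling of 127.0.0.1, a name
    # pointing at a cloud metadata address, a public name, and a name with
    # one public and one internal record.
    resolve = table_resolver({
        "2130706433": ["127.0.0.1"],
        "metadata.example": ["169.254.169.254"],
        "api.example": ["93.184.216.34"],
        "dual.example": ["93.184.216.34", "10.0.0.5"],
    })
    for url in ("https://api.example/v1", "http://2130706433/",
                "http://metadata.example/latest", "http://dual.example/",
                "http://[::ffff:127.0.0.1]/", "http://user@api.example/"):
        print(url, "->", check_outbound_url(url, resolve))
```

Two gaps remain by design and have to be closed in the fetcher, not the validator: the check above is a check-then-fetch, so the fetch must connect to the address that was validated (pin it, rather than letting the HTTP client resolve the name a second time), and redirects must be disabled or re-validated, since a 3xx to an internal address is a bypass of any check applied only to the first URL.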
NIXPKGS-2026-0596
CVE-2026-30926
SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
7.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N (environmental metrics identical to the base metrics)
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub
siyuan
  • < 3.5.10
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523

NIXPKGS-2026-0617
Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.
published 3 months, 2 weeks ago, updated 3 months, 2 weeks ago by @mweinelt
Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub
istio
  • < 1.27.8
  • >= 1.28.0-alpha.0, < 1.28.5
  • >= 1.29.0-alpha.0, < 1.29.1
https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c
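Every entry on this page states its affected versions as range clauses such as ">= 1.36.0, < 1.36.5" or "< 6.9.13-41". The block below is an added example, not the tracker's own code, that parses those clauses and tests an installed version against them; the affected ranges embedded in it are copied from the Envoy, ImageMagick, vLLM and Istio entries above, and the installed versions in the usage call are constructed. The ordering rules are my assumptions, chosen to match how the ranges here are written: a pre-release label sorts before the release it qualifies (1.29.0-alpha.0 < 1.29.0), a numeric "-N" suffix sorts after the bare version (7.1.2-16 > 7.1.2), a letter infix sorts after its absence (9.6p1 > 9.6), and a leading "N:" epoch is compared first. This is enough for the strings on this page, including the Ubuntu ones in the OpenSSH entry, but it is not a full dpkg comparator (no "~" handling).

```python
import re

# A version carrying one of these labels sorts before the bare release it
# qualifies (assumption for this example; matches the Istio ranges above).
PRERELEASE_LABELS = {"alpha", "beta", "rc", "pre", "dev"}
_TOKEN = re.compile(r"\d+|[A-Za-z]+")
_CLAUSE = re.compile(r"\s*(<=|>=|<|>|==)\s*([^,\s]+)\s*")


def version_key(version: str) -> tuple:
    """Turn a version string into a tuple that orders the way the ranges on
    this page expect. Tokens are (rank, number, label): numeric parts rank 1,
    pre-release labels rank 0, other letter runs (the 'p' in 9.6p1, 'ubuntu')
    rank 2. A rank-1 terminator makes '1.29.0' outrank '1.29.0-alpha.0'
    while '7.1.2' still sorts below '7.1.2-16'."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    key = [epoch]
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        elif tok.lower() in PRERELEASE_LABELS:
            key.append((0, 0, tok.lower()))
        else:
            key.append((2, 0, tok.lower()))
    key.append((1, 0, ""))
    return tuple(key)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def matches_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies every clause of one range expression,
    e.g. '>= 1.36.0, < 1.36.5' or '< 6.9.13-41'."""
    v = version_key(version)
    for clause in (c for c in range_expr.split(",") if c.strip()):
        m = _CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"cannot parse clause {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, version_key(bound)):
            return False
    return True


def is_affected(version: str, ranges: list) -> bool:
    """True if `version` falls inside any of the affected ranges."""
    return any(matches_range(version, r) for r in ranges)


# Affected ranges copied from the entries on this page.
AFFECTED = {
    "envoy": ["< 1.34.13", ">= 1.35.0, < 1.35.9",
              ">= 1.36.0, < 1.36.5", ">= 1.37.0, < 1.37.1"],
    "ImageMagick": ["< 6.9.13-41", ">= 7.0.0, < 7.1.2-16"],
    "vllm": [">= 0.15.1, < 0.17.0"],
    "istio": ["< 1.27.8", ">= 1.28.0-alpha.0, < 1.28.5",
              ">= 1.29.0-alpha.0, < 1.29.1"],
}


def triage(installed: dict) -> dict:
    """Map each installed package that has an entry above to whether its
    version is affected."""
    return {pkg: is_affected(ver, AFFECTED[pkg])
            for pkg, ver in installed.items() if pkg in AFFECTED}


if __name__ == "__main__":
    # Constructed sample inventory, not a real system.
    print(triage({"envoy": "1.36.4", "ImageMagick": "7.1.2-16",
                  "istio": "1.29.0", "vllm": "0.17.0"}))
```

The boundary cases are where hand-checking against a tracker page goes wrong: 7.1.2-16 and 6.9.13-41 are the first fixed ImageMagick releases and must come out as not affected, and Istio 1.29.0 is affected even though the range's lower bound is written against an alpha.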