Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0583
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • python312Packages.glances-api
    • python313Packages.glances-api
    • python314Packages.glances-api
    • home-assistant-component-tests.glances
    • tests.home-assistant-component-tests.glances
  • @mweinelt accepted
  • @mweinelt published on GitHub

Glances Exposes Unauthenticated Configuration Secrets


glances
  • < 4.5.1
https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6
https://github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da
NIXPKGS-2026-0590
published 3 months, 2 weeks ago
CVE-2026-28494
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • graphicsmagick-imagemagick-compat
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick affected by stack corruption through long morphology kernel names or arrays


ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-932h-jw47-73jm
NIXPKGS-2026-0623
published 3 months, 2 weeks ago
CVE-2026-31817
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

OliveTin has unsafe parsing of UniqueTrackingId can be used to write files


OliveTin
  • < 3000.11.2
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc
NIXPKGS-2026-0621
published 3 months, 2 weeks ago
CVE-2026-30933
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @mweinelt accepted
  • @mweinelt published on GitHub

FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info


filebrowser
  • >= 1.2.6-beta, < 1.2.2-stable
  • = 1.1.3-stable
  • >= 1.3.0-beta, < 1.3.1-beta
https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
NIXPKGS-2026-0599
published 3 months, 2 weeks ago
CVE-2026-28687
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has a Heap Use-After-Free in ImageMagick MSL decoder


ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fpvf-frm6-625q
NIXPKGS-2026-0616
published 3 months, 2 weeks ago
CVE-2026-30936
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
    • imagemagick6_light
    • imagemagick6
    • imagemagick6Big
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has a heap Buffer Overflow in WaveletDenoiseImage


ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5ggv-92r5-cp4p
NIXPKGS-2026-0625
published 3 months, 2 weeks ago
CVE-2026-30934
8.9 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @mweinelt accepted
  • @mweinelt published on GitHub

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)


filebrowser
  • < 1.2.2-stable
  • >= 1.3.0-beta, < 1.3.1-beta
https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532
NIXPKGS-2026-0620
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS


siyuan
  • < 3.5.10
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27
NIXPKGS-2026-0585
published 3 months, 2 weeks ago
CVE-2026-26308
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    11 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    • tests.home-assistant-component-tests.enphase_envoy
  • @mweinelt accepted
  • @mweinelt published on GitHub

Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation


envoy
  • >= 1.37.0, < 1.37.1
  • < 1.34.13
  • >= 1.36.0, < 1.36.5
  • >= 1.35.0, < 1.35.9
https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5
https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867
NIXPKGS-2026-0612
published 3 months, 2 weeks ago
CVE-2026-30869
9.3 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage


siyuan
  • < 3.5.10
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h2p-mvfx-868w