Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0615
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt added
    5 maintainers
    • @wegank
    • @Prince213
    • @phanirithvij
    • @ethancedwards8
    • @eljamm
    maintainer.add
  • @mweinelt accepted
  • @mweinelt published on GitHub

Misskey lacks proper authorization checks and input validation


misskey
  • >= 8.45.0, < 2026.3.1
https://github.com/misskey-dev/misskey/security/advisories/GHSA-r33c-qg3g-v9cr
NIXPKGS-2026-0591
published 3 months, 2 weeks ago
CVE-2026-30929
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has a stack buffer overflow in MagnifyImage


ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rqq8-jh93-f4vg
NIXPKGS-2026-0622
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS


siyuan
  • < 3.5.10
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr
NIXPKGS-2026-0610
published 3 months, 2 weeks ago
CVE-2026-28688
4.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has a heap use-after-free in the MSL encoder


ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xxw5-m53x-j38c
NIXPKGS-2026-0607
published 3 months, 2 weeks ago
CVE-2026-30913
4.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt added
    2 maintainers
    • @fsagbuya
    • @jasonodoom
    maintainer.add
  • @mweinelt ignored package sbclPackages.trivial-package-local-nicknames
  • @mweinelt accepted
  • @mweinelt published on GitHub

flarum/nickname: Display name injection in notification emails (autolink & markdown)


nicknames
  • < 1.8.3
1.8.2 visible in the flarum composer lockfile.
NIXPKGS-2026-0604
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt added
    6 maintainers
    • @wegank
    • @Prince213
    • @OPNA2608
    • @fricklerhandwerk
    • @ethancedwards8
    • @eljamm
    maintainer.add
  • @mweinelt accepted
  • @mweinelt published on GitHub

HTTP signature verification can be bypassed


misskey
  • < 2026.3.1
https://github.com/misskey-dev/misskey/security/advisories/GHSA-grwc-c762-gcvp
NIXPKGS-2026-0589
published 3 months, 2 weeks ago
CVE-2026-26309
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    11 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    • tests.home-assistant-component-tests.enphase_envoy
  • @mweinelt accepted
  • @mweinelt published on GitHub

Envoy has an off-by-one write in JsonEscaper::escapeString()


envoy
  • >= 1.37.0, < 1.37.1
  • < 1.34.13
  • >= 1.36.0, < 1.36.5
  • >= 1.35.0, < 1.35.9
https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943
NIXPKGS-2026-0588
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • python312Packages.glances-api
    • python313Packages.glances-api
    • python314Packages.glances-api
    • home-assistant-component-tests.glances
    • tests.home-assistant-component-tests.glances
  • @mweinelt accepted
  • @mweinelt published on GitHub

Glances has SQL Injection via Process Names in TimescaleDB Export


glances
  • < 4.5.1
https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6
https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336
NIXPKGS-2026-0594
published 3 months, 2 weeks ago
CVE-2026-28691
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has an uninitialized pointer dereference in JBIG decoder


ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wj8w-pjxf-9g4f
NIXPKGS-2026-0605
published 3 months, 2 weeks ago
CVE-2026-30883
5.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder


ImageMagick
  • < 6.9.13-41
  • >= 7.0.0, < 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc