Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0611
published 3 months, 2 weeks ago
CVE-2026-30931
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has a heap-based buffer overflow in UHDR encoder


ImageMagick
  • ==< 7.1.2-16
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h95r-c8c7-mrwx
NIXPKGS-2026-0606
published 3 months, 2 weeks ago
CVE-2025-62166
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    7 packages
    • freshrss-extensions.demo
    • freshrss-extensions.youtube
    • freshrss-extensions.auto-ttl
    • freshrss-extensions.title-wrap
    • freshrss-extensions.reading-time
    • freshrss-extensions.reddit-image
    • freshrss-extensions.unsafe-auto-login
  • @mweinelt accepted
  • @mweinelt published on GitHub

FreshRSS has an IDOR which allows for viewing feeds of any user and leaking tokens


FreshRSS
  • ==< 1.28.0
https://github.com/NixOS/nixpkgs/pull/473921

Patch not backported
NIXPKGS-2026-0618
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Giflib contains a double-free vulnerability that is the result of …


giflib
  • =<6.1.1
https://www.facebook.com/security/advisories/cve-2026-23868
https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106/tree/gifalloc.c?diff=5146815377b7395944cb683a08c43eee3f631eb7
NIXPKGS-2026-0602
published 3 months, 2 weeks ago
CVE-2026-28689
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • imagemagick6
    • imagemagick6Big
    • imagemagick6_light
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
  • @mweinelt accepted
  • @mweinelt published on GitHub

ImageMagick has a Path Policy TOCTOU symlink race bypass


ImageMagick
  • ==>= 7.0.0, < 7.1.2-16
  • ==< 6.9.13-41
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3
NIXPKGS-2026-0582
published 3 months, 2 weeks ago
CVE-2026-3706
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

mkj Dropbear S Range Check curve25519.c unpackneg signature verification


Dropbear
  • ==2025.79
  • ==2025.46
  • ==2025.88
  • ==2025.26
  • ==2025.43
  • ==2025.75
  • ==2025.64
  • ==2025.51
  • ==2025.62
  • ==2025.12
  • ==2025.6
  • ==2025.73
  • ==2025.83
  • ==2025.47
  • ==2025.5
  • ==2025.8
  • ==2025.78
  • ==2025.21
  • ==2025.34
  • ==2025.4
  • ==2025.20
  • ==2025.86
  • ==2025.56
  • ==2025.50
  • ==2025.69
  • ==2025.16
  • ==2025.14
  • ==2025.41
  • ==2025.87
  • ==2025.58
  • ==2025.7
  • ==2025.54
  • ==2025.45
  • ==2025.59
  • ==2025.52
  • ==2025.40
  • ==2025.80
  • ==2025.84
  • ==2025.19
  • ==2025.55
  • ==2025.71
  • ==2025.77
  • ==2025.15
  • ==2025.85
  • ==2025.76
  • ==2025.70
  • ==2025.33
  • ==2025.65
  • ==2025.48
  • ==2025.57
  • ==2025.9
  • ==2025.61
  • ==2025.0
  • ==2025.44
  • ==2025.37
  • ==2025.22
  • ==2025.38
  • ==2025.82
  • ==2025.63
  • ==2025.36
  • ==2025.17
  • ==2025.1
  • ==2025.11
  • ==2025.24
  • ==2025.81
  • ==2025.32
  • ==2025.66
  • ==2025.25
  • ==2025.89
  • ==2025.18
  • ==2025.27
  • ==2025.67
  • ==2025.3
  • ==2025.29
  • ==2025.28
  • ==2025.23
  • ==2025.53
  • ==2025.72
  • ==2025.2
  • ==2025.30
  • ==2025.42
  • ==2025.68
  • ==2025.31
  • ==2025.35
  • ==2025.74
  • ==2025.49
  • ==2025.39
  • ==2025.60
  • ==2025.10
  • ==2025.13
https://github.com/mkj/dropbear/issues/406#issue-3978907798
https://github.com/mkj/dropbear/pull/407
NIXPKGS-2026-0581
published 3 months, 2 weeks ago
CVE-2026-3731
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Not Defined (X)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    8 packages
    • libssh2
    • haskellPackages.libssh
    • haskellPackages.libssh2
    • haskellPackages.libssh2-conduit
    • python312Packages.ansible-pylibssh
    • python313Packages.ansible-pylibssh
    • python314Packages.ansible-pylibssh
    • tests.pkg-config.defaultPkgConfigPackages.libssh2
  • @mweinelt accepted
  • @mweinelt published on GitHub

libssh SFTP Extension Name sftp.c sftp_extensions_get_data out-of-bounds


libssh
  • ==0.11.3
  • ==0.12.0
  • ==0.11.0
  • ==0.11.2
  • ==0.11.4
  • ==0.11.1
https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt
NIXPKGS-2026-0575
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Netmaker: Privilege Escalation from Admin to Super-Admin via User Update


netmaker
  • ==< 1.5.0
Upstream advisory: https://github.com/gravitl/netmaker/security/advisories/GHSA-ch3w-9456-38v3
NIXPKGS-2026-0579
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

It was discovered that dpkg-deb (a component of dpkg, the …


dpkg
  • <1.23.6
Upstream issue: https://bugs.debian.org/challenge.html?original=%2f1129722
Patch: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
NIXPKGS-2026-0574
published 3 months, 2 weeks ago
CVE-2026-29067
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored package zitadel-tools
  • @mweinelt accepted
  • @mweinelt published on GitHub

ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login


zitadel
  • ==>= 4.0.0-rc.1, < 4.7.1
Upstream advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5
NIXPKGS-2026-0569
published 3 months, 2 weeks ago
CVE-2026-29191
9.3 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored package zitadel-tools
  • @mweinelt accepted
  • @mweinelt published on GitHub

ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint


zitadel
  • ==>= 4.0.0, < 4.12.0
Upstream advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-pr34-2v5x-6qjq