Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0564
published 3 months, 2 weeks ago
CVE-2026-3606
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Ettercap etterfilter ef_output.c add_data_segment out-of-bounds

Ettercap
  • ==0.8.4-Garofalo
Upstream issue: https://github.com/Ettercap/ettercap/issues/1297
NIXPKGS-2026-0567
published 3 months, 2 weeks ago
CVE-2026-29778
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt ignored
    5 packages
    • python312Packages.pyloadapi
    • python313Packages.pyloadapi
    • python314Packages.pyloadapi
    • home-assistant-component-tests.pyload
    • tests.home-assistant-component-tests.pyload
  • @mweinelt accepted
  • @mweinelt published on GitHub

pyLoad: Arbitrary File Write via Path Traversal in edit_package()

pyload
  • >= 0.5.0b3.dev13, < 0.5.0b3.dev97
Upstream advisory: https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw
NIXPKGS-2026-0572
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys

netmaker
  • < 1.5.0
Upstream advisory: https://github.com/gravitl/netmaker/security/advisories/GHSA-4hgg-c4rr-6h7f
NIXPKGS-2026-0577
published 3 months, 2 weeks ago
CVE-2026-30825
0.0 NONE
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token

hoppscotch
  • < 2026.2.1
Upstream advisory: https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7pfq-mwj3-xw9h
NIXPKGS-2026-0578
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Netmaker: Denial of Service via Server Shutdown Endpoint

netmaker
  • < 1.2.0
Upstream advisory: https://github.com/gravitl/netmaker/security/advisories/GHSA-rhr9-hgcm-x289
NIXPKGS-2026-0573
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Netmaker: Insufficient Authorization in Host Token Verification

netmaker
  • < 1.5.0
Upstream advisory: https://github.com/gravitl/netmaker/security/advisories/GHSA-hmqr-wjmj-376c
NIXPKGS-2026-0568
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

defuddle
  • < 0.9.0
Upstream advisory: https://github.com/kepano/defuddle/security/advisories/GHSA-5mq8-78gm-pjmq
NIXPKGS-2026-0565
published 3 months, 2 weeks ago
CVE-2026-29049
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt ignored
    6 packages
    • ocamlPackages.melange
    • ocamlPackages.melange-json
    • ocamlPackages_latest.melange
    • ocamlPackages.melange-json-native
    • ocamlPackages_latest.melange-json
    • ocamlPackages_latest.melange-json-native
  • @mweinelt accepted
  • @mweinelt published on GitHub

melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

melange
  • <= 0.40.5
NixOS Unstable: https://github.com/NixOS/nixpkgs/commit/fc16741b0fa908e009f5ca0c3b8437a9095628ab
NixOS 25.11: requires patch or backport
NIXPKGS-2026-0570
published 3 months, 2 weeks ago
CVE-2026-30832
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Soft Serve: SSRF via unvalidated LFS endpoint in repo import

soft-serve
  • >= 0.6.0, < 0.11.4
Upstream advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-3fvx-xrxq-8jvv
NixOS Unstable: https://github.com/NixOS/nixpkgs/pull/497054
NIXPKGS-2026-0580
published 3 months, 2 weeks ago
CVE-2026-29192
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

zitadel
  • >= 4.0.0, < 4.12.0
Upstream advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7