Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0571
published 3 months, 2 weeks ago
CVE-2026-29193
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored package zitadel-tools
  • @mweinelt accepted
  • @mweinelt published on GitHub

ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2


zitadel
  • >= 4.0.0, < 4.12.1
Upstream advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8
NIXPKGS-2026-0576
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    33 packages
    • rubyPackages_4_0.jekyll-commonmark-ghpages
    • rubyPackages_3_4.jekyll-commonmark-ghpages
    • rubyPackages_3_3.jekyll-commonmark-ghpages
    • guile-commonmark
    • rubyPackages.commonmarker
    • haskellPackages.commonmark
    • python312Packages.commonmark
    • python313Packages.commonmark
    • python314Packages.commonmark
    • rubyPackages_3_1.commonmarker
    • rubyPackages_3_2.commonmarker
    • rubyPackages_3_3.commonmarker
    • rubyPackages_3_4.commonmarker
    • rubyPackages_4_0.commonmarker
    • haskellPackages.commonmark-cli
    • python312Packages.recommonmark
    • python313Packages.recommonmark
    • python314Packages.recommonmark
    • rubyPackages.jekyll-commonmark
    • tests.nixosOptionsDoc.commonMark
    • haskellPackages.commonmark-pandoc
    • haskellPackages.commonmark-simple
    • haskellPackages.commonmark-initial
    • rubyPackages_3_1.jekyll-commonmark
    • rubyPackages_3_2.jekyll-commonmark
    • rubyPackages_3_3.jekyll-commonmark
    • rubyPackages_3_4.jekyll-commonmark
    • rubyPackages_4_0.jekyll-commonmark
    • haskellPackages.commonmark-wikilink
    • haskellPackages.commonmark-extensions
    • rubyPackages.jekyll-commonmark-ghpages
    • rubyPackages_3_1.jekyll-commonmark-ghpages
    • rubyPackages_3_2.jekyll-commonmark-ghpages
  • @mweinelt accepted
  • @mweinelt published on GitHub

league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names


commonmark
  • < 2.8.1
Affects flarum per composer.lock file
@jasondoom @fsagbuya
NIXPKGS-2026-0566
published 3 months, 2 weeks ago
CVE-2025-15602
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation


Snipe-IT
  • < 8.3.7
NixOS Unstable: https://github.com/NixOS/nixpkgs/commit/ab0b678bb6d6b564079108ff431e6fb01d1b492e
NixOS 25.11: https://github.com/NixOS/nixpkgs/pull/486331 (unmerged)
NIXPKGS-2026-0528
published 3 months, 2 weeks ago
CVE-2026-26018
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

CoreDNS Loop Detection Denial of Service Vulnerability


coredns
  • < 1.14.2
NIXPKGS-2026-0547
published 3 months, 2 weeks ago
CVE-2026-28685
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Kimai: API invoice endpoint missing customer-level access control (IDOR)


kimai
  • < 2.51.0
NIXPKGS-2026-0540
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    15 packages
    • python314Packages.google-auth-oauthlib
    • python313Packages.google-auth-oauthlib
    • python312Packages.google-auth-oauthlib
    • python314Packages.requests-oauthlib
    • python313Packages.requests-oauthlib
    • python312Packages.requests-oauthlib
    • python314Packages.aiohttp-oauthlib
    • python313Packages.aiohttp-oauthlib
    • python312Packages.aiohttp-oauthlib
    • python314Packages.hawkauthlib
    • python313Packages.hawkauthlib
    • python312Packages.hawkauthlib
    • python314Packages.oauthlib
    • python313Packages.oauthlib
    • python312Packages.oauthlib
  • @mweinelt accepted
  • @mweinelt published on GitHub

Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification


authlib
  • >= 1.6.5, < 1.6.7
https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7
NIXPKGS-2026-0545
published 3 months, 2 weeks ago
CVE-2026-30233
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

OliveTin: View permission not being checked when returning dashboards


OliveTin
  • < 3000.11.1
NIXPKGS-2026-0542
published 3 months, 2 weeks ago
CVE-2026-29082
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Kestra: Stored Cross-Site Scripting in Markdown File Preview


kestra
  • <= 1.1.10
NIXPKGS-2026-0550
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    2 packages
    • copilot-cli
    • fishPlugins.github-copilot-cli-fish
  • @mweinelt added maintainer @dbreyfogle
  • @mweinelt deleted maintainer @malob
  • @mweinelt accepted
  • @mweinelt published on GitHub

GitHub Copilot CLI allows for dangerous shell expansion patterns that enable arbitrary command execution


copilot-cli
  • <= 0.0.422
https://github.com/github/copilot-cli/security/advisories/GHSA-g8r9-g2v8-jv6f
NIXPKGS-2026-0555
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force


rustdesk-server
  • =<1.1.15
rustdesk-server-pro
  • =<1.7.5
Advisory: https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub