Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0544
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access


siyuan
  • ==< 3.6.0
NIXPKGS-2026-0553
published 3 months, 2 weeks ago
CVE-2026-29060
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Gokapi: Privilege escalation with auth token


Gokapi
  • ==< 2.2.3
NIXPKGS-2026-0548
published 3 months, 2 weeks ago
CVE-2026-28681
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links


irrd
  • ==>= 4.5.0, < 4.5.1
  • ==>= 4.4.0, < 4.4.5
https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj
https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb
https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c
https://irrd.readthedocs.io/en/stable/releases/4.4.5
https://irrd.readthedocs.io/en/stable/releases/4.5.1
NIXPKGS-2026-0549
published 3 months, 2 weeks ago
CVE-2026-29183
9.3 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution


siyuan
  • ==< 3.5.9
NIXPKGS-2026-0543
published 3 months, 2 weeks ago
CVE-2026-29110
2.2 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

Cryptomator: Leaking of cleartext paths into log file in non-debug mode


cryptomator
  • ==< 1.19.0
NIXPKGS-2026-0546
published 3 months, 2 weeks ago
CVE-2026-29089
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt ignored
    17 packages
    • timescaledb-tune
    • timescaledb-parallel-copy
    • postgresql14Packages.timescaledb
    • postgresql15Packages.timescaledb
    • postgresql16Packages.timescaledb
    • postgresql17Packages.timescaledb
    • postgresql18Packages.timescaledb
    • postgresqlPackages.timescaledb-apache
    • postgresqlPackages.timescaledb_toolkit
    • postgresql14Packages.timescaledb-apache
    • postgresql15Packages.timescaledb-apache
    • postgresql16Packages.timescaledb-apache
    • postgresql17Packages.timescaledb-apache
    • postgresql18Packages.timescaledb-apache
    • postgresql15Packages.timescaledb_toolkit
    • postgresql16Packages.timescaledb_toolkit
    • postgresql17Packages.timescaledb_toolkit
  • @mweinelt accepted
  • @mweinelt published on GitHub

TimescaleDB uses untrusted search path during extension upgrade


timescaledb
  • ==>= 2.23.0, < 2.25.2
NixOS Unstable fixed in https://github.com/NixOS/nixpkgs/pull/496218
NIXPKGS-2026-0554
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt ignored
    4 packages
    • filebrowser-quantum
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @mweinelt accepted
  • @mweinelt published on GitHub

File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory


filebrowser
  • ==< 2.61.0
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69
https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83
NIXPKGS-2026-0538
published 3 months, 2 weeks ago
CVE-2026-30224
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session


OliveTin
  • ==< 3000.11.1
NIXPKGS-2026-0559
published 3 months, 2 weeks ago
CVE-2026-28790
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login


OliveTin
  • ==< 3000.11.0
NIXPKGS-2026-0561
published 3 months, 2 weeks ago
CVE-2026-28277
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt ignored
    28 packages
    • langgraph-cli
    • python312Packages.langgraph-cli
    • python312Packages.langgraph-sdk
    • python313Packages.langgraph-cli
    • python313Packages.langgraph-sdk
    • python314Packages.langgraph-cli
    • python314Packages.langgraph-sdk
    • python312Packages.langgraph-prebuilt
    • python313Packages.langgraph-prebuilt
    • python314Packages.langgraph-prebuilt
    • python312Packages.langgraph-checkpoint
    • python313Packages.langgraph-checkpoint
    • python314Packages.langgraph-checkpoint
    • python312Packages.langgraph-runtime-inmem
    • python312Packages.langgraph-store-mongodb
    • python313Packages.langgraph-runtime-inmem
    • python313Packages.langgraph-store-mongodb
    • python314Packages.langgraph-runtime-inmem
    • python314Packages.langgraph-store-mongodb
    • python312Packages.langgraph-checkpoint-sqlite
    • python313Packages.langgraph-checkpoint-sqlite
    • python314Packages.langgraph-checkpoint-sqlite
    • python312Packages.langgraph-checkpoint-mongodb
    • python313Packages.langgraph-checkpoint-mongodb
    • python314Packages.langgraph-checkpoint-mongodb
    • python312Packages.langgraph-checkpoint-postgres
    • python313Packages.langgraph-checkpoint-postgres
    • python314Packages.langgraph-checkpoint-postgres
  • @mweinelt accepted
  • @mweinelt published on GitHub

LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading


langgraph
  • ==<= 1.0.9
https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844