Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0523
published 3 months, 2 weeks ago
CVE-2026-26999
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package traefik-certs-dumper
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Traefik: TCP router clears read deadlines before TLS forwarding, enabling stalled handshakes (Slowloris DoS)


traefik
  • < 3.6.9
  • < 2.11.38
Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94
NIXPKGS-2026-0525
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

xgrammar: Multi-layer nesting causes DoS


xgrammar
  • < 0.1.32
Upstream advisory: https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-7rgv-gqhr-fxg3
NIXPKGS-2026-0526
published 3 months, 2 weeks ago
CVE-2026-28222
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python314Packages.wagtail
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
  • @LeSuisse restored package python314Packages.wagtail
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Wagtail: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes


wagtail
  • >= 7.3rc1, < 7.3.1
  • >= 6.4rc1, < 7.0.6
  • >= 7.1rc1, < 7.2.3
  • < 6.3.8
Upstream advisory: https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm
Patch:
* 7.3.x: https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85
* 7.2.x: https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b
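The affected-version ranges on this page use comma-joined clauses such as ">= 7.3rc1, < 7.3.1", and pre-release tags like "rc1" must sort before the final release for the lower bound to be applied correctly. The following checker, added here as an example and not part of the tracker, parses that clause syntax and a PEP 440-style subset of version strings (dotted release plus optional a/b/rc tag), and reports whether a pinned version falls inside any listed range. `WAGTAIL_AFFECTED` is copied from the ranges listed above for wagtail.

```python
"""Evaluate tracker-style affected-version ranges against a concrete version.
Added example; not code from the Nixpkgs security tracker."""
import re
from typing import Iterable, Tuple

# Dotted release, optionally followed by a pre-release tag (a1, b2, rc3).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)\s*(.+)$")

# Pre-release tags order a < b < rc < final, so 7.3rc1 < 7.3.
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2, None: 3}

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Tuple[tuple, int, int]:
    """'7.3rc1' -> ((7, 3), 2, 1); '7.3.1' -> ((7, 3, 1), 3, 0).
    Trailing zero components are dropped so 7.3 and 7.3.0 compare equal."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    release = [int(x) for x in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    label = m.group(2)
    number = int(m.group(3)) if m.group(3) else 0
    return tuple(release), _PRE_ORDER[label], number


def matches_range(version: str, range_spec: str) -> bool:
    """True when every comma-separated clause of range_spec holds for version."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def is_affected(version: str, ranges: Iterable[str]) -> bool:
    """A version is affected if it falls inside any one of the listed ranges."""
    return any(matches_range(version, r) for r in ranges)


# Ranges as listed for wagtail on this page.
WAGTAIL_AFFECTED = [
    ">= 7.3rc1, < 7.3.1",
    ">= 6.4rc1, < 7.0.6",
    ">= 7.1rc1, < 7.2.3",
    "< 6.3.8",
]

# Ranges as listed for traefik (GHSA-92mv-8f8w-wq52) on this page.
TRAEFIK_AFFECTED = [">= 3.1.3, < 3.6.9", ">= 2.11.9, < 2.11.38"]


if __name__ == "__main__":
    for candidate in ["6.3.7", "6.3.8", "7.0.5", "7.0.6", "7.1rc2", "7.3", "7.3.1"]:
        print(f"wagtail {candidate}: affected={is_affected(candidate, WAGTAIL_AFFECTED)}")
    for candidate in ["3.1.2", "3.6.8", "3.6.9", "2.11.38"]:
        print(f"traefik {candidate}: affected={is_affected(candidate, TRAEFIK_AFFECTED)}")
```

Note the two traps the parser handles: "7.3rc1" must satisfy ">= 7.3rc1" but "7.3rc1" must also be below "7.3" (a naive string or dotted-integer comparison gets one of these wrong), and an entry that lists no version ranges at all (as the nfs-utils entry on this page does) has to be treated as unresolved rather than as "not affected".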
NIXPKGS-2026-0522
published 3 months, 2 weeks ago
CVE-2026-29054
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package traefik-certs-dumper
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)


traefik
  • >= 3.1.3, < 3.6.9
  • >= 2.11.9, < 2.11.38
Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52
NIXPKGS-2026-0524
published 3 months, 2 weeks ago
CVE-2026-26998
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package traefik-certs-dumper
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Traefik: unbounded io.ReadAll on auth server response body causes OOM denial of service (DoS)


traefik
  • < 3.6.9
  • < 2.11.38
Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-fw45-f5q2-2p4x
NIXPKGS-2026-0516
published 3 months, 2 weeks ago
CVE-2026-27803
8.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package vaultwarden-webvault
  • @LeSuisse accepted
  • @LeSuisse deleted
    2 maintainers
    • @dotlambda
    • @SuperSandro2000
  • @LeSuisse published on GitHub

Vaultwarden: Collection Management Operations Allowed Without `manage` Verification for Manager Role


vaultwarden
  • < 1.35.4
Upstream advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27
NIXPKGS-2026-0521
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse added
    2 maintainers
    • @mweinelt
    • @natsukium
  • @LeSuisse ignored package haskellPackages.cpython
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

SourcelessFileLoader does not use io.open_code()


CPython
  • <3.15.0
Upstream issue: https://github.com/python/cpython/issues/145506
NIXPKGS-2026-0520
published 3 months, 2 weeks ago
CVE-2025-12801
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package mkinitcpio-nfs-utils
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

nfs-utils: privilege escalation in rpc.mountd


rhcos
nfs-utils
nfs-utils-lib
RH issue: https://bugzilla.redhat.com/show_bug.cgi?id=2413081
NIXPKGS-2026-0518
published 3 months, 2 weeks ago
CVE-2026-27802
8.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package vaultwarden-webvault
  • @LeSuisse accepted
  • @LeSuisse deleted
    2 maintainers
    • @dotlambda
    • @SuperSandro2000
  • @LeSuisse published on GitHub

Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager


vaultwarden
  • < 1.35.4
Upstream advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-r32r-j5jq-3w4m
NIXPKGS-2026-0515
published 3 months, 2 weeks ago
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package vaultwarden-webvault
  • @LeSuisse accepted
  • @LeSuisse deleted
    2 maintainers
    • @dotlambda
    • @SuperSandro2000
  • @LeSuisse published on GitHub

Vaultwarden: 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement


vaultwarden
  • < 1.35.0
Upstream advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr