Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0519
published 3 months, 2 weeks ago
CVE-2026-22040
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NanoMQ 0.24.6 Use-After-Free Leading to Heap Corruption and Broker Crash

nanomq
  • = 0.24.6
Upstream advisory: https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r
NIXPKGS-2026-0517
published 3 months, 2 weeks ago
CVE-2026-27898
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored package vaultwarden-webvault
  • @LeSuisse accepted
  • @LeSuisse deleted 2 maintainers
    • @dotlambda
    • @SuperSandro2000
  • @LeSuisse published on GitHub

Vaultwarden: Unauthorized Access via Partial Update API on Another User's Cipher

vaultwarden
  • < 1.35.4
Upstream advisory: https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh
NIXPKGS-2026-0512
published 3 months, 3 weeks ago
CVE-2026-27600
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

HomeBox affected by Blind SSRF

homebox
  • < 0.24.0-rc.1
Upstream advisory: https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-cm7p-5mg5-82pm
NIXPKGS-2026-0510
published 3 months, 3 weeks ago
updated 3 months, 2 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored 2 packages
    • haskellPackages.openexr-write
    • openexrid-unstable
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write

openexr
  • >= 3.4.0, < 3.4.6
  • >= 2.3.0, < 3.2.6
  • >= 3.3.0, < 3.3.8
Upstream advisory: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963
NIXPKGS-2026-0514
published 3 months, 3 weeks ago
CVE-2026-26272
4.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

HomeBox affected by Stored XSS via HTML/SVG Attachment Upload

homebox
  • < 0.24.0-rc.1
Upstream advisory: https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-55fv-9q6q-vpcr
Upstream patch: https://github.com/sysadminsmedia/homebox/commit/51bd04e5f4656b306a296745ddd854d45aa3b892
NIXPKGS-2026-0511
published 3 months, 3 weeks ago
CVE-2026-27932
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

joserfc PBES2 p2c Unbounded Iteration Count enables Denial of Service (DoS)

joserfc
  • <= 1.6.2
Upstream advisory: https://github.com/authlib/joserfc/security/advisories/GHSA-w5r5-m38g-f9f9
Upstream patch: https://github.com/authlib/joserfc/commit/696a9611ab982c45ee2190ed79ca8e1d8e09398f
NIXPKGS-2026-0513
published 3 months, 3 weeks ago
CVE-2026-27981
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

HomeBox has an Auth Rate Limit Bypass via IP Spoofing

homebox
  • < 0.24.0
Upstream advisory: https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3
NIXPKGS-2026-0509
published 3 months, 3 weeks ago
updated 3 months, 2 weeks ago by @mweinelt
Activity log:
  • Created suggestion
  • @mweinelt accepted
  • @mweinelt published on GitHub

BentoML has an Arbitrary File Write via Symlink Path Traversal in Tar Extraction

BentoML
  • < 1.4.36
Upstream patch: https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670
Upstream advisory: https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf
NIXPKGS-2026-0507
published 3 months, 3 weeks ago
CVE-2026-28416
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 months, 3 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored 8 packages
    • python312Packages.gradio-pdf
    • python313Packages.gradio-pdf
    • python314Packages.gradio-pdf
    • pkgsRocm.python3Packages.gradio-client
    • pkgsRocm.python3Packages.gradio-pdf
    • python314Packages.gradio-client
    • python313Packages.gradio-client
    • python312Packages.gradio-client
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing

gradio
  • < 6.6.0
Upstream advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9
NIXPKGS-2026-0498
published 3 months, 3 weeks ago
CVE-2026-23865
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 3 months, 3 weeks ago by @LeSuisse
Activity log:
  • Created suggestion
  • @LeSuisse ignored 8 packages
    • haskellPackages.freetype2
    • sbclPackages.cl-freetype2
    • haskellPackages.gi-freetype2
    • python312Packages.freetype-py
    • python313Packages.freetype-py
    • python314Packages.freetype-py
    • chickenPackages_5.chickenEggs.freetype
    • tests.pkg-config.defaultPkgConfigPackages.freetype2
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

An integer overflow in the tt_var_load_item_variation_store function of the Freetype …


FreeType
  • =<2.13.3
  • =<2.14.1
Upstream patch: https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
Advisory: https://www.facebook.com/security/advisories/cve-2026-23865