Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1780
published 2 weeks, 1 day ago
CVE-2026-44353
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 weeks, 1 day ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package streamlink-twitch-gui-bin
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Streamlink: Arbitrary local file read via file:// URI in HLS and DASH


streamlink
  • ==< 8.4.0
NIXPKGS-2026-1779
published 2 weeks, 1 day ago
CVE-2026-45261
9.3 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): High (H)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 1 day ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

GitButler: Link injection via forge integration enables arbitrary script execution


gitbutler
  • ==< 0.19.7
NIXPKGS-2026-1778
published 2 weeks, 1 day ago
CVE-2026-4408
9.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 1 day ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package sambamba
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Samba: remote code execution in samr


rhcos
samba
samba4
https://www.samba.org/samba/security/CVE-2026-4408.html
NIXPKGS-2026-1777
published 2 weeks, 1 day ago
CVE-2026-49127
8.8 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 1 day ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • ympd
    • mpdas
    • mympd
    • compdb
    • libmpd
    • mpdcron
    • mpdris2
    • mpd-sima
    • rofi-mpd
    • rtmpdump
    • mpd-mpris
  • @LeSuisse ignored reference https://w…
  • @LeSuisse ignored
    35 packages
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • perl538Packages.FileUtilTempdir
    • perl538Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl540Packages.TestTempDirTiny
    • haskellPackages.mpd-current-json
    • haskellPackages.compdata-fixplate
    • home-assistant-component-tests.mpd
    • chickenPackages_5.chickenEggs.mpd-client
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be


MPD
  • <0.24.11
NIXPKGS-2026-1776
published 2 weeks, 1 day ago
CVE-2026-49129
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 1 day ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • ympd
    • mpdas
    • mympd
    • compdb
    • libmpd
    • mpdcron
    • mpdris2
    • mpd-sima
    • rofi-mpd
    • rtmpdump
  • @LeSuisse ignored reference https://w…
  • @LeSuisse ignored
    36 packages
    • mpd-mpris
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • perl538Packages.FileUtilTempdir
    • perl538Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl540Packages.TestTempDirTiny
    • chickenPackages_5.chickenEggs.mpd-client
    • home-assistant-component-tests.mpd
    • haskellPackages.compdata-fixplate
    • haskellPackages.mpd-current-json
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin


MPD
  • <0.24.11
NIXPKGS-2026-1775
published 2 weeks, 1 day ago
CVE-2026-49130
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 1 day ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    46 packages
    • ympd
    • mpdas
    • mympd
    • compdb
    • libmpd
    • mpdcron
    • mpdris2
    • mpd-sima
    • rofi-mpd
    • rtmpdump
    • mpd-mpris
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • chickenPackages_5.chickenEggs.mpd-client
    • home-assistant-component-tests.mpd
    • haskellPackages.compdata-fixplate
    • haskellPackages.mpd-current-json
    • perl540Packages.TestTempDirTiny
    • perl538Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl538Packages.FileUtilTempdir
  • @LeSuisse ignored reference https://w…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx


MPD
  • <0.24.11
NIXPKGS-2026-1774
published 2 weeks, 2 days ago
CVE-2026-44463
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    48 packages
    • oxidized
    • zed
    • spicedb-zed
    • colorized-logs
    • zed-editor-fhs
    • guile-colorized
    • zed-open-capture
    • ocamlPackages.zed
    • dircolors-solarized
    • nerd-fonts.zed-mono
    • typstPackages.mazed
    • zed-discord-presence
    • ue4demos.stylized_demo
    • haskellPackages.bv-sized
    • ocamlPackages_latest.zed
    • numix-solarized-gtk-theme
    • typstPackages.mazed_0_1_0
    • haskellPackages.vector-sized
    • haskellPackages.parameterized
    • haskellPackages.sized-wrapper
    • gnomeExtensions.hide-minimized
    • python312Packages.parameterized
    • python313Packages.parameterized
    • python314Packages.parameterized
    • haskellPackages.sized-wrapper-text
    • gnomeExtensions.zed-search-provider
    • haskellPackages.parameterized-utils
    • haskellPackages.sized-wrapper-aeson
    • haskellPackages.hmatrix-vector-sized
    • perlPackages.MooseXRoleParameterized
    • python314Packages.mkdocs-git-revision-date-localized-plugin
    • python313Packages.mkdocs-git-revision-date-localized-plugin
    • python312Packages.mkdocs-git-revision-date-localized-plugin
    • vscode-extensions.brandonkirbyson.solarized-palenight
    • chickenPackages_5.chickenEggs.generalized-arrays
    • nixos-artwork.wallpapers.nineish-solarized-dark
    • vimPlugins.nvim-treesitter-parsers.authzed
    • gnomeExtensions.no-titlebar-when-maximized
    • python314Packages.drf-standardized-errors
    • haskellPackages.sized-wrapper-quickcheck
    • gnomeExtensions.maximized-by-default-actually-reborn
    • python313Packages.drf-standardized-errors
    • python312Packages.drf-standardized-errors
    • gnomeExtensions.minimized-windows-buttons
    • perl540Packages.MooseXRoleParameterized
    • perl538Packages.MooseXRoleParameterized
    • gnomeExtensions.truly-maximized-windows
    • perl5Packages.MooseXRoleParameterized
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions


zed
  • ==< 0.229.0
NIXPKGS-2026-1773
published 2 weeks, 2 days ago
CVE-2026-44466
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    48 packages
    • zed
    • python314Packages.mkdocs-git-revision-date-localized-plugin
    • python313Packages.mkdocs-git-revision-date-localized-plugin
    • python312Packages.mkdocs-git-revision-date-localized-plugin
    • gnomeExtensions.maximized-by-default-actually-reborn
    • chickenPackages_5.chickenEggs.generalized-arrays
    • vimPlugins.nvim-treesitter-parsers.authzed
    • gnomeExtensions.no-titlebar-when-maximized
    • python314Packages.drf-standardized-errors
    • python312Packages.drf-standardized-errors
    • gnomeExtensions.minimized-windows-buttons
    • vscode-extensions.brandonkirbyson.solarized-palenight
    • nixos-artwork.wallpapers.nineish-solarized-dark
    • python313Packages.drf-standardized-errors
    • haskellPackages.sized-wrapper-quickcheck
    • perl540Packages.MooseXRoleParameterized
    • perl538Packages.MooseXRoleParameterized
    • gnomeExtensions.truly-maximized-windows
    • perl5Packages.MooseXRoleParameterized
    • perlPackages.MooseXRoleParameterized
    • haskellPackages.hmatrix-vector-sized
    • haskellPackages.sized-wrapper-aeson
    • haskellPackages.parameterized-utils
    • gnomeExtensions.zed-search-provider
    • haskellPackages.sized-wrapper-text
    • python314Packages.parameterized
    • python313Packages.parameterized
    • python312Packages.parameterized
    • gnomeExtensions.hide-minimized
    • haskellPackages.sized-wrapper
    • haskellPackages.parameterized
    • haskellPackages.vector-sized
    • typstPackages.mazed_0_1_0
    • numix-solarized-gtk-theme
    • ocamlPackages_latest.zed
    • ue4demos.stylized_demo
    • zed-discord-presence
    • typstPackages.mazed
    • dircolors-solarized
    • ocamlPackages.zed
    • nerd-fonts.zed-mono
    • haskellPackages.bv-sized
    • zed-open-capture
    • guile-colorized
    • zed-editor-fhs
    • colorized-logs
    • spicedb-zed
    • oxidized
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zed: Allowlist Bypass via Bash Arithmetic Expansion in Terminal Tool Permissions


zed
  • ==< 0.229.0
NIXPKGS-2026-1772
published 2 weeks, 2 days ago
CVE-2026-44462
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    48 packages
    • zed
    • oxidized
    • python314Packages.mkdocs-git-revision-date-localized-plugin
    • python313Packages.mkdocs-git-revision-date-localized-plugin
    • python312Packages.mkdocs-git-revision-date-localized-plugin
    • vscode-extensions.brandonkirbyson.solarized-palenight
    • gnomeExtensions.maximized-by-default-actually-reborn
    • chickenPackages_5.chickenEggs.generalized-arrays
    • vimPlugins.nvim-treesitter-parsers.authzed
    • gnomeExtensions.no-titlebar-when-maximized
    • python314Packages.drf-standardized-errors
    • python312Packages.drf-standardized-errors
    • gnomeExtensions.minimized-windows-buttons
    • perl540Packages.MooseXRoleParameterized
    • perl538Packages.MooseXRoleParameterized
    • gnomeExtensions.truly-maximized-windows
    • perlPackages.MooseXRoleParameterized
    • haskellPackages.hmatrix-vector-sized
    • haskellPackages.sized-wrapper-aeson
    • haskellPackages.parameterized-utils
    • gnomeExtensions.zed-search-provider
    • haskellPackages.sized-wrapper-text
    • python314Packages.parameterized
    • python313Packages.parameterized
    • python312Packages.parameterized
    • gnomeExtensions.hide-minimized
    • haskellPackages.sized-wrapper
    • haskellPackages.parameterized
    • typstPackages.mazed_0_1_0
    • numix-solarized-gtk-theme
    • ocamlPackages_latest.zed
    • ue4demos.stylized_demo
    • zed-discord-presence
    • typstPackages.mazed
    • dircolors-solarized
    • ocamlPackages.zed
    • zed-open-capture
    • nixos-artwork.wallpapers.nineish-solarized-dark
    • haskellPackages.sized-wrapper-quickcheck
    • haskellPackages.vector-sized
    • haskellPackages.bv-sized
    • nerd-fonts.zed-mono
    • guile-colorized
    • spicedb-zed
    • colorized-logs
    • zed-editor-fhs
    • perl5Packages.MooseXRoleParameterized
    • python313Packages.drf-standardized-errors
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zed: Allowlist Bypass via Bash Variable Expansion Chain in Terminal Tool Permissions


zed
  • ==< 0.229.0
NIXPKGS-2026-1771
published 2 weeks, 2 days ago
CVE-2026-44461
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    48 packages
    • zed
    • oxidized
    • spicedb-zed
    • colorized-logs
    • zed-editor-fhs
    • guile-colorized
    • zed-open-capture
    • ocamlPackages.zed
    • dircolors-solarized
    • nerd-fonts.zed-mono
    • typstPackages.mazed
    • zed-discord-presence
    • ue4demos.stylized_demo
    • haskellPackages.bv-sized
    • ocamlPackages_latest.zed
    • numix-solarized-gtk-theme
    • typstPackages.mazed_0_1_0
    • haskellPackages.vector-sized
    • haskellPackages.parameterized
    • haskellPackages.sized-wrapper
    • gnomeExtensions.hide-minimized
    • python312Packages.parameterized
    • python313Packages.parameterized
    • python314Packages.parameterized
    • haskellPackages.sized-wrapper-text
    • gnomeExtensions.zed-search-provider
    • haskellPackages.parameterized-utils
    • haskellPackages.sized-wrapper-aeson
    • haskellPackages.hmatrix-vector-sized
    • perlPackages.MooseXRoleParameterized
    • perl5Packages.MooseXRoleParameterized
    • gnomeExtensions.truly-maximized-windows
    • perl538Packages.MooseXRoleParameterized
    • perl540Packages.MooseXRoleParameterized
    • haskellPackages.sized-wrapper-quickcheck
    • gnomeExtensions.minimized-windows-buttons
    • python312Packages.drf-standardized-errors
    • python313Packages.drf-standardized-errors
    • python314Packages.drf-standardized-errors
    • gnomeExtensions.no-titlebar-when-maximized
    • vimPlugins.nvim-treesitter-parsers.authzed
    • nixos-artwork.wallpapers.nineish-solarized-dark
    • chickenPackages_5.chickenEggs.generalized-arrays
    • gnomeExtensions.maximized-by-default-actually-reborn
    • vscode-extensions.brandonkirbyson.solarized-palenight
    • python312Packages.mkdocs-git-revision-date-localized-plugin
    • python313Packages.mkdocs-git-revision-date-localized-plugin
    • python314Packages.mkdocs-git-revision-date-localized-plugin
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)


zed
  • ==< 0.227.1