Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0506
published 3 months, 3 weeks ago
CVE-2026-3336
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

PKCS7_verify Certificate Chain Validation Bypass in AWS-LC


AWS-LC
  • <1.69.0
Upstream advisory: https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp
NIXPKGS-2026-0503
published 3 months, 3 weeks ago
CVE-2026-3337
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Timing Side-Channel in AES-CCM Tag Verification in AWS-LC


AWS-LC
  • <1.69.0
AWS-LC-FIPS
  • <3.2.0
Upstream advisory: https://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh
NIXPKGS-2026-0508
published 3 months, 3 weeks ago
CVE-2026-27167
0.0 NONE
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • python312Packages.gradio-pdf
    • python313Packages.gradio-pdf
    • python314Packages.gradio-pdf
    • python312Packages.gradio-client
    • python313Packages.gradio-client
    • python314Packages.gradio-client
    • pkgsRocm.python3Packages.gradio-pdf
    • pkgsRocm.python3Packages.gradio-client
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret


gradio
  • >= 4.16.0, < 6.6.0
Upstream advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m
NIXPKGS-2026-0505
published 3 months, 3 weeks ago
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @anthonyroussel ignored
    4 packages
    • capypdf
    • python312Packages.pypdf3
    • python313Packages.pypdf3
    • python314Packages.pypdf3
  • @anthonyroussel restored
    3 packages
    • python312Packages.pypdf3
    • python314Packages.pypdf3
    • python313Packages.pypdf3
  • @anthonyroussel ignored
    3 packages
    • python314Packages.pypdfium2
    • python313Packages.pypdfium2
    • python312Packages.pypdfium2
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Manipulated RunLengthDecode streams can exhaust RAM


pypdf
  • < 6.7.4
Upstream advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw
Upstream patch: https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858
NIXPKGS-2026-0487
published 3 months, 4 weeks ago
CVE-2026-22716
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    40 packages
    • helio-workstation
    • linuxPackages.vmware
    • linuxPackages_lqx.vmware
    • linuxPackages_zen.vmware
    • linuxPackages-libre.vmware
    • linuxPackages_latest.vmware
    • linuxPackages_xanmod.vmware
    • linuxPackages_hardened.vmware
    • linuxPackages_6_1_hardened.vmware
    • linuxPackages_6_6_hardened.vmware
    • linuxPackages_latest-libre.vmware
    • linuxPackages_5_10_hardened.vmware
    • linuxPackages_5_15_hardened.vmware
    • linuxPackages_xanmod_latest.vmware
    • linuxPackages_xanmod_stable.vmware
    • linuxKernel.packages.linux_5_4.vmware
    • linuxKernel.packages.linux_6_1.vmware
    • linuxKernel.packages.linux_6_6.vmware
    • linuxKernel.packages.linux_ham.vmware
    • linuxKernel.packages.linux_lqx.vmware
    • linuxKernel.packages.linux_zen.vmware
    • linuxKernel.packages.linux_5_10.vmware
    • linuxKernel.packages.linux_5_15.vmware
    • linuxKernel.packages.linux_6_12.vmware
    • linuxKernel.packages.linux_6_18.vmware
    • linuxKernel.packages.linux_6_19.vmware
    • linuxKernel.packages.linux_libre.vmware
    • linuxKernel.packages.linux_xanmod.vmware
    • linuxKernel.packages.linux_hardened.vmware
    • python312Packages.google-cloud-workstations
    • python313Packages.google-cloud-workstations
    • python314Packages.google-cloud-workstations
    • linuxKernel.packages.linux_6_1_hardened.vmware
    • linuxKernel.packages.linux_6_6_hardened.vmware
    • linuxKernel.packages.linux_latest_libre.vmware
    • linuxKernel.packages.linux_5_10_hardened.vmware
    • linuxKernel.packages.linux_5_15_hardened.vmware
    • linuxKernel.packages.linux_6_12_hardened.vmware
    • linuxKernel.packages.linux_xanmod_latest.vmware
    • linuxKernel.packages.linux_xanmod_stable.vmware
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

VMware Workstation out-of-bounds write vulnerability


Workstation
  • <25H2U1
Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36986
NIXPKGS-2026-0489
published 3 months, 4 weeks ago
CVE-2026-28338
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    21 packages
    • phpPackages.phpmd
    • php81Packages.phpmd
    • php82Packages.phpmd
    • php83Packages.phpmd
    • php84Packages.phpmd
    • php85Packages.phpmd
    • python312Packages.pyppmd
    • python313Packages.pyppmd
    • python314Packages.pyppmd
    • python312Packages.pmdarima
    • python313Packages.pmdarima
    • python314Packages.pmdarima
    • python312Packages.pytun-pmd3
    • python313Packages.pytun-pmd3
    • python314Packages.pytun-pmd3
    • python312Packages.sslpsk-pmd3
    • python313Packages.sslpsk-pmd3
    • python314Packages.sslpsk-pmd3
    • python312Packages.pmdsky-debug-py
    • python313Packages.pmdsky-debug-py
    • python314Packages.pmdsky-debug-py
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages


pmd
  • < 7.22.0
Upstream advisory: https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
Upstream patch: https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
NIXPKGS-2026-0488
published 3 months, 4 weeks ago
CVE-2026-22717
2.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    40 packages
    • helio-workstation
    • linuxPackages.vmware
    • linuxPackages_lqx.vmware
    • linuxPackages_zen.vmware
    • linuxPackages-libre.vmware
    • linuxPackages_latest.vmware
    • linuxPackages_xanmod.vmware
    • linuxPackages_hardened.vmware
    • linuxPackages_6_1_hardened.vmware
    • linuxPackages_6_6_hardened.vmware
    • linuxPackages_latest-libre.vmware
    • linuxPackages_5_10_hardened.vmware
    • linuxPackages_5_15_hardened.vmware
    • linuxPackages_xanmod_latest.vmware
    • linuxPackages_xanmod_stable.vmware
    • linuxKernel.packages.linux_5_4.vmware
    • linuxKernel.packages.linux_6_1.vmware
    • linuxKernel.packages.linux_6_6.vmware
    • linuxKernel.packages.linux_ham.vmware
    • linuxKernel.packages.linux_lqx.vmware
    • linuxKernel.packages.linux_zen.vmware
    • linuxKernel.packages.linux_5_15.vmware
    • linuxKernel.packages.linux_5_10.vmware
    • linuxKernel.packages.linux_latest_libre.vmware
    • linuxKernel.packages.linux_6_6_hardened.vmware
    • linuxKernel.packages.linux_5_10_hardened.vmware
    • linuxKernel.packages.linux_5_15_hardened.vmware
    • linuxKernel.packages.linux_6_12_hardened.vmware
    • linuxKernel.packages.linux_6_1_hardened.vmware
    • linuxKernel.packages.linux_xanmod_latest.vmware
    • python314Packages.google-cloud-workstations
    • linuxKernel.packages.linux_xanmod_stable.vmware
    • python313Packages.google-cloud-workstations
    • python312Packages.google-cloud-workstations
    • linuxKernel.packages.linux_hardened.vmware
    • linuxKernel.packages.linux_xanmod.vmware
    • linuxKernel.packages.linux_libre.vmware
    • linuxKernel.packages.linux_6_19.vmware
    • linuxKernel.packages.linux_6_18.vmware
    • linuxKernel.packages.linux_6_12.vmware
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

VMware Workstation out-of-bound read vulnerability


Workstation
  • <25H1U1
Upstream advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36986
NIXPKGS-2026-0492
published 3 months, 4 weeks ago
CVE-2026-28372
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 3 weeks ago by @anthonyroussel Activity log
  • Created suggestion
  • @anthonyroussel accepted
  • @anthonyroussel published on GitHub

telnetd in GNU inetutils through 2.7 allows privilege escalation that …


inetutils
  • <= 2.7
Upstream advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html
Upstream patch: https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386
NIXPKGS-2026-0491
published 3 months, 4 weeks ago
CVE-2026-27734
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 3 weeks ago by @anthonyroussel Activity log
  • Created suggestion
  • @anthonyroussel accepted
  • @anthonyroussel published on GitHub

Beszel Vulnerable to Docker API Path Traversal via Unsanitized Container ID


beszel
  • < 0.18.4
Upstream advisory: https://github.com/henrygd/beszel/security/advisories/GHSA-phwh-4f42-gwf3
Upstream patch: https://github.com/henrygd/beszel/commit/311095cfddda113863ca9656cf9e99411be1cef5
NIXPKGS-2026-0486
published 3 months, 4 weeks ago
CVE-2026-28406
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

kaniko has tar archive path traversal in build context extraction allows writing files outside destination directory


kaniko
  • >= 1.25.4, < 1.25.10
Upstream advisory: https://github.com/chainguard-forks/kaniko/security/advisories/GHSA-6rxq-q92g-4rmf
Upstream patch: https://github.com/chainguard-forks/kaniko/commit/a370e4b1f66e6e842b685c8f70ed507964c4b221