Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0030
published on
Permalink CVE-2025-62395
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse ignored package moodle-dl 3 months, 3 weeks ago
  • @LeSuisse deleted maintainer @freezeboy 3 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
Moodle: external cohort search service leaks system cohort data

A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data.

References

Affected products

moodle
  • <4.1.21
  • <4.4.11
  • <4.5.7
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Ignored packages (1)

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0032
published on
Permalink CVE-2026-23528
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse ignored
    16 packages
    • github-distributed-owners
    • haskellPackages.distributed-fork
    • haskellPackages.aivika-distributed
    • haskellPackages.distributed-static
    • haskellPackages.distributed-closure
    • haskellPackages.distributed-process
    • haskellPackages.powerqueue-distributed
    • haskellPackages.distributed-process-ekg
    • haskellPackages.distributed-process-async
    • haskellPackages.distributed-process-tests
    • haskellPackages.distributed-process-extras
    • haskellPackages.distributed-process-systest
    • haskellPackages.distributed-process-execution
    • haskellPackages.distributed-process-supervisor
    • haskellPackages.distributed-process-client-server
    • haskellPackages.distributed-process-monad-control
    3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
Dask distributed Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.

Affected products

distributed
  • ==< 2026.1.0

Matching in nixpkgs

Ignored packages (16)

Package maintainers

Upstream advisory: https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2
Upstream fix: https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa
NIXPKGS-2026-0021
published on
Permalink CVE-2026-23490
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.pysnmp-pyasn1
    • python313Packages.pysnmp-pyasn1
    • python312Packages.pyasn1-modules
    • python313Packages.pyasn1-modules
    3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
pyasn1 has a DoS vulnerability in decoder

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Affected products

pyasn1
  • ==< 0.6.2

Matching in nixpkgs

Ignored packages (4) 
Upstream advisory: https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq
Upstream fix: https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970
NIXPKGS-2026-0020
published on
Permalink CVE-2026-22852
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
FreeRDP has a heap-buffer-overflow in audin_process_formats

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
NIXPKGS-2026-0018
published on
Permalink CVE-2026-22863
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse ignored
    12 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
Deno node:crypto doesn't finalize cipher

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

Affected products

deno
  • ==< 2.6.0

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Ignored packages (12)

Package maintainers

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v
NIXPKGS-2026-0025
published on
Permalink CVE-2026-23645
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

Affected products

siyuan
  • ==< 3.5.4-dev2

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

Package maintainers

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j
Upstream patch: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388
NIXPKGS-2026-0017
published on
Permalink CVE-2026-22816
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse ignored
    6 packages
    • gradle-dependency-tree-diff
    • vscode-extensions.vscjava.vscode-gradle
    • gradle_9-unwrapped
    • gradle_8-unwrapped
    • gradle_7-unwrapped
    • gradle-completion
    3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
Gradle fails to disable repositories which can expose builds to malicious artifacts

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.

Affected products

gradle
  • ==< 9.3.0

Matching in nixpkgs

pkgs.gradle_7

Enterprise-grade build system

pkgs.gradle_9

Enterprise-grade build system

Ignored packages (6) 
Upstream advisory: https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82
NIXPKGS-2026-0027
published on
Permalink CVE-2026-23535
8.0 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse ignored
    3 packages
    • wlcs
    • wlclock
    • imewlconverter
    3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
wlc Path traversal: Unsanitized API slugs in download command

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

Affected products

wlc
  • ==< 1.17.2

Matching in nixpkgs

pkgs.wlc

Weblate commandline client using Weblate's REST API

Ignored packages (3)

pkgs.wlcs

Wayland Conformance Test Suite

pkgs.wlclock

Digital analog clock for Wayland desktops

Package maintainers

Upstream advisory: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg
Upstream patch: https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f
NIXPKGS-2026-0019
published on
Permalink CVE-2026-22856
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
FreeRDP has a heap-use-after-free in create_irp_thread

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv
NIXPKGS-2026-0023
published on
Permalink CVE-2026-22857
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
FreeRDP has a heap-use-after-free in irp_thread_func

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8