Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0028
published on
Permalink CVE-2026-22854
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse deleted maintainer @peterhoeg 3 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
FreeRDP has a heap-buffer-overflow in drive_process_irp_read

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0032
published on
Permalink CVE-2026-23528
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    16 packages
    • github-distributed-owners
    • haskellPackages.distributed-fork
    • haskellPackages.aivika-distributed
    • haskellPackages.distributed-static
    • haskellPackages.distributed-closure
    • haskellPackages.distributed-process
    • haskellPackages.powerqueue-distributed
    • haskellPackages.distributed-process-ekg
    • haskellPackages.distributed-process-async
    • haskellPackages.distributed-process-tests
    • haskellPackages.distributed-process-extras
    • haskellPackages.distributed-process-systest
    • haskellPackages.distributed-process-execution
    • haskellPackages.distributed-process-supervisor
    • haskellPackages.distributed-process-client-server
    • haskellPackages.distributed-process-monad-control
    3 months, 3 weeks ago
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
Dask distributed Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.

Affected products

distributed
  • ==< 2026.1.0

Matching in nixpkgs

Ignored packages (16)

Package maintainers

Upstream advisory: https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2
Upstream fix: https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa
NIXPKGS-2026-0035
published on
Permalink CVE-2025-11731
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 3 weeks ago
  • @LeSuisse ignored
    2 packages
    • python312Packages.libxslt
    • python313Packages.libxslt
    3 months, 3 weeks ago
  • @LeSuisse deleted maintainer @jtojnar 3 months, 3 weeks ago maintainer.delete
  • @LeSuisse accepted 3 months, 3 weeks ago
  • @LeSuisse published on GitHub 3 months, 3 weeks ago
Libxslt: type confusion in exsltfuncresultcompfunction of libxslt

A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.

Affected products

rhcos
libxslt
  • <1.1.44

Matching in nixpkgs

pkgs.libxslt

C library and tools to do XSL transformations

Ignored packages (2)

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0021
published on
Permalink CVE-2026-23490
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.pysnmp-pyasn1
    • python313Packages.pysnmp-pyasn1
    • python312Packages.pyasn1-modules
    • python313Packages.pyasn1-modules
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
pyasn1 has a DoS vulnerability in decoder

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Affected products

pyasn1
  • ==< 0.6.2

Matching in nixpkgs

Ignored packages (4) 
Upstream advisory: https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq
Upstream fix: https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970
NIXPKGS-2026-0024
published on
Permalink CVE-2026-22865
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    6 packages
    • gradle-completion
    • gradle_7-unwrapped
    • gradle_8-unwrapped
    • gradle_9-unwrapped
    • gradle-dependency-tree-diff
    • vscode-extensions.vscjava.vscode-gradle
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
Gradle's failure to disable repositories failing to answer can expose builds to malicious artifacts

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.

Affected products

gradle
  • ==< 9.3.0

Matching in nixpkgs

pkgs.gradle_7

Enterprise-grade build system

pkgs.gradle_9

Enterprise-grade build system

Ignored packages (6) 
Upstream advisory: https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv
NIXPKGS-2026-0020
published on
Permalink CVE-2026-22852
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
FreeRDP has a heap-buffer-overflow in audin_process_formats

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
NIXPKGS-2026-0022
published on
Permalink CVE-2026-22853
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
FreeRDP has a heap-buffer-overflow in ndr_read_uint8Array

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
NIXPKGS-2026-0023
published on
Permalink CVE-2026-22857
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
FreeRDP has a heap-use-after-free in irp_thread_func

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8
NIXPKGS-2026-0027
published on
Permalink CVE-2026-23535
8.0 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    3 packages
    • wlcs
    • wlclock
    • imewlconverter
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
wlc Path traversal: Unsanitized API slugs in download command

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

Affected products

wlc
  • ==< 1.17.2

Matching in nixpkgs

pkgs.wlc

Weblate commandline client using Weblate's REST API

Ignored packages (3)

pkgs.wlcs

Wayland Conformance Test Suite

pkgs.wlclock

Digital analog clock for Wayland desktops

Package maintainers

Upstream advisory: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg
Upstream patch: https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f
NIXPKGS-2026-0026
published on
Permalink CVE-2026-0915
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    24 packages
    • iconv
    • getent
    • locale
    • libc
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibc_multi
    • glibcLocales
    • glibc_memusage
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resovler

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Ignored packages (24)

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

Package maintainers

Upstream advisory: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0002;hb=HEAD