Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1770
published 2 weeks, 2 days ago
CVE-2026-49128
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • ympd
    • mpdas
  • @LeSuisse ignored reference https://w…
  • @LeSuisse ignored
    45 packages
    • mympd
    • rtmpdump
    • mpd-mpris
    • mpd-small
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • mpdcron
    • mpdris2
    • rofi-mpd
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • mpd-sima
    • chickenPackages_5.chickenEggs.mpd-client
    • home-assistant-component-tests.mpd
    • haskellPackages.mpd-current-json
    • perl540Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl538Packages.TestTempDirTiny
    • libmpd
    • perl538Packages.FileUtilTempdir
    • haskellPackages.compdata-fixplate
    • compdb
  • @LeSuisse restored package mpd-small
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling


MPD
  • <0.24.11
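The issue above is a path traversal in a storage backend that turns URIs into filesystem paths. The following is an added example, not MPD's code and not a reproduction of the MPD bug: it contrasts the vulnerable "decode and join" pattern with a containment check. The root directory, the percent-encoded path component and the exception type are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed example root; any music directory would do. Not MPD's layout.
MUSIC_ROOT = "/var/lib/mpd/music"


class PathEscapesRoot(ValueError):
    """Raised when a URI-derived path would resolve outside the storage root."""


def resolve_unsafe(root: str, uri_path: str) -> str:
    """The vulnerable pattern: decode and join, never check containment.

    Enough '..' components walk straight out of the root.
    """
    return posixpath.normpath(posixpath.join(root, unquote(uri_path)))


def resolve_confined(root: str, uri_path: str) -> str:
    """Decode first, normalise, then prove the result is still under root.

    This is a lexical check (no filesystem access) so it runs offline; a
    real storage backend should additionally realpath() both sides so a
    symlink inside the tree cannot point outside it.
    """
    decoded = unquote(uri_path)  # check AFTER decoding, never before
    if "\0" in decoded or decoded.startswith("/"):
        raise PathEscapesRoot(uri_path)
    root_n = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_n, decoded))
    # commonpath is the containment test; a plain startswith() would accept
    # "/var/lib/mpd/music2/x" (reachable via "../music2/x") for this root.
    if posixpath.commonpath([root_n, candidate]) != root_n:
        raise PathEscapesRoot(uri_path)
    return candidate
```

The order matters: percent-decoding after the check lets `%2e%2e` slip through, which is why `resolve_confined` decodes first and validates the final normalised path rather than the input string.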
NIXPKGS-2026-1769
published 2 weeks, 2 days ago
CVE-2026-44465
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    48 packages
    • oxidized
    • zed
    • spicedb-zed
    • colorized-logs
    • zed-editor-fhs
    • zed-open-capture
    • ocamlPackages.zed
    • dircolors-solarized
    • nerd-fonts.zed-mono
    • typstPackages.mazed
    • zed-discord-presence
    • ue4demos.stylized_demo
    • haskellPackages.bv-sized
    • ocamlPackages_latest.zed
    • numix-solarized-gtk-theme
    • typstPackages.mazed_0_1_0
    • haskellPackages.vector-sized
    • haskellPackages.parameterized
    • haskellPackages.sized-wrapper
    • gnomeExtensions.hide-minimized
    • python312Packages.parameterized
    • python313Packages.parameterized
    • python314Packages.parameterized
    • haskellPackages.sized-wrapper-text
    • gnomeExtensions.zed-search-provider
    • haskellPackages.parameterized-utils
    • haskellPackages.sized-wrapper-aeson
    • haskellPackages.hmatrix-vector-sized
    • perlPackages.MooseXRoleParameterized
    • perl5Packages.MooseXRoleParameterized
    • gnomeExtensions.truly-maximized-windows
    • perl538Packages.MooseXRoleParameterized
    • perl540Packages.MooseXRoleParameterized
    • haskellPackages.sized-wrapper-quickcheck
    • gnomeExtensions.minimized-windows-buttons
    • python312Packages.drf-standardized-errors
    • python313Packages.drf-standardized-errors
    • python314Packages.drf-standardized-errors
    • gnomeExtensions.no-titlebar-when-maximized
    • vimPlugins.nvim-treesitter-parsers.authzed
    • nixos-artwork.wallpapers.nineish-solarized-dark
    • chickenPackages_5.chickenEggs.generalized-arrays
    • gnomeExtensions.maximized-by-default-actually-reborn
    • vscode-extensions.brandonkirbyson.solarized-palenight
    • python312Packages.mkdocs-git-revision-date-localized-plugin
    • guile-colorized
    • python314Packages.mkdocs-git-revision-date-localized-plugin
    • python313Packages.mkdocs-git-revision-date-localized-plugin
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zed: Zed IDE Arbitrary Code Execution via untrusted repository with poisoned .git/config


zed
  • <0.227.1
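The Zed entry above describes code execution from a repository whose `.git/config` is attacker-controlled: git reads several configuration values as commands to run, so any tool that invokes git inside a freshly cloned directory inherits that. The following is an added example, not Zed's code and not the fix Zed shipped: a scanner that parses a `.git/config` and flags the keys git executes. Which key the Zed advisory actually involved is not stated on the page; the key list, the sample config and the naive comment handling are assumptions.

```python
import re

# Assumption: keys whose values git itself runs as commands, so a repository
# that ships them controls code execution the moment git runs in it.
EXECUTABLE_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand", "core.pager",
    "core.editor", "core.gitproxy", "core.askpass", "diff.external",
    "credential.helper", "uploadpack.packobjectshook", "gpg.program",
}
EXECUTABLE_KEY_PATTERNS = (
    re.compile(r"^diff\.[^.]+\.textconv$"),
    re.compile(r"^filter\.[^.]+\.(?:clean|smudge|process)$"),
    re.compile(r"^merge\.[^.]+\.driver$"),
)

_SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
_KEY = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$")


def parse_git_config(text: str):
    """Yield (key, value) pairs using git's dotted key names.

    Section and key names are case-insensitive in git and are lowercased;
    subsection names keep their case. Trailing comments are stripped
    naively (a '#' inside a quoted value is not handled).
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        if section is None:
            continue
        m = _KEY.match(line)
        if not m:
            continue
        value = m.group(2) if m.group(2) is not None else "true"
        value = re.split(r"\s[#;]", value, maxsplit=1)[0].strip()
        yield f"{section}.{m.group(1).lower()}", value


def dangerous_settings(text: str):
    """Return the (key, value) pairs that would execute attacker-chosen code."""
    hits = []
    for key, value in parse_git_config(text):
        if key in EXECUTABLE_KEYS or any(p.match(key) for p in EXECUTABLE_KEY_PATTERNS):
            hits.append((key, value))
        elif key.startswith("alias.") and value.startswith("!"):
            hits.append((key, value))  # "!" aliases are run through the shell
    return hits


# Constructed sample: a poisoned config as an untrusted repository might ship it.
SAMPLE_CONFIG = "\n".join([
    "[core]",
    "\trepositoryformatversion = 0",
    "\tfsmonitor = /tmp/evil.sh",
    "\thooksPath = .githooks",
    '[remote "origin"]',
    "\turl = https://example.invalid/repo.git",
    '[filter "lfs"]',
    "\tsmudge = git-lfs smudge -- %f",
    "[alias]",
    "\tst = status",
    "\tpwn = !sh -c 'id > /tmp/pwned'",
    "",
])
```

A legitimate `filter.lfs.smudge` is flagged too, and that is the point: the scanner cannot tell a benign value from a hostile one, so an editor that opens an untrusted repository should treat every one of these keys as hostile until the user has reviewed them.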
NIXPKGS-2026-1768
published 2 weeks, 2 days ago
CVE-2026-4868
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    45 packages
    • gitlab-art
    • ocamlPackages.gitlab-jsoo
    • ocamlPackages.gitlab-unix
    • rubyPackages.gitlab-markup
    • terraform-providers.gitlab
    • ocamlPackages_latest.gitlab
    • gitlab-elasticsearch-indexer
    • haskellPackages.gitlab-haskell
    • rubyPackages_3_3.gitlab-markup
    • rubyPackages_3_4.gitlab-markup
    • rubyPackages_4_0.gitlab-markup
    • python312Packages.mkdocs-gitlab
    • python312Packages.python-gitlab
    • python313Packages.mkdocs-gitlab
    • python313Packages.python-gitlab
    • python314Packages.mkdocs-gitlab
    • python314Packages.python-gitlab
    • ocamlPackages_latest.gitlab-jsoo
    • ocamlPackages_latest.gitlab-unix
    • terraform-providers.gitlabhq_gitlab
    • gnomeExtensions.gitlab-time-tracking
    • prometheus-gitlab-ci-pipelines-exporter
    • vscode-extensions.gitlab.gitlab-workflow
    • perlPackages.AlienBuildPluginDownloadGitLab
    • perl5Packages.AlienBuildPluginDownloadGitLab
    • perl538Packages.AlienBuildPluginDownloadGitLab
    • perl540Packages.AlienBuildPluginDownloadGitLab
    • gitlab-runner
    • gitlab-triage
    • gitlab-ci-local
    • gitlab-timelogs
    • gitlab-ci-linter
    • gitlab-workhorse
    • gitlab-release-cli
    • ocamlPackages.gitlab
    • vimPlugins.gitlab-vim
    • gitlab-container-registry
    • gitlab-duo
    • gitlab-kas
    • gitlab-ci-ls
    • gitlab-pages
    • gitlab-ee
    • danger-gitlab
    • gitlab-clippy
    • gitlab-shell
  • @LeSuisse restored package gitlab-ee
  • @LeSuisse ignored
    5 maintainers
    • @yayayayaka
    • @leona-ya
    • @talyz
    • @globin
    • @krav
    maintainer.ignore
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Authorization Bypass Through User-Controlled Key in GitLab


GitLab
  • <18.10.7
  • <19.0.1
  • <18.11.4
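"Authorization Bypass Through User-Controlled Key" (CWE-639) is the bug class where a handler fetches a record by a client-supplied identifier and never checks whether the caller may see that record. The following is an added example, not GitLab code and not the affected endpoint: it shows the vulnerable lookup beside a lookup that scopes the result to the caller's access before returning it. The data model (projects, members, notes) is a constructed stand-in.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Used for both 'does not exist' and 'not yours', so ids cannot be enumerated."""


@dataclass(frozen=True)
class Note:
    id: int
    project_id: int
    body: str


# Constructed data: two projects, one member each, one note per project.
NOTES = {
    101: Note(101, 10, "release checklist"),
    102: Note(102, 20, "unpublished incident write-up"),
}
PROJECT_MEMBERS = {10: {"alice"}, 20: {"bob"}}


def get_note_vulnerable(user: str, note_id: int) -> Note:
    """Looks the object up by the client-supplied key alone.

    `user` is accepted but never consulted: anyone who can guess or
    observe an id reads the note.
    """
    try:
        return NOTES[note_id]
    except KeyError:
        raise NotFound(note_id) from None


def accessible_project_ids(user: str) -> set:
    """The caller's authorization scope, computed server-side."""
    return {pid for pid, members in PROJECT_MEMBERS.items() if user in members}


def get_note_authorized(user: str, note_id: int) -> Note:
    """Fetch by id, then verify the fetched row lies inside the caller's scope.

    A guessed id outside that scope is answered exactly like a missing id.
    """
    note = NOTES.get(note_id)
    if note is None or note.project_id not in accessible_project_ids(user):
        raise NotFound(note_id)
    return note
```

In an ORM the same shape is "start from the caller's accessible collection and call find on it", rather than "find globally and hope the view hides it".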
NIXPKGS-2026-1766
published 2 weeks, 2 days ago
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • perlPackages.CompressZlib
    • perl538Packages.IOCompress
    • perl540Packages.IOCompress
    • perl538Packages.CompressZlib
    • perl540Packages.CompressZlib
    • perl5Packages.CompressZlib
    • perlPackages.IOCompressBrotli
    • perl5Packages.IOCompressBrotli
    • perl538Packages.IOCompressBrotli
    • perl540Packages.IOCompressBrotli
  • @LeSuisse restored
    2 packages
    • perl540Packages.IOCompress
    • perl538Packages.IOCompress
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward


IO-Compress
  • <2.220
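The IO::Uncompress::Unzip entry above is a CPU-exhaustion bug in a routine that skips forward through a stream looking for the next zip record. The following is an added example in Python, not the Perl module's code and not its fix: it contrasts a per-byte read loop with a buffered search that keeps a short tail across block boundaries and caps the total number of bytes it will scan. The reader wrapper, the limit and the sample data are constructed for illustration.

```python
import io

LOCAL_FILE_HEADER = b"PK\x03\x04"  # zip local file header signature


class CountingReader:
    """Wraps an in-memory stream and counts read() calls, to make the cost visible."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)
        self.reads = 0

    def read(self, n: int) -> bytes:
        self.reads += 1
        return self._buf.read(n)


def fast_forward_per_byte(reader, limit: int):
    """Pattern to avoid: one read() per byte, re-checking the signature each time.

    Returns the offset of the signature, or None if `limit` bytes pass
    without finding it. Cost is one read() call per byte of garbage.
    """
    window = b""
    pos = 0
    while pos < limit:
        b = reader.read(1)
        if not b:
            return None
        pos += 1
        window = (window + b)[-len(LOCAL_FILE_HEADER):]
        if window == LOCAL_FILE_HEADER:
            return pos - len(LOCAL_FILE_HEADER)
    return None


def fast_forward_chunked(reader, limit: int, chunk: int = 65536):
    """Read in blocks, search with bytes.find, keep a 3-byte tail for straddling matches.

    Same contract as above; the number of read() calls scales with
    data size / `chunk`, and `limit` bounds the total work regardless of
    how much garbage the input contains.
    """
    tail = b""
    pos = 0  # bytes read from the stream so far
    while pos < limit:
        block = reader.read(min(chunk, limit - pos))
        if not block:
            return None
        buf = tail + block
        idx = buf.find(LOCAL_FILE_HEADER)
        if idx != -1:
            return pos - len(tail) + idx
        pos += len(block)
        tail = buf[-(len(LOCAL_FILE_HEADER) - 1):]
    return None


# Constructed sample: 4000 bytes of filler before a local file header.
SAMPLE = b"junk" * 1000 + LOCAL_FILE_HEADER + b"rest"
```

Both functions return the same offset; the difference is how many times the underlying stream is touched and whether an input with no signature at all can keep the scanner busy indefinitely.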
NIXPKGS-2026-1767
published 2 weeks, 2 days ago
CVE-2026-23679
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    14 packages
    • libusbmuxd
    • libusb-compat-0_1
    • python312Packages.libusb1
    • python313Packages.libusb1
    • python314Packages.libusb1
    • python312Packages.libusbsio
    • python313Packages.libusbsio
    • python314Packages.libusbsio
    • python312Packages.libusb-package
    • python313Packages.libusb-package
    • python314Packages.libusb-package
    • libusbsio
    • libusbgx
    • libusbp
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

libusb < 1.0.30 NULL Pointer Dereference in parse_interface()


libusb
  • <1.0.30
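The libusb entry above is a NULL pointer dereference while parsing interface descriptors, that is, while walking the configuration descriptor a device returns. The following is an added example in Python, not libusb's `parse_interface()` and not a reproduction of the specific faulty path: it shows the validation a walker of this format needs (header length, descriptor type, truncation, declared versus present endpoints) so that a malformed descriptor chain is rejected rather than dereferenced. The field layout follows the USB 2.0 standard descriptors; the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass, field

DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT = 2, 4, 5


class MalformedDescriptor(ValueError):
    """Raised instead of reading past the buffer or trusting a bad length."""


@dataclass
class Endpoint:
    address: int
    attributes: int
    max_packet_size: int
    interval: int


@dataclass
class Interface:
    number: int
    alt_setting: int
    declared_endpoints: int
    endpoints: list = field(default_factory=list)


def iter_descriptors(blob: bytes):
    """Walk a descriptor chain by bLength, validating each header before use."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise MalformedDescriptor(f"truncated descriptor header at {off}")
        blen, btype = blob[off], blob[off + 1]
        if blen < 2:
            raise MalformedDescriptor(f"bLength {blen} at {off} would not advance")
        if off + blen > len(blob):
            raise MalformedDescriptor(f"descriptor at {off} claims {blen} bytes, {len(blob) - off} left")
        yield btype, blob[off:off + blen]
        off += blen


def parse_configuration(blob: bytes) -> list:
    """Parse a configuration descriptor and its interface/endpoint descriptors.

    Unknown descriptor types (class-specific and so on) are skipped. Each
    interface must carry exactly the number of endpoint descriptors it
    declares, and an endpoint before any interface is an error.
    """
    descs = list(iter_descriptors(blob))
    if not descs or descs[0][0] != DT_CONFIGURATION or len(descs[0][1]) < 9:
        raise MalformedDescriptor("missing configuration descriptor")
    total_length = struct.unpack_from("<H", descs[0][1], 2)[0]
    if total_length != len(blob):
        raise MalformedDescriptor(f"wTotalLength {total_length} != {len(blob)} bytes supplied")
    interfaces: list = []
    current = None
    for btype, d in descs[1:]:
        if btype == DT_INTERFACE:
            if len(d) < 9:
                raise MalformedDescriptor("short interface descriptor")
            current = Interface(number=d[2], alt_setting=d[3], declared_endpoints=d[4])
            interfaces.append(current)
        elif btype == DT_ENDPOINT:
            if current is None:
                raise MalformedDescriptor("endpoint descriptor before any interface")
            if len(d) < 7:
                raise MalformedDescriptor("short endpoint descriptor")
            current.endpoints.append(
                Endpoint(d[2], d[3], struct.unpack_from("<H", d, 4)[0], d[6]))
    for itf in interfaces:
        if len(itf.endpoints) != itf.declared_endpoints:
            raise MalformedDescriptor(
                f"interface {itf.number} declares {itf.declared_endpoints} endpoints, found {len(itf.endpoints)}")
    return interfaces


def build_config(num_endpoints: int) -> bytes:
    """Constructed sample: one configuration, one vendor interface, one bulk IN endpoint."""
    interface = bytes([9, DT_INTERFACE, 0, 0, num_endpoints, 0xFF, 0, 0, 0])
    endpoint = bytes([7, DT_ENDPOINT, 0x81, 0x02]) + struct.pack("<H", 64) + bytes([0])
    body = interface + endpoint
    header = bytes([9, DT_CONFIGURATION]) + struct.pack("<H", 9 + len(body)) + bytes([1, 1, 0, 0x80, 50])
    return header + body


GOOD_CONFIG = build_config(1)
LYING_CONFIG = build_config(2)  # declares two endpoints, ships one
```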
NIXPKGS-2026-1763
published 2 weeks, 2 days ago
CVE-2026-44681
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    15 packages
    • python312Packages.oauthlib
    • python313Packages.oauthlib
    • python314Packages.oauthlib
    • python312Packages.hawkauthlib
    • python313Packages.hawkauthlib
    • python314Packages.hawkauthlib
    • python312Packages.aiohttp-oauthlib
    • python313Packages.aiohttp-oauthlib
    • python314Packages.aiohttp-oauthlib
    • python312Packages.requests-oauthlib
    • python313Packages.requests-oauthlib
    • python314Packages.requests-oauthlib
    • python312Packages.google-auth-oauthlib
    • python314Packages.google-auth-oauthlib
    • python313Packages.google-auth-oauthlib
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Authlib: Open Redirect in Authlib OIDC Implicit/Hybrid Authorization


authlib
  • <1.6.12
  • >=1.7.0, <1.7.1
NIXPKGS-2026-1765
published 2 weeks, 2 days ago
CVE-2026-48545
7.6 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • python312Packages.gradio-pdf
    • python313Packages.gradio-pdf
    • python314Packages.gradio-pdf
    • pkgsRocm.python3Packages.gradio
    • python312Packages.gradio-client
    • python313Packages.gradio-client
    • python314Packages.gradio-client
    • pkgsRocm.python3Packages.gradio-pdf
    • pkgsRocm.python3Packages.gradio-client
  • @LeSuisse restored package pkgsRocm.python3Packages.gradio
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Gradio < 6.15.0 Cookie Injection via Shared Proxy Client


gradio
  • <6.15.0
NIXPKGS-2026-1764
published 2 weeks, 2 days ago
CVE-2026-8450
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • perlPackages.HTTPDaemonSSL
    • perl5Packages.HTTPDaemonSSL
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()


HTTP-Daemon
  • <6.17
NIXPKGS-2026-1762
published 2 weeks, 2 days ago
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • perl540Packages.IOCompressBrotli
    • perl538Packages.IOCompressBrotli
    • perl5Packages.IOCompressBrotli
    • perlPackages.IOCompressBrotli
    • perl540Packages.CompressZlib
    • perl5Packages.CompressZlib
    • perl540Packages.IOCompress
    • perlPackages.CompressZlib
    • perl538Packages.CompressZlib
  • @LeSuisse restored package perl540Packages.IOCompress
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID


IO-Compress
  • <2.220
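The zipdetails entry above concerns the Info-ZIP "New Unix Extra Field" (tag 0x7875, "ux"), whose UID and GID are stored as variable-width little-endian integers preceded by a one-byte size; the crash is on the 8-byte width. The following is an added example in Python, not the Perl module's code and not its fix: a parser for the extra-field container and for the `ux` field that accepts any integer width and rejects truncation. The builder and the sample values are constructed for illustration.

```python
import struct

UX_TAG = 0x7875  # Info-ZIP "New Unix Extra Field" ("ux")


class ExtraFieldError(ValueError):
    pass


def iter_extra_fields(extra: bytes):
    """Split a zip extra-field blob into (tag, data) pairs.

    Each field is a 2-byte tag and a 2-byte data size, little-endian.
    """
    off = 0
    while off < len(extra):
        if len(extra) - off < 4:
            raise ExtraFieldError(f"truncated extra-field header at {off}")
        tag, size = struct.unpack_from("<HH", extra, off)
        off += 4
        if off + size > len(extra):
            raise ExtraFieldError(f"tag 0x{tag:04x} claims {size} bytes, {len(extra) - off} left")
        yield tag, extra[off:off + size]
        off += size


def _read_sized_int(data: bytes, off: int):
    """Read a 1-byte size, then a little-endian unsigned int of that many bytes."""
    if off >= len(data):
        raise ExtraFieldError("missing size byte")
    n = data[off]
    off += 1
    if off + n > len(data):
        raise ExtraFieldError(f"{n}-byte integer does not fit in ux field")
    return int.from_bytes(data[off:off + n], "little"), off + n


def parse_ux(data: bytes) -> dict:
    """Parse the 'ux' field: Version(1), UIDSize(1), UID, GIDSize(1), GID.

    Any width is accepted, 8 included, because int.from_bytes does not
    care how many bytes it is handed; a fixed-width unpack would not.
    """
    if not data:
        raise ExtraFieldError("empty ux field")
    version = data[0]
    uid, off = _read_sized_int(data, 1)
    gid, off = _read_sized_int(data, off)
    if off != len(data):
        raise ExtraFieldError(f"{len(data) - off} trailing bytes in ux field")
    return {"version": version, "uid": uid, "gid": gid}


def build_ux(uid: int, gid: int, width: int) -> bytes:
    """Constructed test data: a complete ux extra field with `width`-byte ids."""
    body = bytes([1, width]) + uid.to_bytes(width, "little") + bytes([width]) + gid.to_bytes(width, "little")
    return struct.pack("<HH", UX_TAG, len(body)) + body


def unix_owner(extra: bytes):
    """Return (uid, gid) from the first ux field in `extra`, or None if absent."""
    for tag, data in iter_extra_fields(extra):
        if tag == UX_TAG:
            d = parse_ux(data)
            return d["uid"], d["gid"]
    return None
```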
NIXPKGS-2026-1761
published 2 weeks, 2 days ago
CVE-2026-49014
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 2 days ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • ocamlPackages.gdal
    • haskellPackages.hgdal
    • ocamlPackages_latest.gdal
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver …


GDAL
  • <=3.13.0
Patch: https://github.com/OSGeo/gdal/commit/c49254dc6380af2f02ff43ca79e3cf7c1bc82f01 (master)
Patch: https://github.com/OSGeo/gdal/commit/50eea7456d83c9586f112ef96b43249372839dea (3.13)