Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0025
published on
Permalink CVE-2026-23645
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

Affected products

siyuan
  • ==< 3.5.4-dev2

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

Package maintainers

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j
Upstream patch: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388
NIXPKGS-2026-0018
published on
Permalink CVE-2026-22863
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    12 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
Deno node:crypto doesn't finalize cipher

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

Affected products

deno
  • ==< 2.6.0

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Ignored packages (12)

Package maintainers

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v
NIXPKGS-2026-0017
published on
Permalink CVE-2026-22816
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    6 packages
    • gradle-dependency-tree-diff
    • vscode-extensions.vscjava.vscode-gradle
    • gradle_9-unwrapped
    • gradle_8-unwrapped
    • gradle_7-unwrapped
    • gradle-completion
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
Gradle fails to disable repositories which can expose builds to malicious artifacts

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.

Affected products

gradle
  • ==< 9.3.0

Matching in nixpkgs

pkgs.gradle_7

Enterprise-grade build system

pkgs.gradle_9

Enterprise-grade build system

Ignored packages (6) 
Upstream advisory: https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82
NIXPKGS-2026-0019
published on
Permalink CVE-2026-22856
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
FreeRDP has a heap-use-after-free in create_irp_thread

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv
NIXPKGS-2026-0013
published on
Permalink CVE-2026-0861
8.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    21 packages
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • getent
    • locale
    • iconv
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibcLocales
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
Integer overflow in memalign leads to heap corruption

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc, valloc, pvalloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Ignored packages (21)

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

Package maintainers

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001
NIXPKGS-2026-0015
published on
Permalink CVE-2026-0989
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    8 packages
    • libxml2Python
    • sbclPackages.cl-libxml2
    • perlPackages.AlienLibxml2
    • python312Packages.libxml2
    • python313Packages.libxml2
    • perl538Packages.AlienLibxml2
    • perl540Packages.AlienLibxml2
    • tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
Libxml2: unbounded relaxng include recursion leading to stack overflow

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

References

Affected products

rhcos
libxml2

Matching in nixpkgs

Ignored packages (8)

Package maintainers

Fix MR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
NIXPKGS-2026-0016
published on
Permalink CVE-2026-0716
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
Libsoup: out-of-bounds read in libsoup websocket frame processing

A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.

Affected products

libsoup
libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

Ignored packages (1)

Package maintainers

Fix MR: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494
NIXPKGS-2026-0014
published on
Permalink CVE-2026-0992
2.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    8 packages
    • libxml2Python
    • sbclPackages.cl-libxml2
    • perlPackages.AlienLibxml2
    • python312Packages.libxml2
    • python313Packages.libxml2
    • perl538Packages.AlienLibxml2
    • perl540Packages.AlienLibxml2
    • tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
Libxml2: libxml2: denial of service via crafted xml catalogs

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

References

Affected products

rhcos
libxml2

Matching in nixpkgs

Ignored packages (8)

Package maintainers

Fix MR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/368
NIXPKGS-2026-0011
published on
Permalink CVE-2025-67554
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse accepted 4 months ago
  • @LeSuisse published on GitHub 4 months ago
WordPress Cookie Notice & Compliance for GDPR / CCPA plugin <= 2.5.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS.This issue affects Cookie Notice & Compliance for GDPR / CCPA: from n/a through <= 2.5.8.

Affected products

cookie-notice
  • =<<= 2.5.8

Matching in nixpkgs

NIXPKGS-2026-0009
published on
Permalink CVE-2025-15346
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse deleted
    2 maintainers
    • @fabaff
    • @vifino
    4 months ago maintainer.delete
  • @LeSuisse accepted 4 months ago
  • @LeSuisse published on GitHub 4 months ago
wolfSSL Python library `CERT_REQUIRED` mode fails to enforce client certificate requirement

A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.  Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.  This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.  The issue affects versions up to and including 5.8.2.

Affected products

wolfssl
  • =<5.8.2

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

Package maintainers

Ignored maintainers (2)