NIXPKGS-2026-1759

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-42184

6.1 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): None (N)
• User Interaction (UI): Passive (P)
• Vulnerable System Impact Confidentiality (VC): Low (L)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): Low (L)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Passive (P)
• Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): Low (L)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse ignored
  5 packages

  • cargo-tauri_1
  • python312Packages.datauri
  • python313Packages.datauri
  • python314Packages.datauri
  • vscode-extensions.tauri-apps.tauri-vscode
  2 weeks, 2 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

Tauri: Origin Confusion Allows Remote Pages to Invoke Local-Only IPC Commands

• https://github.com/tauri-apps/tauri/security/advisories/GHSA-7gmj-67g7-phm9 x_refsource_CONFIRMexploit

---

tauri

• ==>= 2.0, < 2.11.1

NIXPKGS-2026-1758

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-47104

5.1 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): Low (L)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): Low (L)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse ignored
  14 packages

  • libusbp
  • libusbgx
  • libusbsio
  • libusbmuxd
  • libusb-compat-0_1
  • python312Packages.libusb1
  • python313Packages.libusb1
  • python314Packages.libusb1
  • python312Packages.libusbsio
  • python313Packages.libusbsio
  • python314Packages.libusbsio
  • python312Packages.libusb-package
  • python313Packages.libusb-package
  • python314Packages.libusb-package
  2 weeks, 2 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

libusb < 1.0.30 Out-of-Bounds Read in parse_iad_array()

• https://github.com/libusb/libusb/releases/tag/v1.0.30 release-notes
• https://github.com/libusb/libusb/issues/1813 technical-description
• https://github.com/libusb/libusb/pull/1814 issue-tracking
• https://github.com/libusb/libusb/commit/578ab76b4c434f8b204137ab6d7310689c7a9704 patch
• https://www.vulncheck.com/advisories/libusb-out-of-bounds-read-in-parse-iad-arr… third-party-advisory

---

libusb

• <1.0.30

NIXPKGS-2026-1760

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-44346

8.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml

• https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44 x_refsource_CONFIRM

---

BentoML

• ==< 1.4.39

NIXPKGS-2026-1756

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-44345

8.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

BentoML: Dockerfile command injection via docker.base_image

• https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2 x_refsource_CONFIRMexploit

---

BentoML

• ==< 1.4.39

NIXPKGS-2026-1757

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-9759

5.5 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): None (N)
• Integrity (I): None (N)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): High (H)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

NULL Pointer Dereference in Wireshark

• https://www.wireshark.org/security/wnpa-sec-2026-51.html
• https://gitlab.com/wireshark/wireshark/-/work_items/21243

---

Wireshark

• <4.4.16
• <4.6.6

NIXPKGS-2026-1755

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-44988

8.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

LibVNCClient Tight Gradient decoding allows malicious server-triggered heap/stack OOB writes

• https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58 x_refsource_CONFIRM
• https://github.com/LibVNC/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1 x_refsource_MISC

---

libvncserver

• ==<= 0.9.15

NIXPKGS-2026-1754

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-48962

7.3 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): Low (L)
• Integrity (I): Low (L)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): Low (L)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse ignored
  9 packages

  • perlPackages.CompressZlib
  • perl538Packages.IOCompress
  • perl5Packages.CompressZlib
  • perl538Packages.CompressZlib
  • perl540Packages.IOCompressBrotli
  • perl538Packages.IOCompressBrotli
  • perl5Packages.IOCompressBrotli
  • perlPackages.IOCompressBrotli
  • perl540Packages.CompressZlib
  2 weeks, 2 days ago
• @LeSuisse restored package perl538Packages.IOCompress 2 weeks, 2 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob

• https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b… patch
• https://metacpan.org/release/PMQS/IO-Compress-2.220/changes release-notes
• http://www.openwall.com/lists/oss-security/2026/05/27/4

---

IO-Compress

• <2.220

NIXPKGS-2026-1753

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2025-15649

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse ignored
  8 packages

  • perlPackages.CompressZlib
  • perlPackages.IOCompressBrotli
  • perl5Packages.IOCompressBrotli
  • perl538Packages.IOCompressBrotli
  • perl540Packages.CompressZlib
  • perl540Packages.IOCompressBrotli
  • perl5Packages.CompressZlib
  • perl538Packages.CompressZlib
  2 weeks, 2 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date

• https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf… patch
• https://github.com/pmqs/IO-Compress/issues/65 issue-tracking
• https://metacpan.org/release/PMQS/IO-Compress-2.215/changes release-notes
• http://www.openwall.com/lists/oss-security/2026/05/27/1

---

IO-Compress

• <2.215

NIXPKGS-2026-1752

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-44590

9.3 CRITICAL

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Changed (C)
• Confidentiality (C): Low (L)
• Integrity (I): High (H)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Changed (C)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): None (N)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 3 days ago
• @LeSuisse ignored
  2 packages

  • sherlock-launcher
  • open-music-kontrollers.sherlock
  2 weeks, 2 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml

• https://github.com/sherlock-project/sherlock/security/advisories/GHSA-v6wr-ccr4-x8g9 x_refsource_CONFIRM

---

sherlock

• ==< 0.16.1

NIXPKGS-2026-1751

GitHub issue published 2 weeks, 2 days ago

Permalink CVE-2026-44776

5.9 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): High (H)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): High (H)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Provider Urgency (U): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

• Created suggestion 2 weeks, 4 days ago
• @LeSuisse accepted 2 weeks, 2 days ago
• @LeSuisse published on GitHub 2 weeks, 2 days ago

Kavita: IDOR in /api/Download/*

• https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr x_refsource_CONFIRMexploit

---

Kavita

• ==< 0.9.0