Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0005
published 5 months, 4 weeks ago
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

wb2osz/direwolf <= 1.8 Reachable Assertion DoS


direwolf
  • =<1.8
  • ==commit 3658a87
  • =<1.8.1
Patch: https://github.com/wb2osz/direwolf/commit/3658a878920803bbb69a4567579dcc4d6cb80a92
NIXPKGS-2026-0004
published 5 months, 4 weeks ago
Permalink CVE-2025-69194
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse deleted maintainer @SuperSandro2000 maintainer.delete
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Wget2: arbitrary file write via metalink path traversal in gnu wget2


wget2
  • =<2.2.0
  • ==2.2.1
NIXPKGS-2026-0008
published 5 months, 4 weeks ago
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package pretix-banktool
  • @LeSuisse deleted maintainer @mweinelt maintainer.delete
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Insecure direct object reference


pretix
  • <2025.9.0
  • <2025.10.0
  • <2025.8.0
  • <2025.11.0
https://github.com/NixOS/nixpkgs/pull/472420 (Unstable)
https://github.com/NixOS/nixpkgs/pull/472424 (25.11)
NIXPKGS-2026-0002
published 5 months, 4 weeks ago
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

wb2osz/direwolf <= 1.8 Stack-based Buffer Overflow DoS


direwolf
  • =<1.8
  • =<1.8.1
  • ==commit 694c954
Patch: https://github.com/wb2osz/direwolf/commit/694c95485b21c1c22bc4682703771dec4d7a374b
NIXPKGS-2026-0001
published 5 months, 4 weeks ago
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package qtscrcpy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Genymobile/scrcpy <= 3.3.3 Global Buffer Overflow


scrcpy
  • =<3.3.3
  • ==commit 3e40b24
Patch: https://github.com/Genymobile/scrcpy/commit/3e40b2473772cea3a23d4932088fd0bc4cc0f52c

Fixed in 3.3.4 https://github.com/Genymobile/scrcpy/releases/tag/v3.3.4
NIXPKGS-2026-0007
published 5 months, 4 weeks ago
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package pretix-banktool
  • @mweinelt accepted
  • @LeSuisse deleted maintainer @mweinelt maintainer.delete
  • @LeSuisse published on GitHub

Limited HTML injection in emails


pretix
  • <2025.9.0
  • <2025.7.0
  • <2025.10.0
  • <2025.8.0
fbad460b426553178200c2c13d3c3ffef3db61dd (unstable)
d367441a2a542b46bcd8966f654045b7054f5d39 (25.11)
95c90c7122daae516db39fffda5bb4e13dd9161e (25.05)
NIXPKGS-2025-0023
published 6 months, 1 week ago
Permalink CVE-2025-11683
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

YAML::Syck versions before 1.36 for Perl has missing Null-Terminators which causes Out-of-Bounds Read and potential Information Disclosure


YAML-Syck
  • <1.36
NIXPKGS-2025-0015
published 6 months, 3 weeks ago
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    14 packages
    • temporal-cli
    • python312Packages.temporalio
    • python313Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • haskellPackages.temporal-music-notation-western
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Insufficiently specific bounds checking on authorization header could lead to …


temporal
  • <1.26.3
  • <1.27.3
  • <1.28.1
NIXPKGS-2025-0022
published 6 months, 3 weeks ago
Permalink CVE-2025-11060
5.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package surrealdb-migrations
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Surrealdb: surrealdb is vulnerable to unauthorized data exposure via live query subscriptions


surrealdb
  • <2.1.9
  • <2.3.8
  • <2.2.8
  • <3.3.0-alpha.7
openshift-service-mesh/istio-cni-rhel9
openshift-service-mesh/istio-pilot-rhel9
openshift-service-mesh/istio-proxyv2-rhel9
openshift-service-mesh/istio-rhel9-operator
openshift-service-mesh/istio-must-gather-rhel9
openshift-service-mesh/istio-sail-operator-bundle
openshift-service-mesh-tech-preview/istio-ztunnel-rhel9
openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9
NIXPKGS-2025-0020
published 6 months, 3 weeks ago
Permalink CVE-2025-54770
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
  • @LeSuisse deleted maintainer @SigmaSquadron maintainer.delete
  • @LeSuisse added
    2 maintainers
    • @hehongbo
    • @digitalrane
    maintainer.add
  • @LeSuisse deleted maintainer @hehongbo maintainer.delete
  • @LeSuisse added maintainer @CertainLach maintainer.add
  • @LeSuisse deleted
    2 maintainers
    • @digitalrane
    • @CertainLach
    maintainer.delete
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Grub2: use-after-free in net_set_vlan


grub2
  • =<2.14
rhcos