Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1710
published 2 weeks, 5 days ago
Permalink CVE-2026-9504
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 2 weeks, 5 days ago by @LeSuisse Activity log

GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds

LibreDWG
  • ==0.9
  • ==0.10
  • ==0.1
  • ==0.14
  • ==0.13
  • ==0.4
  • ==0.3
  • ==0.11
  • ==0.7
  • ==0.6
  • ==0.5
  • ==0.8
  • ==0.12
  • ==0.2
NIXPKGS-2026-1709
published 2 weeks, 5 days ago
Permalink CVE-2026-9503
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 2 weeks, 5 days ago by @LeSuisse Activity log

GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference

LibreDWG
  • ==0.9
  • ==0.10
  • ==0.1
  • ==0.14
  • ==0.13
  • ==0.4
  • ==0.3
  • ==0.11
  • ==0.6
  • ==0.7
  • ==0.5
  • ==0.8
  • ==0.12
  • ==0.2
NIXPKGS-2026-1708
published 2 weeks, 5 days ago
Permalink CVE-2026-9502
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 2 weeks, 5 days ago by @LeSuisse Activity log

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow

LibreDWG
  • ==0.9
  • ==0.10
  • ==0.1
  • ==0.14
  • ==0.13
  • ==0.4
  • ==0.3
  • ==0.11
  • ==0.6
  • ==0.7
  • ==0.5
  • ==0.8
  • ==0.12
  • ==0.2
NIXPKGS-2026-1707
published 2 weeks, 5 days ago
Permalink CVE-2026-48851
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 weeks, 5 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 5 days ago
  • @LeSuisse accepted 2 weeks, 5 days ago
  • @LeSuisse published on GitHub 2 weeks, 5 days ago

PuTTY 0.77 before 0.84 uses a copy of the PuTTY …

PuTTY
  • <0.84
NIXPKGS-2026-1706
published 3 weeks, 3 days ago
Permalink CVE-2026-9150
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 3 days ago
  • @LeSuisse accepted 3 weeks, 3 days ago
  • @LeSuisse published on GitHub 3 weeks, 3 days ago

Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sha384/sha512 checksums

rhcos
libsolv
satellite-capsule:el8/libsolv
Fixed in 0.7.37.

https://github.com/openSUSE/libsolv/commit/0de68ee047a69a5aae5186f8939bd1d31113aa2a
NIXPKGS-2026-1705
published 3 weeks, 3 days ago
Permalink CVE-2026-24188
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 3 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 3 days ago
  • @LeSuisse ignored
    4 packages
    • cudaPackages.tensorrt-samples
    • python314Packages.tensorrt
    • python313Packages.tensorrt
    • python312Packages.tensorrt
    3 weeks, 3 days ago
  • @LeSuisse accepted 3 weeks, 3 days ago
  • @LeSuisse published on GitHub 3 weeks, 3 days ago

NVIDIA TensorRT contains a vulnerability where an attacker could cause …

TensorRT
  • <v10.16.1
NIXPKGS-2026-1704
published 3 weeks, 3 days ago
Permalink CVE-2026-9064
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 3 days ago
  • @LeSuisse accepted 3 weeks, 3 days ago
  • @LeSuisse published on GitHub 3 weeks, 3 days ago

389-ds-base: 389-ds-base: unbounded ldap controls count in get_ldapmessage_controls_ext() causes cpu and heap amplification (remote dos)

389-ds-base
389-ds:1.4/389-ds-base
redhat-ds:11/389-ds-base
redhat-ds:12/389-ds-base
NIXPKGS-2026-1703
published 3 weeks, 3 days ago
Permalink CVE-2026-40165
8.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 3 days ago
  • @LeSuisse ignored
    3 packages
    • authentik-outposts.ldap
    • authentik-outposts.proxy
    • authentik-outposts.radius
    3 weeks, 3 days ago
  • @LeSuisse accepted 3 weeks, 3 days ago
  • @LeSuisse published on GitHub 3 weeks, 3 days ago

authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation

authentik
  • ==< 2025.12.5
  • ==>= 2026.2.0-rc1, < 2026.2.3
NIXPKGS-2026-1702
published 3 weeks, 3 days ago
Permalink CVE-2026-26028
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 3 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 3 days ago
  • @LeSuisse accepted 3 weeks, 3 days ago
  • @LeSuisse published on GitHub 3 weeks, 3 days ago

CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS

cryptpad
  • ==< 2026.2.0
NIXPKGS-2026-1701
published 3 weeks, 3 days ago
Permalink CVE-2026-9149
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 weeks, 3 days ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 3 days ago
  • @LeSuisse accepted 3 weeks, 3 days ago
  • @LeSuisse published on GitHub 3 weeks, 3 days ago

Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file

rhcos
libsolv
satellite-capsule:el8/libsolv
Patch: https://github.com/openSUSE/libsolv/commit/210386037c892a720972ad35a3d8f7073b4d763b