Nixpkgs Security Tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0052
published on 20 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
SiYuan vulnerable to arbitrary file read

SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue.

Affected products

siyuan
  • ==< 3.5.4

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

Package maintainers

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw
Upstream patches:
* https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd
* https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad
NIXPKGS-2026-0057
published on 20 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FreeRDP has heap-buffer-overflow in clear_decompress_bands_data

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Affected products

FreeRDP
  • ==< 3.21.0

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599
NIXPKGS-2026-0049
published on 20 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API

Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue.

Affected products

mailpit
  • ==< 1.28.3

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j
Upstream patch: https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe
NIXPKGS-2026-0053
published on 20 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.

Affected products

siyuan
  • ==< 3.5.4

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

Package maintainers

Upstream patch: https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv
NIXPKGS-2026-0046
published on 20 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FreeRDP has heap-buffer-overflow in clear_decompress

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Affected products

FreeRDP
  • ==< 3.21.0

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5
NIXPKGS-2026-0061
published on 20 Jan 2026
updated 1 month ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    5 packages
    • raylib-games
    • ocamlPackages.raylib
    • haskellPackages.h-raylib
    • python312Packages.raylib-python-cffi
    • python313Packages.raylib-python-cffi
  • @mweinelt removed maintainer @Sigmanificient
  • @mweinelt added maintainer @ehmry
  • @mweinelt removed maintainer @ehmry
  • @mweinelt accepted
  • @mweinelt published on GitHub
raysan5 raylib rtext.c GenImageFontAtlas heap-based overflow

A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying a patch is advised to resolve this issue.

Affected products

raylib
  • ==909f040

Matching in nixpkgs

pkgs.raylib

Simple and easy-to-use library to enjoy videogames programming

Package maintainers

NIXPKGS-2026-0058
published on 20 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    9 packages
    • python312Packages.aioesphomeapi
    • python312Packages.bleak-esphome
    • python313Packages.aioesphomeapi
    • python313Packages.bleak-esphome
    • python312Packages.esphome-glyphsets
    • python313Packages.esphome-glyphsets
    • home-assistant-component-tests.esphome
    • python312Packages.esphome-dashboard-api
    • python313Packages.esphome-dashboard-api
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices.

Affected products

esphome
  • ==>= 2025.9.0, < 2025.12.7

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx
Upstream patch: https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6
NIXPKGS-2026-0055
published on 20 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FreeRDP has heap-buffer-overflow in gdi_SurfaceToSurface

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Affected products

FreeRDP
  • ==< 3.21.0

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr
NIXPKGS-2026-0044
published on 19 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.

Affected products

kimai
  • ==< 2.46.0

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg
Upstream fix: https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f
NIXPKGS-2026-0045
published on 19 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Mailpit has SMTP Header Injection via Regex Bypass

Mailpit is an email testing tool and API for developers. Prior to version 1.28. Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

Affected products

mailpit
  • ==< 1.28.3

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c
Upstream fix: https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534