Nixpkgs Security Tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0031
published on 18 Jan 2026
Permalink CVE-2025-14017
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month ago
  • @LeSuisse removed
    11 packages
    • wcurl
    • curlie
    • curlpp
    • phpExtensions.curl
    • curl-impersonate
    • curlWithGnuTls
    • curlMinimal
    • guile-curl
    • curlftpfs
    • curlHTTP3
    • grpcurl
    1 month ago
  • @LeSuisse added package curlMinimal 1 month ago
  • @LeSuisse removed
    33 packages
    • curl-impersonate-ff
    • ocamlPackages.curly
    • ocamlPackages.ocurl
    • tclPackages.tclcurl
    • haskellPackages.curl
    • luaPackages.lua-curl
    • perlPackages.WWWCurl
    • php81Extensions.curl
    • php82Extensions.curl
    • php83Extensions.curl
    • haskellPackages.curlhs
    • php84Extensions.curl
    • lua51Packages.lua-curl
    • lua52Packages.lua-curl
    • lua53Packages.lua-curl
    • lua54Packages.lua-curl
    • curl-impersonate-chrome
    • luajitPackages.lua-curl
    • perl538Packages.WWWCurl
    • perl540Packages.WWWCurl
    • haskellPackages.hxt-curl
    • python312Packages.pycurl
    • python313Packages.pycurl
    • python312Packages.curlify
    • python313Packages.curlify
    • tests.pkg-config.defaultPkgConfigPackages.libcurl
    • haskellPackages.recurly-client
    • haskellPackages.curly-expander
    • haskellPackages.curl-cookiejar
    • haskellPackages.download-curl
    • python313Packages.curl-cffi
    • python312Packages.curl-cffi
    • typstPackages.curli_0_1_0
    1 month ago
  • @LeSuisse removed
    2 maintainers
    • @Scrumplex
    • @lovek323
    1 month ago
  • @LeSuisse added
    14 maintainers
    • @GGG-KILLER
    • @deliciouslytyped
    • @Ma27
    • @CrazedProgrammer
    • @knl
    • @ethancedwards8
    • @piotrkwiecinski
    • @aanderse
    • @talyz
    • @chuangzhu
    • @fgaz
    • @bennofs
    • @D4ndellion
    • @sternenseemann
    1 month ago
  • @LeSuisse removed
    14 maintainers
    • @GGG-KILLER
    • @deliciouslytyped
    • @Ma27
    • @CrazedProgrammer
    • @knl
    • @ethancedwards8
    • @piotrkwiecinski
    • @aanderse
    • @talyz
    • @chuangzhu
    • @fgaz
    • @bennofs
    • @D4ndellion
    • @sternenseemann
    1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
broken TLS options for threaded LDAPS

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Affected products

curl
  • =<7.49.1
  • =<8.12.0
  • =<7.50.2
  • =<7.75.0
  • =<7.18.1
  • =<8.1.1
  • =<7.55.1
  • =<7.37.0
  • =<7.46.0
  • =<7.28.0
  • =<7.21.0
  • =<8.14.1
  • =<7.64.0
  • =<7.64.1
  • =<7.24.0
  • =<7.65.2
  • =<7.27.0
  • =<7.21.4
  • =<7.33.0
  • =<7.37.1
  • =<7.23.0
  • =<8.2.0
  • =<7.22.0
  • =<7.47.0
  • =<7.62.0
  • =<7.21.1
  • =<7.19.5
  • =<7.77.0
  • =<7.40.0
  • =<7.26.0
  • =<8.11.0
  • =<7.72.0
  • =<8.8.0
  • =<8.12.1
  • =<7.18.0
  • =<7.36.0
  • =<7.66.0
  • =<7.38.0
  • =<7.88.1
  • =<7.30.0
  • =<7.65.0
  • =<7.81.0
  • =<8.9.0
  • =<7.79.1
  • =<8.6.0
  • =<8.7.1
  • =<7.63.0
  • =<7.70.0
  • =<7.21.2
  • =<7.67.0
  • =<7.56.1
  • =<7.65.3
  • =<7.54.1
  • =<8.13.0
  • =<7.56.0
  • =<7.54.0
  • =<7.55.0
  • =<7.84.0
  • =<7.19.3
  • =<7.88.0
  • =<7.19.2
  • =<7.76.1
  • =<7.50.0
  • =<7.47.1
  • =<7.39.0
  • =<7.19.0
  • =<7.42.0
  • =<7.28.1
  • =<8.4.0
  • =<7.71.0
  • =<7.17.0
  • =<7.19.1
  • =<7.17.1
  • =<7.31.0
  • =<7.19.6
  • =<7.73.0
  • =<8.14.0
  • =<7.82.0
  • =<7.52.0
  • =<7.42.1
  • =<8.2.1
  • =<8.0.1
  • =<7.86.0
  • =<7.68.0
  • =<8.1.0
  • =<7.50.3
  • =<8.5.0
  • =<7.52.1
  • =<7.21.3
  • =<8.10.0
  • =<7.69.1
  • =<7.45.0
  • =<7.59.0
  • =<7.34.0
  • =<7.20.0
  • =<7.35.0
  • =<7.21.6
  • =<7.48.0
  • =<8.10.1
  • =<7.49.0
  • =<7.65.1
  • =<7.78.0
  • =<7.18.2
  • =<7.58.0
  • =<7.21.7
  • =<7.79.0
  • =<8.16.0
  • =<7.43.0
  • =<7.20.1
  • =<7.71.1
  • =<7.61.0
  • =<7.23.1
  • =<8.15.0
  • =<7.83.0
  • =<7.51.0
  • =<7.19.4
  • =<8.11.1
  • =<7.80.0
  • =<7.25.0
  • =<7.87.0
  • =<7.29.0
  • =<7.60.0
  • =<8.0.0
  • =<7.21.5
  • =<7.61.1
  • =<7.44.0
  • =<7.53.1
  • =<7.50.1
  • =<7.57.0
  • =<7.19.7
  • =<7.74.0
  • =<8.7.0
  • =<7.76.0
  • =<7.85.0
  • =<8.9.1
  • =<8.17.0
  • =<7.32.0
  • =<8.3.0
  • =<7.83.1
  • =<7.69.0
  • =<7.53.0
  • =<8.1.2
  • =<7.41.0

Matching in nixpkgs

pkgs.curl

Command line tool for transferring files with URL syntax

Package maintainers

Ignored maintainers (2)
NIXPKGS-2026-0029
published on 18 Jan 2026
Permalink CVE-2026-0990
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month ago
  • @LeSuisse removed
    8 packages
    • tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
    • perl540Packages.AlienLibxml2
    • perl538Packages.AlienLibxml2
    • python313Packages.libxml2
    • python312Packages.libxml2
    • perlPackages.AlienLibxml2
    • sbclPackages.cl-libxml2
    • libxml2Python
    1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Affected products

rhcos
libxml2

Matching in nixpkgs

Package maintainers

Upstream issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
Upstream patch: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982
NIXPKGS-2026-0043
published on 18 Jan 2026
Permalink CVE-2025-62396
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months ago
  • @LeSuisse removed package moodle-dl 1 month ago
  • @LeSuisse removed maintainer @freezeboy 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Moodle: router (r.php) could expose application directories

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

Affected products

moodle
  • <4.5.7
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0042
published on 18 Jan 2026
Permalink CVE-2025-62398
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months ago
  • @LeSuisse removed package moodle-dl 1 month ago
  • @LeSuisse removed maintainer @freezeboy 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Moodle: possible to bypass mfa

A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.

Affected products

moodle
  • <4.5.7
  • <4.4.11
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0041
published on 18 Jan 2026
Permalink CVE-2025-62399
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months ago
  • @LeSuisse removed package moodle-dl 1 month ago
  • @LeSuisse removed maintainer @freezeboy 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Moodle: password brute force risk when mobile/web services enabled

Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

Affected products

moodle
  • <4.1.21
  • <4.5.7
  • <4.4.11
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0040
published on 18 Jan 2026
Permalink CVE-2025-62397
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months ago
  • @LeSuisse removed package moodle-dl 1 month ago
  • @LeSuisse removed
    2 maintainers
    • @kmein
    • @freezeboy
    1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Moodle: router produces json instead of 404 error for invalid course id

The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance.

Affected products

moodle
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0039
published on 18 Jan 2026
Permalink CVE-2025-62393
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months ago
  • @LeSuisse removed package moodle-dl 1 month ago
  • @LeSuisse removed maintainer @freezeboy 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Moodle: course access permissions not properly checked in course_output_fragment_course_overview

A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.

Affected products

moodle
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0038
published on 18 Jan 2026
Permalink CVE-2025-62400
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months ago
  • @LeSuisse removed package moodle-dl 1 month ago
  • @LeSuisse removed
    2 maintainers
    • @kmein
    • @freezeboy
    1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Moodle: hidden group names visible to event creators

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

Affected products

moodle
  • <4.1.21
  • <4.5.7
  • <4.4.11
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0028
published on 18 Jan 2026
Permalink CVE-2026-22854
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month ago
  • @LeSuisse removed maintainer @peterhoeg 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
FreeRDP has a heap-buffer-overflow in drive_process_irp_read

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0037
published on 18 Jan 2026
Permalink CVE-2025-62394
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months ago
  • @LeSuisse removed package moodle-dl 1 month ago
  • @LeSuisse removed maintainer @freezeboy 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Moodle: quiz notifications sent to suspended participants

Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

Affected products

moodle
  • <4.5.7
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)