Nixpkgs Security Tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0036
published on 18 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package moodle-dl
  • @LeSuisse removed maintainer @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Moodle: possible to bypass timer in timed assignments

An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

Affected products

moodle
  • <4.1.21
  • <4.5.7
  • <4.4.11
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0035
published on 18 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    2 packages
    • python312Packages.libxslt
    • python313Packages.libxslt
  • @LeSuisse removed maintainer @jtojnar
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Libxslt: type confusion in exsltfuncresultcompfunction of libxslt

A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.

Affected products

rhcos
libxslt
  • <1.1.44

Matching in nixpkgs

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0034
published on 18 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    2 packages
    • tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"
    • libsoup_2_4
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Libsoup: heap use-after-free in libsoup message queue handling during http/2 read completion

A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.

Affected products

libsoup
  • =<3.6.5
libsoup3
  • *

Matching in nixpkgs

Package maintainers

Upstream fix: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9ba1243a24e442fa5ec44684617a4480027da960
NIXPKGS-2026-0033
published on 18 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Apache Airflow: proxy credentials for various providers might leak in task logs

In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Affected products

apache-airflow
  • <3.1.6

Matching in nixpkgs

Package maintainers

Upstream advisory: https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
NIXPKGS-2026-0030
published on 18 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package moodle-dl
  • @LeSuisse removed maintainer @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Moodle: external cohort search service leaks system cohort data

A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data.

Affected products

moodle
  • <4.1.21
  • <4.5.7
  • <4.4.11
  • <5.0.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

Ignored maintainers (1)
NIXPKGS-2026-0032
published on 18 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    16 packages
    • github-distributed-owners
    • haskellPackages.distributed-fork
    • haskellPackages.aivika-distributed
    • haskellPackages.distributed-static
    • haskellPackages.distributed-closure
    • haskellPackages.distributed-process
    • haskellPackages.powerqueue-distributed
    • haskellPackages.distributed-process-ekg
    • haskellPackages.distributed-process-async
    • haskellPackages.distributed-process-tests
    • haskellPackages.distributed-process-extras
    • haskellPackages.distributed-process-systest
    • haskellPackages.distributed-process-execution
    • haskellPackages.distributed-process-supervisor
    • haskellPackages.distributed-process-client-server
    • haskellPackages.distributed-process-monad-control
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Dask distributed Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.

Affected products

distributed
  • ==< 2026.1.0

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2
Upstream fix: https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa
NIXPKGS-2026-0020
published on 17 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FreeRDP has a heap-buffer-overflow in audin_process_formats

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
NIXPKGS-2026-0023
published on 17 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FreeRDP has a heap-use-after-free in irp_thread_func

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8
NIXPKGS-2026-0022
published on 17 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FreeRDP has a heap-buffer-overflow in ndr_read_uint8Array

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.

Affected products

FreeRDP
  • ==< 3.20.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
NIXPKGS-2026-0021
published on 17 Jan 2026
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • python312Packages.pysnmp-pyasn1
    • python313Packages.pysnmp-pyasn1
    • python312Packages.pyasn1-modules
    • python313Packages.pyasn1-modules
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pyasn1 has a DoS vulnerability in decoder

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Affected products

pyasn1
  • ==< 0.6.2

Matching in nixpkgs

Upstream advisory: https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq
Upstream fix: https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970