Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1426
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    55 packages
    • zabbixctl
    • zabbix-cli
    • zabbix60.web
    • zabbix.agent
    • zabbix.web
    • zabbix.agent2
    • zabbix.server
    • zabbix60.agent
    • zabbix70.agent
    • zabbix72.agent
    • zabbix74.agent
    • zabbix60.agent2
    • zabbix60.server
    • zabbix70.agent2
    • zabbix70.server
    • zabbix72.agent2
    • zabbix72.proxy-pgsql
    • zabbix70.proxy-sqlite
    • zabbix70.server-mysql
    • zabbix70.server-pgsql
    • zabbix72.proxy-sqlite
    • zabbix72.server-mysql
    • zabbix72.server-pgsql
    • zabbix74.proxy-sqlite
    • zabbix74.server-mysql
    • zabbix74.server-pgsql
    • python312Packages.pyzabbix
    • python313Packages.pyzabbix
    • python314Packages.pyzabbix
    • python312Packages.py-zabbix
    • python313Packages.py-zabbix
    • python314Packages.py-zabbix
    • python312Packages.zabbix-utils
    • python313Packages.zabbix-utils
    • python314Packages.zabbix-utils
    • zabbix-agent2-plugin-postgresql
    • zabbix60.proxy-sqlite
    • zabbix60.server-mysql
    • zabbix60.server-pgsql
    • zabbix.proxy-sqlite
    • zabbix.server-mysql
    • zabbix.server-pgsql
    • zabbix60.proxy-mysql
    • zabbix60.proxy-pgsql
    • zabbix70.proxy-mysql
    • zabbix70.proxy-pgsql
    • zabbix72.proxy-mysql
    • zabbix74.proxy-mysql
    • zabbix74.proxy-pgsql
    • zabbix.proxy-mysql
    • zabbix74.server
    • zabbix72.server
    • zabbix74.agent2
    • zabbix.proxy-pgsql
    • zabbix74.web
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Stored XSS vulnerability in Host navigator widget maintenance tooltip


Zabbix
  • =<7.0.23
  • =<7.4.7
NIXPKGS-2026-1425
published 1 month, 2 weeks ago
CVE-2026-44405
3.4 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • python313Packages.types-paramiko
    • python314Packages.types-paramiko
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 …


Paramiko
  • <a4489456b6f65281e172380cc4826cee5e851dbb
NIXPKGS-2026-1424
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • incus-ui-canonical
    • terraform-providers.incus
    • terraform-providers.lxc_incus
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Incus OVN TLS verification accepts peer-supplied roots and permits endpoint impersonation


incus
  • ==< 7.0.0
NIXPKGS-2026-1423
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    29 packages
    • rednotebook
    • wolfram-notebook
    • python312Packages.notebook-shim
    • python313Packages.notebook-shim
    • python314Packages.notebook-shim
    • python312Packages.jupyterlab-vim
    • python312Packages.jupyterlab-lsp
    • python312Packages.jupyterlab-git
    • python313Packages.jupyterlab-git
    • python313Packages.jupyterlab-lsp
    • python313Packages.jupyterlab-vim
    • python314Packages.jupyterlab-git
    • python314Packages.jupyterlab-lsp
    • python314Packages.jupyterlab-vim
    • python312Packages.pytest-notebook
    • python313Packages.pytest-notebook
    • python314Packages.pytest-notebook
    • python312Packages.jupyterlab-server
    • python313Packages.jupyterlab-server
    • python314Packages.jupyterlab-server
    • python312Packages.jupyterlab-widgets
    • python313Packages.jupyterlab-widgets
    • python314Packages.jupyterlab-widgets
    • python312Packages.jupyterlab-pygments
    • python313Packages.jupyterlab-pygments
    • python314Packages.jupyterlab-pygments
    • python312Packages.jupyterlab-execute-time
    • python313Packages.jupyterlab-execute-time
    • python314Packages.jupyterlab-execute-time
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker


notebook
  • ==>=7.0.0, <= 7.5.5
jupyterlab
  • ==<= 4.5.6
help-extension
  • ==>=7.0.0,<= 7.5.5
  • ==<=4.5.6
NIXPKGS-2026-1422
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    52 packages
    • zabbixctl
    • zabbix-cli
    • zabbix.agent
    • zabbix.agent2
    • zabbix.server
    • zabbix60.agent
    • zabbix70.agent
    • zabbix72.agent
    • zabbix74.agent
    • zabbix60.agent2
    • zabbix60.server
    • zabbix70.agent2
    • zabbix70.server
    • zabbix72.agent2
    • zabbix72.server
    • zabbix74.agent2
    • zabbix74.server
    • zabbix.proxy-mysql
    • zabbix.proxy-pgsql
    • zabbix.proxy-sqlite
    • zabbix.server-mysql
    • zabbix.server-pgsql
    • zabbix60.proxy-mysql
    • zabbix60.proxy-pgsql
    • zabbix70.proxy-mysql
    • zabbix70.proxy-pgsql
    • zabbix72.proxy-mysql
    • zabbix72.proxy-pgsql
    • zabbix74.proxy-mysql
    • zabbix74.proxy-pgsql
    • zabbix60.proxy-sqlite
    • zabbix60.server-mysql
    • zabbix60.server-pgsql
    • zabbix70.proxy-sqlite
    • zabbix70.server-mysql
    • zabbix70.server-pgsql
    • zabbix72.proxy-sqlite
    • zabbix72.server-mysql
    • zabbix72.server-pgsql
    • zabbix74.proxy-sqlite
    • zabbix74.server-mysql
    • zabbix74.server-pgsql
    • python312Packages.pyzabbix
    • python313Packages.pyzabbix
    • python314Packages.pyzabbix
    • python312Packages.py-zabbix
    • python313Packages.py-zabbix
    • python314Packages.py-zabbix
    • python312Packages.zabbix-utils
    • python313Packages.zabbix-utils
    • python314Packages.zabbix-utils
    • zabbix-agent2-plugin-postgresql
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Stored XSS vulnerability in the Item history/Plain text widget


Zabbix
  • =<7.0.23
  • =<6.0.44
  • =<7.4.7
NIXPKGS-2026-1421
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database


rucio
  • ==>= 35.9.0, < 38.5.5
  • ==>= 38.6.0, < 39.4.2
  • ==>= 1.30.0, < 35.8.5
  • ==>= 40.0.0, < 40.1.1
NIXPKGS-2026-1420
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    53 packages
    • zabbixctl
    • zabbix-cli
    • zabbix.web
    • zabbix.agent
    • zabbix60.web
    • zabbix70.web
    • zabbix72.web
    • zabbix74.web
    • zabbix.agent2
    • zabbix.server
    • zabbix60.agent
    • zabbix70.agent
    • zabbix72.agent
    • zabbix74.agent
    • zabbix60.server
    • zabbix70.server
    • zabbix72.server
    • zabbix74.server
    • zabbix.proxy-mysql
    • zabbix.proxy-pgsql
    • zabbix.proxy-sqlite
    • zabbix.server-mysql
    • zabbix.server-pgsql
    • zabbix60.proxy-mysql
    • zabbix60.proxy-pgsql
    • zabbix70.proxy-mysql
    • zabbix70.proxy-pgsql
    • zabbix72.proxy-mysql
    • zabbix72.proxy-pgsql
    • zabbix74.proxy-mysql
    • zabbix74.proxy-pgsql
    • zabbix60.proxy-sqlite
    • zabbix60.server-mysql
    • zabbix60.server-pgsql
    • zabbix70.proxy-sqlite
    • zabbix70.server-mysql
    • zabbix70.server-pgsql
    • zabbix72.proxy-sqlite
    • zabbix72.server-mysql
    • zabbix72.server-pgsql
    • zabbix74.proxy-sqlite
    • zabbix74.server-mysql
    • zabbix74.server-pgsql
    • python312Packages.pyzabbix
    • python313Packages.pyzabbix
    • python314Packages.pyzabbix
    • python312Packages.py-zabbix
    • python313Packages.py-zabbix
    • python314Packages.py-zabbix
    • python312Packages.zabbix-utils
    • python313Packages.zabbix-utils
    • python314Packages.zabbix-utils
    • zabbix-agent2-plugin-postgresql
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Agent 2 Oracle plugin TNS connection string injection via the 'service' parameter


Zabbix
  • =<7.0.23
  • =<6.0.44
  • =<7.4.7
NIXPKGS-2026-1418
published 1 month, 3 weeks ago
updated 1 month, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports


coredns
  • ==< 1.14.3
NIXPKGS-2026-1419
published 1 month, 3 weeks ago
updated 1 month, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • swiftlint
    • python312Packages.softlayer
    • python313Packages.softlayer
    • python314Packages.softlayer
    • chickenPackages_5.chickenEggs.ftl
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Pi-hole FTL remote code execution via newline injection in dns.interface configuration


FTL
  • ==< 6.6.1
NIXPKGS-2026-1417
published 1 month, 3 weeks ago
updated 1 month, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CoreDNS TSIG authentication bypass on encrypted DNS transports


coredns
  • ==< 1.14.3