Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1239
published on
Permalink CVE-2026-6861
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
updated 5 days, 6 hours ago by @ADMIN Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse ignored
    25 packages
    • qemacs
    • uemacs
    • emacs30
    • chemacs2
    • emacs-gtk
    • emacs-nox
    • emacspeak
    • emacs-pgtk
    • emacs30-nox
    • emacs30-gtk3
    • emacs30-pgtk
    • emacs-macport
    • emacs-anywhere
    • pinentry-emacs
    • emacs30-macport
    • emacs-lsp-booster
    • parinfer-rust-emacs
    • emacsclient-commands
    • emacs-all-the-icons-fonts
    • haskellPackages.emacs-module
    • haskellPackages.yi-keymap-emacs
    • haskellPackages.yi-emacs-colours
    • vscode-extensions.tuttieee.emacs-mcx
    • gnomeExtensions.emacs-search-provider
    • vscode-extensions.jamesyang999.vscode-emacs-minimum
    6 days, 10 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
  • @ADMIN restored package emacs-macport 5 days, 6 hours ago
Emacs: emacs: memory corruption vulnerability when processing svg css

A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial of service (DoS) or potentially information disclosure.

References

Affected products

emacs

Matching in nixpkgs

pkgs.emacs

Extensible, customizable GNU text editor

  • nixos-unstable 30.2
    • nixpkgs-unstable 30.2
    • nixos-unstable-small 30.2
  • nixos-25.11 30.2
    • nixos-25.11-small 30.2
    • nixpkgs-25.11-darwin 30.2
Ignored packages (24)

pkgs.qemacs

Very small but powerful UNIX editor

pkgs.emacs30

Extensible, customizable GNU text editor

  • nixos-unstable 30.2
    • nixpkgs-unstable 30.2
    • nixos-unstable-small 30.2
  • nixos-25.11 30.2
    • nixos-25.11-small 30.2
    • nixpkgs-25.11-darwin 30.2

pkgs.emacs-nox

Extensible, customizable GNU text editor

  • nixos-unstable 30.2
    • nixpkgs-unstable 30.2
    • nixos-unstable-small 30.2
  • nixos-25.11 30.2
    • nixos-25.11-small 30.2
    • nixpkgs-25.11-darwin 30.2

pkgs.emacspeak

Emacs extension that provides spoken output

  • nixos-unstable 59.0
    • nixpkgs-unstable 59.0
    • nixos-unstable-small 59.0
  • nixos-25.11 59.0
    • nixos-25.11-small 59.0
    • nixpkgs-25.11-darwin 59.0

pkgs.emacs-pgtk

Extensible, customizable GNU text editor

  • nixos-unstable 30.2
    • nixpkgs-unstable 30.2
    • nixos-unstable-small 30.2
  • nixos-25.11 30.2
    • nixos-25.11-small 30.2
    • nixpkgs-25.11-darwin 30.2

pkgs.emacs30-nox

Extensible, customizable GNU text editor

  • nixos-unstable 30.2
    • nixpkgs-unstable 30.2
    • nixos-unstable-small 30.2
  • nixos-25.11 30.2
    • nixos-25.11-small 30.2
    • nixpkgs-25.11-darwin 30.2

pkgs.emacs30-pgtk

Extensible, customizable GNU text editor

  • nixos-unstable 30.2
    • nixpkgs-unstable 30.2
    • nixos-unstable-small 30.2
  • nixos-25.11 30.2
    • nixos-25.11-small 30.2
    • nixpkgs-25.11-darwin 30.2 
Patch: https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-30&id=8f535370b9efbc91673b20c6987a5cae4f6dc562
NIXPKGS-2026-1238
published on
Permalink CVE-2026-33259
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse ignored package rotp 6 days, 10 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
Concurrent modification of RPZ data can lead to denial of servce

Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.

Affected products

pdns-recursor
  • <5.3.6
  • <5.4.1
  • <5.2.9

Matching in nixpkgs

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-25.11 1.04
    • nixos-25.11-small 1.04
    • nixpkgs-25.11-darwin 1.04

Package maintainers

NIXPKGS-2026-1237
published on
Permalink CVE-2026-33598
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
Out-of-bounds read in cache inspection via Lua

A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.

Affected products

dnsdist
  • <1.9.13
  • <2.0.4

Matching in nixpkgs

Package maintainers

NIXPKGS-2026-1236
published on
Permalink CVE-2026-33594
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
Outgoing DoH excessive memory allocation

A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

Affected products

dnsdist
  • <1.9.13
  • <2.0.4

Matching in nixpkgs

Package maintainers

NIXPKGS-2026-1234
published on
Permalink CVE-2026-41314
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse ignored
    10 packages
    • capypdf
    • python312Packages.pypdf2
    • python312Packages.pypdf3
    • python313Packages.pypdf2
    • python313Packages.pypdf3
    • python314Packages.pypdf2
    • python314Packages.pypdf3
    • python312Packages.pypdfium2
    • python313Packages.pypdfium2
    • python314Packages.pypdfium2
    6 days, 10 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.

Affected products

pypdf
  • ==< 6.10.2

Matching in nixpkgs

pkgs.python312Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

pkgs.python314Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

Ignored packages (10)

Package maintainers

NIXPKGS-2026-1235
published on
Permalink CVE-2026-41168
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse ignored
    10 packages
    • capypdf
    • python312Packages.pypdf2
    • python312Packages.pypdf3
    • python313Packages.pypdf2
    • python313Packages.pypdf3
    • python314Packages.pypdf2
    • python314Packages.pypdf3
    • python312Packages.pypdfium2
    • python313Packages.pypdfium2
    • python314Packages.pypdfium2
    6 days, 10 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
pypdf has possible long runtimes for wrong size values in cross-reference and object streams

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values. This has been fixed in pypdf 6.10.1. As a workaround, one may apply the changes from the patch manually.

Affected products

pypdf
  • ==< 6.10.1

Matching in nixpkgs

pkgs.python312Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

pkgs.python314Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

Ignored packages (10)

Package maintainers

NIXPKGS-2026-1233
published on
Permalink CVE-2026-33597
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
PRSD detection denial of service

PRSD detection denial of service

Affected products

dnsdist
  • <1.9.13
  • <2.0.4

Matching in nixpkgs

Package maintainers

NIXPKGS-2026-1232
published on
Permalink CVE-2026-33262
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse ignored package rotp 6 days, 10 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
Insufficient validation of cookie reply

An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.

Affected products

pdns-recursor
  • <5.3.6
  • <5.4.1
  • <5.2.9

Matching in nixpkgs

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-25.11 1.04
    • nixos-25.11-small 1.04
    • nixpkgs-25.11-darwin 1.04

Package maintainers

NIXPKGS-2026-1231
published on
Permalink CVE-2026-32885
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse ignored
    5 packages
    • vdrPlugins.softhddevice
    • python312Packages.sounddevice
    • python313Packages.sounddevice
    • python314Packages.sounddevice
    • haskellPackages.gogol-androiddeviceprovisioning
    6 days, 10 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue.

References

Ignored references (1)

Affected products

ddev
  • ==< 1.25.2

Matching in nixpkgs

pkgs.ddev

Docker-based local PHP+Node.js web development environments

Ignored packages (5)

Package maintainers

NIXPKGS-2026-1230
published on
Permalink CVE-2026-33596
3.1 LOW
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 6 days, 10 hours ago by @LeSuisse Activity log
  • Created suggestion 6 days, 16 hours ago
  • @LeSuisse accepted 6 days, 10 hours ago
  • @LeSuisse published on GitHub 6 days, 10 hours ago
TCP backend stream ID overflow

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.

Affected products

dnsdist
  • <1.9.13
  • <2.0.4

Matching in nixpkgs

Package maintainers