Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1406
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison


coredns
  • ==< 1.14.3
NIXPKGS-2026-1405
published 1 month, 2 weeks ago
CVE-2026-27693
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.pytraccar
    • python313Packages.pytraccar
    • python314Packages.pytraccar
    • home-assistant-component-tests.traccar
    • tests.home-assistant-components.traccar
    • home-assistant-component-tests.traccar_server
    • tests.home-assistant-components.traccar_server
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

traccar allows XML injection in KML and GPX exports


traccar
  • ==>= 6.11.1, < 6.13.0
NIXPKGS-2026-1404
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service


coredns
  • ==< 1.14.3
NIXPKGS-2026-1403
published 1 month, 2 weeks ago
CVE-2026-27694
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.pytraccar
    • python313Packages.pytraccar
    • python314Packages.pytraccar
    • home-assistant-component-tests.traccar
    • tests.home-assistant-components.traccar
    • home-assistant-component-tests.traccar_server
    • tests.home-assistant-components.traccar_server
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

traccar allows stored HTML injection in notification emails


traccar
  • ==>= 6.11.1, < 6.13.0
NIXPKGS-2026-1401
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure


n8n
  • ==>= 2.17.0, < 2.17.4
  • ==< 1.123.32
  • ==>= 2.18.0, < 2.18.1
NIXPKGS-2026-1402
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Hijacking of Unauthenticated Chat Execution


n8n
  • ==>= 2.17.0, < 2.17.4
  • ==>= 2.18.0, < 2.18.1
  • ==< 1.123.32
NIXPKGS-2026-1399
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay


n8n
  • ==< 1.123.33
  • ==>= 2.17.0, < 2.17.5
NIXPKGS-2026-1400
published 1 month, 2 weeks ago
CVE-2026-43964
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • postfixadmin
    • postfix-tlspol
    • prometheus-postfix-exporter
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 …


Postfix
  • <3.8.16
  • <3.10.9
  • <3.9.10
NIXPKGS-2026-1397
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: XML Node Prototype Pollution to RCE


n8n
  • ==>= 2.17.0, < 2.17.4
  • ==>= 2.18.0, < 2.18.1
  • ==< 1.123.32
NIXPKGS-2026-1398
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE


n8n
  • ==>= 2.17.0, < 2.17.4
  • ==< 1.123.32
  • ==>= 2.18.0, < 2.18.1