Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1386
published 1 month, 2 weeks ago
CVE-2026-7722
5.3 MEDIUM
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N
updated 1 month, 2 weeks ago by @LeSuisse Activity log

PrefectHQ prefect Health Check API health endswith improper authentication


prefect
  • ==3.6.0
  • ==3.6.1
  • ==3.6.2
  • ==3.6.3
  • ==3.6.4
  • ==3.6.5
  • ==3.6.6
  • ==3.6.7
  • ==3.6.8
  • ==3.6.9
  • ==3.6.10
  • ==3.6.11
  • ==3.6.12
  • ==3.6.13
  • ==3.6.14
  • ==3.6.15
  • ==3.6.16
  • ==3.6.17
  • ==3.6.18
  • ==3.6.19
  • ==3.6.20
  • ==3.6.21
  • ==3.6.22
NIXPKGS-2026-1385
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • n8n-nodes-carbonejs
    • n8n-nodes-evolution-api
    • n8n-task-runner-launcher
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

n8n: Unauthenticated Denial of Service via MCP Client Registration


n8n
  • < 1.123.32
  • >= 2.17.0, < 2.17.4
  • >= 2.18.0, < 2.18.1
NIXPKGS-2026-1384
published 1 month, 2 weeks ago
CVE-2026-42146
5.5 MEDIUM
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/MAV:L/MAC:L/MPR:N/MUI:R/MS:U/MC:N/MI:N/MA:H
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored reference https://g…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp


CImg
  • < c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3
NIXPKGS-2026-1383
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • python312Packages.beets-audible
    • python312Packages.beets-minimal
    • python313Packages.beets-audible
    • python313Packages.beets-minimal
    • python314Packages.beets-audible
    • python312Packages.beets-alternatives
    • python314Packages.beets-alternatives
    • python313Packages.beets-alternatives
    • pkgsRocm.python3Packages.beets-audible
  • @LeSuisse restored
    2 packages
    • python312Packages.beets-minimal
    • python313Packages.beets-minimal
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

beets is Vulnerable to XSS


beets
  • ==< 2.10.0
NIXPKGS-2026-1382
published 1 month, 2 weeks ago
CVE-2026-43863
3.7 LOW
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:L
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    12 packages
    • mutter
    • neomutt
    • mutt-ics
    • mutter46
    • mutter48
    • mutt-wizard
    • fontmuttmisc
    • notmuch-mutt
    • font-mutt-misc
    • pantheon.mutter
    • xorg.fontmuttmisc
    • vimPlugins.nvim-treesitter-parsers.muttrc
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

mutt before 2.3.2 has an infinite loop in data_object_to_stream in …


mutt
  • <2.3.2
NIXPKGS-2026-1381
published 1 month, 2 weeks ago
CVE-2026-43864
2.5 LOW
  • CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/MAV:L/MAC:H/MPR:N/MUI:R/MS:U/MC:N/MI:N/MA:L
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    12 packages
    • mutter
    • neomutt
    • mutt-ics
    • mutter46
    • mutter48
    • mutt-wizard
    • fontmuttmisc
    • notmuch-mutt
    • font-mutt-misc
    • pantheon.mutter
    • xorg.fontmuttmisc
    • vimPlugins.nvim-treesitter-parsers.muttrc
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.


mutt
  • <2.3.2
NIXPKGS-2026-1380
published 1 month, 2 weeks ago
CVE-2026-43861
3.7 LOW
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:N
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    12 packages
    • mutter
    • neomutt
    • mutt-ics
    • mutter46
    • mutter48
    • mutt-wizard
    • fontmuttmisc
    • notmuch-mutt
    • font-mutt-misc
    • pantheon.mutter
    • xorg.fontmuttmisc
    • vimPlugins.nvim-treesitter-parsers.muttrc
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

mutt before 2.3.2 does not check for '\0' in url_pct_decode.


mutt
  • <2.3.2
NIXPKGS-2026-1379
published 1 month, 2 weeks ago
CVE-2026-43859
3.7 LOW
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:N
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    12 packages
    • mutter
    • neomutt
    • mutt-ics
    • mutter46
    • mutter48
    • mutt-wizard
    • fontmuttmisc
    • notmuch-mutt
    • font-mutt-misc
    • pantheon.mutter
    • xorg.fontmuttmisc
    • vimPlugins.nvim-treesitter-parsers.muttrc
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for …


mutt
  • <2.3.2
NIXPKGS-2026-1378
published 1 month, 2 weeks ago
CVE-2026-33846
7.5 HIGH
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • guile-gnutls
    • python312Packages.python3-gnutls
    • python313Packages.python3-gnutls
    • python314Packages.python3-gnutls
  • @LeSuisse ignored maintainer @vcunat maintainer.ignore
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

gnutls: denial of service via heap buffer overflow in DTLS handshake fragment reassembly


rhcos
gnutls
gnutls-main
  • *
NIXPKGS-2026-1377
published 1 month, 2 weeks ago
CVE-2026-43862
3.7 LOW
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:N
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    12 packages
    • mutter
    • neomutt
    • mutt-ics
    • mutter46
    • mutter48
    • mutt-wizard
    • fontmuttmisc
    • notmuch-mutt
    • font-mutt-misc
    • pantheon.mutter
    • xorg.fontmuttmisc
    • vimPlugins.nvim-treesitter-parsers.muttrc
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

In mutt before 2.3.2, the imap_auth_gss security level is mishandled.


mutt
  • <2.3.2
https://www.openwall.com/lists/oss-security/2026/05/04/3
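Consuming these entries programmatically means matching an installed version against the affected-version lines, which take several shapes across this page: a list of exact pins (prefect), comma-separated range clauses (n8n), a bare upper bound (mutt), a bound on a git commit rather than a release (CImg) and "*" for every version (gnutls). The following is an added example, not code from the Nixpkgs security tracker. The grammar is inferred from the lines shown above, dotted-integer version comparison is an assumption, the stray "==" some range lines are rendered with is treated as display noise, and the versions being tested are constructed:

```python
"""Check a package version against the affected-version lines of a
Nixpkgs security tracker listing.

Added example, not tracker code. Assumptions not stated on the page:
  * a line is a list of exact pins ("==3.6.13"), comma-separated range
    clauses (">= 2.17.0, < 2.17.4"), a bare bound ("<2.3.2"), "*" for every
    version, or a bound on a git commit ("< c3aacf5b...") with no numeric order;
  * versions compare as tuples of integers split on ".";
  * a stray "==" in front of a range ("==>= 2.17.0, < 2.17.4") is rendering
    noise and is dropped.
"""
import re
from typing import List, Optional, Tuple

_OPS = {
    "==": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}
_CLAUSE = re.compile(r"^(==|<=|>=|<|>)\s*(\S+)$")
_NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.17.4' -> (2, 17, 4); rejects anything that is not dotted integers."""
    if not _NUMERIC.match(v):
        raise ValueError(f"non-numeric version: {v!r}")
    return tuple(int(p) for p in v.split("."))


def normalize_line(line: str) -> str:
    """Drop the stray '==' the listing renders in front of range lines."""
    line = line.strip()
    if line.startswith("==") and line[2:3] in ("<", ">"):
        line = line[2:]
    return line


def clause_matches(clause: str, version: str) -> Optional[bool]:
    """True/False for a numeric bound; None when the bound is a commit hash,
    which cannot be decided from a version string alone."""
    m = _CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unparseable clause: {clause!r}")
    op, bound = m.groups()
    if not _NUMERIC.match(bound):
        return None
    return _OPS[op](parse_version(version), parse_version(bound))


def is_affected(lines: List[str], version: str) -> Optional[bool]:
    """Affected if ANY listing line matches; within a line ALL comma-separated
    clauses must hold. Returns None when the only lines that could match
    carry an undecidable (commit-hash) bound."""
    undecidable = False
    for raw in lines:
        line = normalize_line(raw)
        if line == "*":
            return True
        results = [clause_matches(c, version) for c in line.split(",")]
        if all(r is True for r in results):
            return True
        if None in results and False not in results:
            undecidable = True
    return None if undecidable else False


if __name__ == "__main__":
    # Constraint lines copied from the listing; the versions tested are constructed.
    n8n = [">= 2.17.0, < 2.17.4", "< 1.123.32", ">= 2.18.0, < 2.18.1"]
    for v in ("1.123.31", "1.123.32", "2.17.3", "2.17.4", "2.18.0", "2.18.1"):
        print(f"n8n {v}: affected={is_affected(n8n, v)}")
    print("mutt 2.3.1:", is_affected(["<2.3.2"], "2.3.1"))
    print("prefect 3.6.14:", is_affected(["==3.6.13", "==3.6.15"], "3.6.14"))
    print("CImg 3.3.0:", is_affected(["< c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3"], "3.3.0"))
```

The commit-hash case is deliberately left undecided rather than guessed: the only honest answer from a release string is "unknown", and the check has to be made against the source revision the package is actually built from instead. Treating an undecidable bound as "not affected" is the mistake that silently drops an advisory.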