Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1376
published 1 month, 2 weeks ago
CVE-2026-43860
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    12 packages
    • mutter
    • neomutt
    • mutt-ics
    • mutter46
    • mutter48
    • mutt-wizard
    • fontmuttmisc
    • notmuch-mutt
    • font-mutt-misc
    • pantheon.mutter
    • xorg.fontmuttmisc
    • vimPlugins.nvim-treesitter-parsers.muttrc
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

mutt before 2.3.2 sometimes truncates the hash_passwd by one byte …


mutt
  • <2.3.2
https://www.openwall.com/lists/oss-security/2026/05/04/3
NIXPKGS-2026-1375
published 1 month, 2 weeks ago
updated 1 month, 2 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • claude-code-acp
    • claude-code-router
    • gnomeExtensions.claude-code-usage
    • gnomeExtensions.claude-code-switcher
    • vscode-extensions.anthropic.claude-code
    • gnomeExtensions.claude-code-usage-indicator
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Claude Code arbitrary code execution via git worktree commondir trust dialog bypass


claude-code
  • >= 2.1.63, < 2.1.84
NIXPKGS-2026-1374
published 1 month, 3 weeks ago
updated 1 month, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored reference https://d…
  • @LeSuisse ignored
    20 packages
    • xmlstarlet
    • python312Packages.starlette
    • python313Packages.starlette
    • python314Packages.starlette
    • python312Packages.sse-starlette
    • python312Packages.starlette-wtf
    • python313Packages.sse-starlette
    • python313Packages.starlette-wtf
    • python314Packages.sse-starlette
    • python314Packages.starlette-wtf
    • python312Packages.starlette-admin
    • python313Packages.starlette-admin
    • python314Packages.starlette-admin
    • python312Packages.starlette-context
    • python313Packages.starlette-context
    • python314Packages.starlette-context
    • perl538Packages.Starlet
    • python314Packages.starlette-compress
    • python313Packages.starlette-compress
    • python312Packages.starlette-compress
  • @LeSuisse restored package perl538Packages.Starlet
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence


Starlet
  • <=0.31
NIXPKGS-2026-1373
published 1 month, 3 weeks ago
CVE-2026-7706
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @LeSuisse

Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service


Open5GS
  • ==2.7.1
  • ==2.7.4
  • ==2.7.7
  • ==2.7.0
  • ==2.7.3
  • ==2.7.5
  • ==2.7.6
  • ==2.7.2
NIXPKGS-2026-1372
published 1 month, 3 weeks ago
CVE-2026-7707
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @LeSuisse

Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_context denial of service


Open5GS
  • ==2.7.1
  • ==2.7.4
  • ==2.7.7
  • ==2.7.0
  • ==2.7.3
  • ==2.7.5
  • ==2.7.6
  • ==2.7.2
NIXPKGS-2026-1371
published 1 month, 3 weeks ago
CVE-2026-7708
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @LeSuisse

Open5GS UDR subscription.c ogs_dbi_subscription_data denial of service


Open5GS
  • ==2.7.1
  • ==2.7.4
  • ==2.7.7
  • ==2.7.0
  • ==2.7.3
  • ==2.7.5
  • ==2.7.6
  • ==2.7.2
NIXPKGS-2026-1370
published 1 month, 3 weeks ago
CVE-2026-7702
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 references
  • @LeSuisse ignored
    11 packages
    • python312Packages.affine
    • python313Packages.affine
    • python314Packages.affine
    • python312Packages.affinegap
    • python313Packages.affinegap
    • python314Packages.affinegap
    • python312Packages.affine-gaps
    • python313Packages.affine-gaps
    • python314Packages.affine-gaps
    • haskellPackages.affinely-extended
    • haskellPackages.simple-affine-space
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization


AFFiNE
  • ==0.26.2
  • ==0.26.0
  • ==0.26.3
  • ==0.26.1
NIXPKGS-2026-1369
published 1 month, 3 weeks ago
CVE-2026-7709
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @LeSuisse

janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization


Calibre-Web
  • ==0.6.11
  • ==0.6.9
  • ==0.6.23
  • ==0.6.4
  • ==0.6.17
  • ==0.6.12
  • ==0.6.1
  • ==0.6.14
  • ==0.6.6
  • ==0.6.2
  • ==0.6.5
  • ==0.6.21
  • ==0.6.20
  • ==0.6.10
  • ==0.6.25
  • ==0.6.13
  • ==0.6.3
  • ==0.6.19
  • ==0.6.15
  • ==0.6.18
  • ==0.6.0
  • ==0.6.7
  • ==0.6.8
  • ==0.6.22
  • ==0.6.26
  • ==0.6.24
  • ==0.6.16
NIXPKGS-2026-1368
published 1 month, 3 weeks ago
CVE-2026-6525
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 month, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 maintainers
    • @fpletz
    • @bjornfor
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NULL Pointer Dereference in Wireshark


Wireshark
  • <4.6.5
NIXPKGS-2026-1367
published 1 month, 3 weeks ago
CVE-2026-7536
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @LeSuisse

Open5GS BSF pcfBindings bsf_sess_add_by_ip_address denial of service


Open5GS
  • ==2.7.1
  • ==2.7.4
  • ==2.7.7
  • ==2.7.0
  • ==2.7.3
  • ==2.7.5
  • ==2.7.6
  • ==2.7.2