NIXPKGS-2026-1296

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-5405

7.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 3 weeks ago
• @LeSuisse accepted 1 month, 3 weeks ago
• @LeSuisse ignored
  2 maintainers

  • @bjornfor
  • @fpletz
  1 month, 3 weeks ago maintainer.ignore
• @LeSuisse published on GitHub 1 month, 3 weeks ago

Heap-based Buffer Overflow in Wireshark

• https://www.wireshark.org/security/wnpa-sec-2026-17.html
• GitLab Issue #21105 issue-trackingpermissions-required

---

Wireshark

• <4.4.15
• <4.6.5

NIXPKGS-2026-1295

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-42248

updated 1 month, 3 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 3 weeks ago
• @LeSuisse ignored reference https://o… 1 month, 3 weeks ago
• @LeSuisse ignored
  21 packages

  • gollama
  • nextjs-ollama-llm-ui
  • python312Packages.ollama
  • python313Packages.ollama
  • python314Packages.ollama
  • python312Packages.llm-ollama
  • python313Packages.llm-ollama
  • python314Packages.llm-ollama
  • haskellPackages.ollama-haskell
  • gnomeExtensions.ollama-indicator
  • python312Packages.langchain-ollama
  • python313Packages.langchain-ollama
  • python314Packages.langchain-ollama
  • home-assistant-component-tests.ollama
  • tests.home-assistant-components.ollama
  • python312Packages.llama-index-llms-ollama
  • python313Packages.llama-index-llms-ollama
  • python312Packages.llama-index-embeddings-ollama
  • python313Packages.llama-index-embeddings-ollama
  • pkgsRocm.python3Packages.llama-index-llms-ollama
  • pkgsRocm.python3Packages.llama-index-embeddings-ollama
  1 month, 3 weeks ago
• @LeSuisse accepted 1 month, 3 weeks ago
• @LeSuisse published on GitHub 1 month, 3 weeks ago

Missing Signature Verification for Updates in Ollama

• https://cert.pl/en/posts/2026/04/CVE-2026-42248/ third-party-advisory

Ignored references (1)

• https://ollama.com/ product

---

Ollama

• =<0.17.5

NIXPKGS-2026-1294

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-42615

7.2 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Changed (C)
• Confidentiality (C): Low (L)
• Integrity (I): Low (L)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Changed (C)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): None (N)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 3 weeks ago
• @LeSuisse ignored reference https://g… 1 month, 3 weeks ago
• @LeSuisse accepted 1 month, 3 weeks ago
• @LeSuisse published on GitHub 1 month, 3 weeks ago

GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, …

• https://github.com/gchq/CyberChef/issues/2344
• https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c…
• https://github.com/gchq/CyberChef/pull/2346

Ignored references (1)

• https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0

---

CyberChef

• <11.0.0

NIXPKGS-2026-1293

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-1858

4.8 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): Low (L)
• Integrity (I): Low (L)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): None (N)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 3 weeks ago
• @LeSuisse accepted 1 month, 3 weeks ago
• @LeSuisse published on GitHub 1 month, 3 weeks ago

wget2 Improper Certificate Validation

• https://www.tenable.com/security/research/tra-2026-37

---

wget2

• =<2.2.1

Patch: https://gitlab.com/gnuwget/wget2/-/commit/f4854d7fbc0a85c1d9873f5980707c0b80df212a

NIXPKGS-2026-1292

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-42249

updated 1 month, 3 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 3 weeks ago
• @LeSuisse ignored
  21 packages

  • gollama
  • nextjs-ollama-llm-ui
  • python312Packages.ollama
  • python313Packages.ollama
  • python314Packages.ollama
  • python312Packages.llm-ollama
  • python313Packages.llm-ollama
  • python314Packages.llm-ollama
  • haskellPackages.ollama-haskell
  • gnomeExtensions.ollama-indicator
  • python312Packages.langchain-ollama
  • python313Packages.langchain-ollama
  • python314Packages.langchain-ollama
  • home-assistant-component-tests.ollama
  • tests.home-assistant-components.ollama
  • python312Packages.llama-index-llms-ollama
  • python313Packages.llama-index-llms-ollama
  • python312Packages.llama-index-embeddings-ollama
  • python313Packages.llama-index-embeddings-ollama
  • pkgsRocm.python3Packages.llama-index-llms-ollama
  • pkgsRocm.python3Packages.llama-index-embeddings-ollama
  1 month, 3 weeks ago
• @LeSuisse accepted 1 month, 3 weeks ago
• @LeSuisse ignored reference https://o… 1 month, 3 weeks ago
• @LeSuisse published on GitHub 1 month, 3 weeks ago

Remote Code Execution in Ollama via Update Mechanism

• https://cert.pl/en/posts/2026/04/CVE-2026-42248/ third-party-advisory

Ignored references (1)

• https://ollama.com/ product

---

Ollama

• =<0.17.5

NIXPKGS-2026-1291

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-7381

updated 1 month, 3 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 3 weeks ago
• @LeSuisse ignored
  52 packages

  • perlPackages.TaskPlack
  • perl5Packages.TaskPlack
  • perl538Packages.TaskPlack
  • perl540Packages.TaskPlack
  • perlPackages.PlackAppProxy
  • perl5Packages.PlackAppProxy
  • perl538Packages.PlackAppProxy
  • perl540Packages.PlackAppProxy
  • perlPackages.PlackMiddlewareDebug
  • perl5Packages.PlackMiddlewareDebug
  • perlPackages.PlackMiddlewareHeader
  • perl5Packages.PlackMiddlewareHeader
  • perlPackages.PlackMiddlewareSession
  • perl538Packages.PlackMiddlewareDebug
  • perl540Packages.PlackMiddlewareDebug
  • perl5Packages.PlackMiddlewareSession
  • perlPackages.PlackMiddlewareDeflater
  • perlPackages.PlackTestExternalServer
  • perl538Packages.PlackMiddlewareHeader
  • perl540Packages.PlackMiddlewareHeader
  • perl5Packages.PlackMiddlewareDeflater
  • perl5Packages.PlackTestExternalServer
  • perl538Packages.PlackMiddlewareSession
  • perl540Packages.PlackMiddlewareSession
  • perlPackages.PlackMiddlewareAuthDigest
  • perl538Packages.PlackMiddlewareDeflater
  • perl538Packages.PlackTestExternalServer
  • perl540Packages.PlackMiddlewareDeflater
  • perl540Packages.PlackTestExternalServer
  • perl5Packages.PlackMiddlewareAuthDigest
  • perlPackages.PlackMiddlewareReverseProxy
  • perl538Packages.PlackMiddlewareAuthDigest
  • perl540Packages.PlackMiddlewareAuthDigest
  • perl5Packages.PlackMiddlewareReverseProxy
  • perlPackages.PlackMiddlewareConsoleLogger
  • perl5Packages.PlackMiddlewareConsoleLogger
  • perlPackages.PlackMiddlewareMethodOverride
  • perl538Packages.PlackMiddlewareReverseProxy
  • perl540Packages.PlackMiddlewareReverseProxy
  • perl5Packages.PlackMiddlewareMethodOverride
  • perl538Packages.PlackMiddlewareConsoleLogger
  • perl540Packages.PlackMiddlewareConsoleLogger
  • perl538Packages.PlackMiddlewareMethodOverride
  • perl540Packages.PlackMiddlewareMethodOverride
  • perlPackages.PlackMiddlewareRemoveRedundantBody
  • perl5Packages.PlackMiddlewareRemoveRedundantBody
  • perl538Packages.PlackMiddlewareRemoveRedundantBody
  • perl540Packages.PlackMiddlewareRemoveRedundantBody
  • perlPackages.PlackMiddlewareFixMissingBodyInRedirect
  • perl5Packages.PlackMiddlewareFixMissingBodyInRedirect
  • perl538Packages.PlackMiddlewareFixMissingBodyInRedirect
  • perl540Packages.PlackMiddlewareFixMissingBodyInRedirect
  1 month, 3 weeks ago
• @LeSuisse ignored reference https://n… 1 month, 3 weeks ago
• @LeSuisse accepted 1 month, 3 weeks ago
• @LeSuisse published on GitHub 1 month, 3 weeks ago

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting

• https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes release-notes
• https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XS… technical-description

Ignored references (1)

• https://nvd.nist.gov/vuln/detail/CVE-2025-61780 related

---

Plack

• =<1.0053

NIXPKGS-2026-1290

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-7111

8.4 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 3 weeks ago
• @LeSuisse accepted 1 month, 3 weeks ago
• @LeSuisse published on GitHub 1 month, 3 weeks ago

Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption

• https://github.com/cpan-authors/Text-CSV_XS/commit/c17f31a5f2bf36674748eb4b6e25… patch
• https://metacpan.org/release/HMBRAND/Text-CSV_XS-1.62/changes release-notes
• http://www.openwall.com/lists/oss-security/2026/04/29/17

---

Text-CSV_XS

• <1.62

NIXPKGS-2026-1289

GitHub issue published 1 month, 4 weeks ago

Permalink CVE-2026-41526

6.5 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): Low (L)

updated 1 month, 4 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 4 weeks ago
• @LeSuisse ignored
  3 references

  • https://invent.kde.org/frameworks/kcore…
  • https://github.com/KDE/kcoreaddons/rele…
  • https://github.com/KDE/kcoreaddons/blob…
  1 month, 4 weeks ago
• @LeSuisse accepted 1 month, 4 weeks ago
• @LeSuisse published on GitHub 1 month, 4 weeks ago

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely …

• https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea…
• https://kde.org/info/security/advisory-20260427-1.txt

Ignored references (3)

• https://invent.kde.org/frameworks/kcoreaddons/
• https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea…
• https://github.com/KDE/kcoreaddons/releases/tag/v6.25.0

---

KCoreAddons

• <6.25

NIXPKGS-2026-1287

GitHub issue published 1 month, 4 weeks ago

Permalink CVE-2026-5435

7.3 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): Low (L)
• Integrity (I): Low (L)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): Low (L)

updated 1 month, 4 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 4 weeks ago
• @LeSuisse ignored
  28 packages

  • libc
  • iconv
  • getent
  • locale
  • mtrace
  • getconf
  • libiconv
  • glibcInfo
  • glibc_multi
  • glibcLocales
  • glibc_memusage
  • glibcLocalesUtf8
  • unixtools.getent
  • unixtools.locale
  • unixtools.getconf
  • minimal-bootstrap.glibc
  • tests.hardeningFlags.glibcxxassertionsStdenvUnsupp
  • tests.hardeningFlags.glibcxxassertionsExplicitEnabled
  • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
  • tests.hardeningFlags.glibcxxassertionsExplicitDisabled
  • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
  • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
  • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
  • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
  • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
  • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
  • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
  • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
  1 month, 4 weeks ago
• @LeSuisse accepted 1 month, 4 weeks ago
• @LeSuisse published on GitHub 1 month, 4 weeks ago

Potential buffer overflow in ns_sprintrrf TSIG handling path

• https://sourceware.org/bugzilla/show_bug.cgi?id=34033 issue-tracking
• https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91… mailing-list

---

glibc

• =<*

NIXPKGS-2026-1288

GitHub issue published 1 month, 4 weeks ago

Permalink CVE-2026-41525

6.5 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): Low (L)

updated 1 month, 4 weeks ago by @LeSuisse Activity log

• Created suggestion 1 month, 4 weeks ago
• @LeSuisse ignored
  2 references

  • https://invent.kde.org/system/dolphin/
  • https://github.com/KDE/dolphin/releases…
  1 month, 4 weeks ago
• @LeSuisse ignored
  5 packages

  • dolphin-emu
  • libretro.dolphin
  • dolphin-emu-primehack
  • kdePackages.dolphin-plugins
  • opencloud-desktop-shell-integration-dolphin
  1 month, 4 weeks ago
• @LeSuisse accepted 1 month, 4 weeks ago
• @LeSuisse published on GitHub 1 month, 4 weeks ago

KDE Dolphin before 25.12.3 allows applications in a Flatpak (or …

• https://kde.org/info/security/advisory-20260427-2.txt

Ignored references (2)

• https://invent.kde.org/system/dolphin/
• https://github.com/KDE/dolphin/releases/tag/v25.12.3

---

Dolphin

• <25.12.3