Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1264
published 1 month, 4 weeks ago
Permalink CVE-2026-41492
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • coqPackages.dpdgraph
    • perlPackages.GDGraph
    • perl5Packages.GDGraph
    • perl538Packages.GDGraph
    • perl540Packages.GDGraph
    1 month, 4 weeks ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph

dgraph
  • ==< 25.3.3
NIXPKGS-2026-1266
published 1 month, 4 weeks ago
Permalink CVE-2026-40690
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

apache-airflow
  • <3.2.1
NIXPKGS-2026-1262
published 1 month, 4 weeks ago
Permalink CVE-2026-41481
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass

langchain-text-splitters
  • ==< 1.1.2
NIXPKGS-2026-1265
published 1 month, 4 weeks ago
Permalink CVE-2026-25660
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

Authentication bypass for certain API calls

CodeChecker
  • =<6.27.3
NIXPKGS-2026-1261
published 1 month, 4 weeks ago
Permalink CVE-2026-41894
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint

siyuan
  • ==< 3.6.5
NIXPKGS-2026-1263
published 1 month, 4 weeks ago
Permalink CVE-2026-38743
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

apache-airflow
  • <3.2.1
NIXPKGS-2026-1260
published 1 month, 4 weeks ago
Permalink CVE-2026-42095
4.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

bookserver in KDE Arianna before 26.04.1 allows attackers to read …

Arianna
  • <26.04.1
NIXPKGS-2026-1259
published 1 month, 4 weeks ago
Permalink CVE-2026-41327
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • coqPackages.dpdgraph
    • perlPackages.GDGraph
    • perl5Packages.GDGraph
    • perl538Packages.GDGraph
    • perl540Packages.GDGraph
    1 month, 4 weeks ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field

dgraph
  • ==< 25.3.3
NIXPKGS-2026-1258
published 1 month, 4 weeks ago
Permalink CVE-2026-41305
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    2 packages
    • nodePackages.postcss
    • nodePackages_latest.postcss
    1 month, 4 weeks ago
  • @LeSuisse restored
    2 packages
    • nodePackages.postcss
    • nodePackages_latest.postcss
    1 month, 4 weeks ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

postcss
  • ==< 8.5.10
NIXPKGS-2026-1257
published 1 month, 4 weeks ago
Permalink CVE-2026-41476
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

Deskflow: clipboard deserialization global-buffer-overflow

deskflow
  • ==< 1.26.0.138