Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1256
published 1 month, 4 weeks ago
Permalink CVE-2026-41079
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    72 packages
    • apcupsd
    • cups-bjnp
    • cups-dymo
    • carps-cups
    • cups-zj-58
    • cups-browsed
    • cups-filters
    • cups-kyocera
    • cups-printers
    • gutenprintBin
    • cups-kyodialog
    • cups-pk-helper
    • gutenprint-bin
    • libcupsfilters
    • canon-cups-ufr2
    • cups-idprt-tspl
    • cups-pdf-to-pdf
    • cups-idprt-mt888
    • cups-idprt-mt890
    • cups-idprt-sp900
    • cups-idprt-barcode
    • brgenml1cupswrapper
    • mfc465cncupswrapper
    • cups-brother-dcpt310
    • cups-toshiba-estudio
    • dcp375cw-cupswrapper
    • magicard-cups-driver
    • cups-kyocera-ecosys-m2x35-40-p2x35-40dnw
    • tests.home-assistant-components.apcupsd
    • home-assistant-component-tests.apcupsd
    • cups-brother-hll3230cdw.x86_64-linux
    • home-assistant-component-tests.cups
    • cups-brother-hll2340dw.x86_64-linux
    • cups-brother-hl3140cw.x86_64-linux
    • cups-brother-hl2260d.x86_64-linux
    • cups-brother-hl1210w.x86_64-linux
    • cups-brother-hl1110.x86_64-linux
    • cups-kyocera-ecosys-m552x-p502x
    • mfcj470dwlpr.x86_64-linux
    • python313Packages.pycups
    • cups-brother-dcpl3550cdw
    • cups-brother-dcp1610wlpr
    • perl540Packages.NetCUPS
    • dcp9020cdw-cupswrapper
    • mfcj6510dw-cupswrapper
    • mfcl3770cdwcupswrapper
    • mfcl8690cdwcupswrapper
    • cups-brother-dcpl2550dw
    • cups-brother-mfcl2710dw
    • cups-brother-mfcl2750dw
    • cups-brother-mfcl2800dw
    • perl538Packages.NetCUPS
    • python312Packages.pycups
    • python314Packages.pycups
    • prometheus-apcupsd-exporter
    • gnomeExtensions.apcups-monitor
    • mfc5890cncupswrapper
    • mfcj880dwcupswrapper
    • perlPackages.NetCUPS
    • dcpj785dw-cupswrapper
    • mfc9140cdncupswrapper
    • mfcj470dw-cupswrapper
    • mfcl2700dncupswrapper
    • mfcl2720dwcupswrapper
    • mfcl2740dwcupswrapper
    • perl5Packages.NetCUPS
    • cups-brother-dcpt720dw
    • cups-brother-dcpt725dw
    • cups-brother-hl3170cdw
    • cups-brother-hll2350dw
    • cups-brother-hll2375dw
    • cups-kyocera-3500-4500
    1 month, 4 weeks ago
  • @LeSuisse accepted 1 month, 4 weeks ago
  • @LeSuisse published on GitHub 1 month, 4 weeks ago

OpenPrinting CUPS: Heap out-of-bounds read in SNMP supply-level polling leaks stack memory to authenticated users

cups
  • ==< 2.4.17
NIXPKGS-2026-1255
published 2 months ago
Permalink CVE-2026-40517
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

radare2 < 6.1.4 Command Injection via PDB Parser Symbol Names

radare2
  • <6.1.4
NIXPKGS-2026-1254
published 2 months ago
Permalink CVE-2026-33609
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

LDAP DN injection

pdns
  • <4.9.14
  • <5.0.4 
https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1252
published 2 months ago
Permalink CVE-2026-33611
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

Insufficient validation of HTTPS and SVCB records

pdns
  • <4.9.14
  • <5.0.4 
https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1251
published 2 months ago
Permalink CVE-2026-33260
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    7 packages
    • rotp
    • pdnsd
    • dnsdist
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse restored
    2 packages
    • dnsdist
    • pdns-recursor
    2 months ago
  • @LeSuisse published on GitHub 2 months ago

Insufficient input validation of internal webserver

pdns
  • <4.9.14
  • <5.0.4
dnsdist
  • <2.0.4
  • <1.9.13
pdns-recursor
  • <5.2.9
  • <5.4.1
  • <5.3.6 
https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1253
published 2 months ago
Permalink CVE-2026-33608
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

Incomplete domain name sanitization during

pdns
  • <4.9.14
  • <5.0.4 
https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1250
published 2 months ago
Permalink CVE-2026-33257
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • rotp
    • pdnsgrep
    • pdnsd
    • tests.home-assistant-components.namecheapdns
    • home-assistant-component-tests.namecheapdns
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

Insufficient input validation of internal webserver

pdns
  • <4.9.14
  • <5.0.4
dnsdist
  • <2.0.4
  • <1.9.13
pdns-recursor
  • <5.2.9
  • <5.4.1
  • <5.3.6 
https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1249
published 2 months ago
Permalink CVE-2026-33610
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • pdnsd
    • pdnsgrep
    • pdns-recursor
    • home-assistant-component-tests.namecheapdns
    • tests.home-assistant-components.namecheapdns
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

Possible file descriptor exhaustion in forward-dnsupdate

pdns
  • <4.9.14
  • <5.0.4 
https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server
NIXPKGS-2026-1248
published 2 months ago
Permalink CVE-2026-41313
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    10 packages
    • capypdf
    • python312Packages.pypdf2
    • python312Packages.pypdf3
    • python313Packages.pypdf2
    • python313Packages.pypdf3
    • python314Packages.pypdf2
    • python314Packages.pypdf3
    • python312Packages.pypdfium2
    • python314Packages.pypdfium2
    • python313Packages.pypdfium2
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

pypdf: Possible long runtimes for wrong size values in incremental mode

pypdf
  • ==< 6.10.2
NIXPKGS-2026-1247
published 2 months ago
Permalink CVE-2026-33595
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago

DoQ/DoH3 excessive memory allocation

dnsdist
  • <2.0.4
  • <1.9.13