NIXPKGS-2026-1212

GitHub issue published 2 months ago

Permalink CVE-2026-40244

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse ignored
  3 packages

  • openexrid-unstable
  • haskellPackages.openexr-write
  • openexr_2
  2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)

• https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx x_refsource_CONFIRM
• https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8 x_refsource_MISC
• https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10 x_refsource_MISC
• https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10 x_refsource_MISC

---

openexr

• ==>= 3.3.0, < 3.3.10
• ==>= 3.4.0, < 3.4.10
• ==>= 3.2.0, < 3.2.8

NIXPKGS-2026-1214

GitHub issue published 2 months ago

Permalink CVE-2026-40876

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

SFTP root escape via prefix-based path validation in goshs

• https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824 x_refsource_CONFIRM

---

goshs

• ==< 2.0.0-beta.6

NIXPKGS-2026-1213

GitHub issue published 2 months ago

Permalink CVE-2026-40594

4.8 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): Low (L)
• Integrity (I): None (N)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): Low (L)

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse ignored
  5 packages

  • python312Packages.pyloadapi
  • python313Packages.pyloadapi
  • python314Packages.pyloadapi
  • home-assistant-component-tests.pyload
  • tests.home-assistant-components.pyload
  2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

• https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v x_refsource_CONFIRMexploit

---

pyload

• ==< 0.5.0b3.dev98

NIXPKGS-2026-1211

GitHub issue published 2 months ago

Permalink CVE-2026-39378

6.5 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): None (N)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): None (N)

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

• https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9 x_refsource_CONFIRM

Ignored references (1)

• https://github.com/jupyter/nbconvert/releases/tag/v7.17.1 x_refsource_MISC

---

nbconvert

• ==>= 6.5, < 7.17.1

NIXPKGS-2026-1216

GitHub issue published 2 months ago

Permalink CVE-2026-41133

8.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse ignored
  5 packages

  • python312Packages.pyloadapi
  • python313Packages.pyloadapi
  • python314Packages.pyloadapi
  • home-assistant-component-tests.pyload
  • tests.home-assistant-components.pyload
  2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

• https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332 x_refsource_CONFIRM
• https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 x_refsource_MISC

---

pyload

• ==<= 0.5.0b3.dev97

NIXPKGS-2026-1210

GitHub issue published 2 months ago

Permalink CVE-2026-5789

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

Search path without quotes in CivetWeb

• https://www.incibe.es/en/incibe-cert/notices/aviso/search-path-without-quotes-c… patch

---

CivetWeb

• ==1.16

NIXPKGS-2026-1215

GitHub issue published 2 months ago

Permalink CVE-2026-39388

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

• https://github.com/openbao/openbao/security/advisories/GHSA-7ccv-rp6m-rffr x_refsource_CONFIRM

---

openbao

• ==< 2.5.3

NIXPKGS-2026-1209

GitHub issue published 2 months ago

Permalink CVE-2026-41527

6.9 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): Low (L)

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

KDE Kleopatra before 26.08.0 on Windows allows local users to …

• https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79
• https://kde.org/info/security/advisory-20260408-1.txt

Ignored references (1)

• https://github.com/KDE/kleopatra/releases

---

Kleopatra

• <26.08.0

NIXPKGS-2026-1208

GitHub issue published 2 months ago

Permalink CVE-2026-40279

3.7 LOW

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): None (N)
• Integrity (I): None (N)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): Low (L)

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`

• https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv x_refsource_CONFIRMexploit

---

bacnet-stack

• ==< 1.4.3

NIXPKGS-2026-1207

GitHub issue published 2 months ago

Permalink CVE-2026-41131

5.0 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): Low (L)
• Integrity (I): Low (L)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): Low (L)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): Low (L)

updated 2 months ago by @LeSuisse Activity log

• Created suggestion 2 months ago
• @LeSuisse ignored
  4 packages

  • openfga-cli
  • python312Packages.openfga-sdk
  • python313Packages.openfga-sdk
  • python314Packages.openfga-sdk
  2 months ago
• @LeSuisse accepted 2 months ago
• @LeSuisse published on GitHub 2 months ago

OpenFGA has Improper Policy Enforcement

• https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6 x_refsource_CONFIRM

Ignored references (1)

• https://github.com/openfga/openfga/releases/tag/v1.14.1 x_refsource_MISC

---

openfga

• ==< 1.14.1