NIXPKGS-2026-1126

GitHub issue published 2 months, 1 week ago

Permalink CVE-2025-54550

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse published on GitHub 2 months, 1 week ago

Apache Airflow: RCE by race condition in example_xcom dag

• https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1 vendor-advisory
• https://github.com/apache/airflow/pull/63200 patch
• http://www.openwall.com/lists/oss-security/2026/04/15/1

---

apache-airflow

• <3.2.0

NIXPKGS-2026-1125

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-40193

8.2 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): Low (L)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): None (N)

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse ignored package libmaddy-markdown 2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse published on GitHub 2 months, 1 week ago

Maddy Mail Server: LDAP Filter Injection via Unsanitized Username

• https://github.com/foxcpp/maddy/security/advisories/GHSA-5835-4gvc-32pc x_refsource_CONFIRM
• https://github.com/foxcpp/maddy/commit/6a06337eb41fa87a35697366bcb71c3c962c44ba x_refsource_MISC
• https://github.com/foxcpp/maddy/releases/tag/v0.9.3 x_refsource_MISC

---

maddy

• ==< 0.9.3

NIXPKGS-2026-1124

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-40192

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse ignored
  17 packages

  • python312Packages.pillow-heif
  • python312Packages.pillow-jpls
  • python312Packages.pillowfight
  • python313Packages.pillow-heif
  • python313Packages.pillow-jpls
  • python313Packages.pillowfight
  • python314Packages.pillow-heif
  • python314Packages.pillow-jpls
  • python314Packages.pillowfight
  • python312Packages.types-pillow
  • python313Packages.types-pillow
  • python314Packages.types-pillow
  • python312Packages.pypillowfight
  • python313Packages.pypillowfight
  • python314Packages.pypillowfight
  • python312Packages.pillow-avif-plugin
  • python313Packages.pillow-avif-plugin
  2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse ignored maintainer @mweinelt 2 months, 1 week ago maintainer.ignore
• @LeSuisse published on GitHub 2 months, 1 week ago

Pillow is vulnerable to a FITS GZIP decompression bomb

• https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j x_refsource_CONFIRM
• https://github.com/python-pillow/Pillow/pull/9521 x_refsource_MISC
• https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 x_refsource_MISC
• https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb x_refsource_MISC

---

Pillow

• ==>= 10.3.0, < 12.2.0

NIXPKGS-2026-1123

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-40091

6.0 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): High (H)
• User Interaction (UI): None (N)
• Scope (S): Changed (C)
• Confidentiality (C): High (H)
• Integrity (I): None (N)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): High (H)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Changed (C)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): None (N)

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse ignored
  3 packages

  • tree-sitter-grammars.tree-sitter-spicedb
  • python314Packages.tree-sitter-grammars.tree-sitter-spicedb
  • python313Packages.tree-sitter-grammars.tree-sitter-spicedb
  2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse published on GitHub 2 months, 1 week ago

SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

• https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58 x_refsource_CONFIRM
• https://github.com/authzed/spicedb/releases/tag/v1.51.1 x_refsource_MISC

---

spicedb

• ==>= 1.49.0, < 1.51.1

NIXPKGS-2026-1122

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-40173

9.4 CRITICAL

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): Low (L)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): Low (L)

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse ignored
  5 packages

  • coqPackages.dpdgraph
  • perlPackages.GDGraph
  • perl5Packages.GDGraph
  • perl538Packages.GDGraph
  • perl540Packages.GDGraph
  2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse published on GitHub 2 months, 1 week ago

Dgraph: Unauthenticated pprof endpoint leaks admin auth token

• https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p x_refsource_CONFIRM
• https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2 x_refsource_MISC

---

dgraph

• ==< 25.3.2

NIXPKGS-2026-1121

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-25219

6.5 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): None (N)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): None (N)
• Modified Availability (MA): None (N)

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse published on GitHub 2 months, 1 week ago

Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access

• https://github.com/apache/airflow/pull/61580 patch
• https://github.com/apache/airflow/pull/61582 patch
• https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh vendor-advisory
• http://www.openwall.com/lists/oss-security/2026/04/15/3

---

apache-airflow

• <3.1.8

NIXPKGS-2026-1120

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-40499

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse published on GitHub 2 months, 1 week ago

radare2 < 6.1.4 Command Injection via PDB Parser print_gvars()

• https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero exploittechnical-description
• https://github.com/radareorg/radare2/pull/25731 issue-tracking
• https://github.com/radareorg/radare2/issues/25752 issue-tracking
• https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeeb… patch
• https://github.com/radareorg/radare2/releases/tag/6.1.4 release-notes

Ignored references (1)

• https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-p… third-party-advisory

---

radare2

• <6.1.4
• ==5590c87deeb7eb2a106fd7aab9ca88bfeebb7397

NIXPKGS-2026-1119

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-40176

7.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse ignored
  13 packages

  • subtitlecomposer
  • composer-require-checker
  • haskellPackages.gogol-composer
  • phpPackages.cyclonedx-php-composer
  • php82Packages.cyclonedx-php-composer
  • php83Packages.cyclonedx-php-composer
  • php84Packages.cyclonedx-php-composer
  • php85Packages.cyclonedx-php-composer
  • phpPackages.composer-local-repo-plugin
  • php82Packages.composer-local-repo-plugin
  • php83Packages.composer-local-repo-plugin
  • php84Packages.composer-local-repo-plugin
  • php85Packages.composer-local-repo-plugin
  2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse ignored
  4 maintainers

  • @Ma27
  • @piotrkwiecinski
  • @aanderse
  • @talyz
  2 months, 1 week ago maintainer.ignore
• @LeSuisse published on GitHub 2 months, 1 week ago

Composer is vulnerable to Command Injection via Malicious Perforce Repository

• https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p x_refsource_CONFIRM
• https://github.com/composer/composer/releases/tag/2.9.6 x_refsource_MISC

---

composer

• ==>= 2.3, < 2.9.6
• ==>= 1.0, < 2.2.27

NIXPKGS-2026-1118

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-40261

8.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): None (N)
• User Interaction (UI): Required (R)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): Required (R)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse ignored
  13 packages

  • subtitlecomposer
  • composer-require-checker
  • haskellPackages.gogol-composer
  • phpPackages.cyclonedx-php-composer
  • php82Packages.cyclonedx-php-composer
  • php83Packages.cyclonedx-php-composer
  • php84Packages.cyclonedx-php-composer
  • php85Packages.cyclonedx-php-composer
  • phpPackages.composer-local-repo-plugin
  • php82Packages.composer-local-repo-plugin
  • php83Packages.composer-local-repo-plugin
  • php84Packages.composer-local-repo-plugin
  • php85Packages.composer-local-repo-plugin
  2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse ignored
  4 maintainers

  • @Ma27
  • @aanderse
  • @piotrkwiecinski
  • @talyz
  2 months, 1 week ago maintainer.ignore
• @LeSuisse published on GitHub 2 months, 1 week ago

Composer has Command Injection via Malicious Perforce Reference

• https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q x_refsource_CONFIRM
• https://github.com/composer/composer/releases/tag/2.9.6 x_refsource_MISC

---

composer

• ==>= 1.0.0, < 2.2.27
• ==>= 2.3.0, < 2.9.6

NIXPKGS-2026-1117

GitHub issue published 2 months, 1 week ago

Permalink CVE-2026-33555

4.0 MEDIUM

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Changed (C)
• Confidentiality (C): None (N)
• Integrity (I): Low (L)
• Availability (A): None (N)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): None (N)
• Modified Scope (MS): Changed (C)
• Modified Integrity (MI): Low (L)
• Modified Availability (MA): None (N)

updated 2 months, 1 week ago by @LeSuisse Activity log

• Created suggestion 2 months, 1 week ago
• @LeSuisse ignored
  2 packages

  • prometheus-haproxy-exporter
  • haskellPackages.io-streams-haproxy
  2 months, 1 week ago
• @LeSuisse accepted 2 months, 1 week ago
• @LeSuisse published on GitHub 2 months, 1 week ago

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 …

• https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756…
• https://www.mail-archive.com/haproxy@formilux.org/msg46752.html

Ignored references (2)

• https://www.haproxy.org
• https://www.haproxy.com/documentation/haproxy-aloha/changelog/

---

HAProxy

• <3.3.6

Fix for 3.2.x in 3.2.15

https://git.haproxy.org/?p=haproxy-3.2.git;a=commit;h=7ab4ae974c434e62896b3c68b7b485b9dceb7a25