Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1116
published 2 months, 1 week ago
Permalink CVE-2026-40090
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored package idrisPackages.hezarfen 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write

zarf
  • ==>= 0.23.0, < 0.74.2
NIXPKGS-2026-1115
published 2 months, 1 week ago
Permalink CVE-2026-34454
3.5 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored maintainer @Swarsel 2 months, 1 week ago maintainer.ignore
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

OAuth2 Proxy: Session cookie not cleared when rendering sign-in page

oauth2-proxy
  • ==>= 7.11.0, < 7.15.2
NIXPKGS-2026-1114
published 2 months, 1 week ago
Permalink CVE-2026-34457
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored maintainer @Swarsel 2 months, 1 week ago maintainer.ignore
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode

oauth2-proxy
  • ==< 7.15.2
NIXPKGS-2026-1113
published 2 months, 1 week ago
Permalink CVE-2026-35034
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    19 packages
    • jellyfin-rpc
    • jellyfin-tui
    • jellyfin-web
    • jellyfin-ffmpeg
    • mopidy-jellyfin
    • jellyfin-desktop
    • jellyfin-mpv-shim
    • jellyfin-media-player
    • kodiPackages.jellyfin
    • python312Packages.aiojellyfin
    • python313Packages.aiojellyfin
    • python314Packages.aiojellyfin
    • mopidyPackages.mopidy-jellyfin
    • home-assistant-component-tests.jellyfin
    • tests.home-assistant-components.jellyfin
    • python312Packages.jellyfin-apiclient-python
    • python313Packages.jellyfin-apiclient-python
    • python314Packages.jellyfin-apiclient-python
    • tests.home-assistant-component-tests.jellyfin
    2 months, 1 week ago
  • @LeSuisse ignored
    4 maintainers
    • @purcell
    • @nyanloutre
    • @jojosch
    • @minijackson
    2 months, 1 week ago maintainer.ignore
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

Jellyfin: Potential Application DoS from excessively large SyncPlay group names

jellyfin
  • ==< 10.11.7
NIXPKGS-2026-1112
published 2 months, 1 week ago
Permalink CVE-2026-35031
9.9 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    19 packages
    • jellyfin-rpc
    • jellyfin-tui
    • jellyfin-web
    • jellyfin-ffmpeg
    • mopidy-jellyfin
    • jellyfin-desktop
    • jellyfin-mpv-shim
    • jellyfin-media-player
    • kodiPackages.jellyfin
    • python312Packages.aiojellyfin
    • python313Packages.aiojellyfin
    • python314Packages.aiojellyfin
    • mopidyPackages.mopidy-jellyfin
    • home-assistant-component-tests.jellyfin
    • tests.home-assistant-components.jellyfin
    • python312Packages.jellyfin-apiclient-python
    • python313Packages.jellyfin-apiclient-python
    • python314Packages.jellyfin-apiclient-python
    • tests.home-assistant-component-tests.jellyfin
    2 months, 1 week ago
  • @LeSuisse ignored
    4 maintainers
    • @jojosch
    • @nyanloutre
    • @minijackson
    • @purcell
    2 months, 1 week ago maintainer.ignore
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain

jellyfin
  • ==< 10.11.7
NIXPKGS-2026-1111
published 2 months, 1 week ago
Permalink CVE-2026-35033
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    19 packages
    • jellyfin-rpc
    • jellyfin-tui
    • jellyfin-web
    • jellyfin-ffmpeg
    • mopidy-jellyfin
    • jellyfin-desktop
    • jellyfin-mpv-shim
    • jellyfin-media-player
    • kodiPackages.jellyfin
    • python312Packages.aiojellyfin
    • python313Packages.aiojellyfin
    • python314Packages.aiojellyfin
    • mopidyPackages.mopidy-jellyfin
    • home-assistant-component-tests.jellyfin
    • tests.home-assistant-components.jellyfin
    • python312Packages.jellyfin-apiclient-python
    • python313Packages.jellyfin-apiclient-python
    • python314Packages.jellyfin-apiclient-python
    • tests.home-assistant-component-tests.jellyfin
    2 months, 1 week ago
  • @LeSuisse ignored
    4 maintainers
    • @jojosch
    • @nyanloutre
    • @minijackson
    • @purcell
    2 months, 1 week ago maintainer.ignore
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection

jellyfin
  • ==< 10.11.7
NIXPKGS-2026-1110
published 2 months, 1 week ago
Permalink CVE-2026-35032
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    19 packages
    • jellyfin-rpc
    • jellyfin-tui
    • jellyfin-web
    • jellyfin-ffmpeg
    • mopidy-jellyfin
    • jellyfin-desktop
    • jellyfin-mpv-shim
    • jellyfin-media-player
    • kodiPackages.jellyfin
    • python312Packages.aiojellyfin
    • python313Packages.aiojellyfin
    • python314Packages.aiojellyfin
    • mopidyPackages.mopidy-jellyfin
    • home-assistant-component-tests.jellyfin
    • tests.home-assistant-components.jellyfin
    • python312Packages.jellyfin-apiclient-python
    • python313Packages.jellyfin-apiclient-python
    • python314Packages.jellyfin-apiclient-python
    • tests.home-assistant-component-tests.jellyfin
    2 months, 1 week ago
  • @LeSuisse ignored
    4 maintainers
    • @jojosch
    • @minijackson
    • @nyanloutre
    • @purcell
    2 months, 1 week ago maintainer.ignore
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner

jellyfin
  • ==< 10.11.7
NIXPKGS-2026-1108
published 2 months, 1 week ago
Permalink CVE-2026-39956
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    38 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • tests.fetchpatch.relative
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • tests.fetchNextcloudApp.simple-sha512
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • tests.fetchFromGitHub.submodule-leave-git
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure

jq
  • ==>= 69785bf77f86e2ea1b4a20ca86775916889e91c9, < fdf8ef0f0810e3d365cdd5160de43db46f57ed03
NIXPKGS-2026-1107
published 2 months, 1 week ago
Permalink CVE-2026-40164
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    38 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • tests.fetchpatch.relative
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • tests.fetchNextcloudApp.simple-sha512
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • tests.fetchFromGitHub.submodule-leave-git
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed

jq
  • ==< 0c7d133c3c7e37c00b6d46b658a02244fdd3c784
NIXPKGS-2026-1106
published 2 months, 1 week ago
Permalink CVE-2026-40310
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • graphicsmagick-imagemagick-compat
    • tests.pkg-config.defaultPkgConfigPackages.MagickWand
    • tests.pkg-config.defaultPkgConfigPackages.ImageMagick
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

ImageMagick: Heap out-of-bounds write in JP2 encoder

ImageMagick
  • ==< 6.9.13-44
  • ==< 7.1.2-19