Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1086
published 2 months, 1 week ago
Permalink CVE-2026-33948
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    38 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • tests.fetchpatch.relative
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • tests.fetchNextcloudApp.simple-sha512
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • tests.fetchFromGitHub.submodule-leave-git
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input

jq
  • ==< 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b
NIXPKGS-2026-1085
published 2 months, 1 week ago
Permalink CVE-2026-33947
6.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    38 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • tests.fetchpatch.relative
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • tests.fetchNextcloudApp.simple-sha512
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • tests.fetchFromGitHub.submodule-leave-git
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()

jq
  • ==< fb59f1491058d58bdc3e8dd28f1773d1ac690a1f
NIXPKGS-2026-1084
published 2 months, 1 week ago
Permalink CVE-2026-39979
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    38 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • tests.fetchpatch.relative
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • tests.fetchNextcloudApp.simple-sha512
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • tests.fetchFromGitHub.submodule-leave-git
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers

jq
  • ==< 2f09060afab23fe9390cce7cb860b10416e1bf5f
NIXPKGS-2026-1083
published 2 months, 1 week ago
Permalink CVE-2026-5053
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

NoMachine External Control of File Path Arbitrary File Deletion Vulnerability

NoMachine
  • ==9.3.7 
https://kb.nomachine.com/SU03X00271
NIXPKGS-2026-1082
published 2 months, 1 week ago
Permalink CVE-2026-4150
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    18 packages
    • zigimports
    • gimpPlugins.gimp
    • gimpPlugins.gmic
    • gimp-with-plugins
    • gimp2Plugins.bimp
    • gimp2Plugins.gimp
    • gimp2Plugins.gmic
    • gimp2-with-plugins
    • gimp3-with-plugins
    • gimp2Plugins.fourier
    • gimp2Plugins.farbfeld
    • gimpPlugins.lightning
    • gimp2Plugins.lightning
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.texturize
    • gimp2Plugins.gimplensfun
    • gimpPlugins.resynthesizer
    • gimp2Plugins.waveletSharpen
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability

GIMP
  • ==3.0.8
NIXPKGS-2026-1081
published 2 months, 1 week ago
Permalink CVE-2026-5055
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

NoMachine
  • ==9.2.18_1 
https://kb.nomachine.com/SU03X00271
NIXPKGS-2026-1080
published 2 months, 1 week ago
Permalink CVE-2026-2728
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site …

librenms
  • <26.3.0
NIXPKGS-2026-1079
published 2 months, 1 week ago
Permalink CVE-2026-33858
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API

apache-airflow
  • <3.2.0
NIXPKGS-2026-1078
published 2 months, 1 week ago
Permalink CVE-2026-4158
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • keepassxc-go
    • git-credential-keepassxc
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

KeePassXC
  • ==2.7.11
NIXPKGS-2026-1077
published 2 months, 1 week ago
Permalink CVE-2026-40386
4.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

In libexif through 0.6.25, an integer underflow in size checking …

libexif
  • =<0.6.25