Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1076
published 2 months, 1 week ago
Permalink CVE-2026-40385
4.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago

In libexif through 0.6.25, an unsigned 32bit integer overflow in …

libexif
  • =<0.6.25 
No tier 1 or tier 2 support of 32 bits systems.
NIXPKGS-2026-1075
published 2 months, 2 weeks ago
Permalink CVE-2026-32146
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    6 packages
    • vscode-extensions.gleam.gleam
    • tree-sitter-grammars.tree-sitter-gleam
    • vimPlugins.nvim-treesitter-parsers.gleam
    • python312Packages.tree-sitter-grammars.tree-sitter-gleam
    • python313Packages.tree-sitter-grammars.tree-sitter-gleam
    • python314Packages.tree-sitter-grammars.tree-sitter-gleam
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification

gleam
  • *
gleam-lang/gleam
  • *
NIXPKGS-2026-1074
published 2 months, 2 weeks ago
Permalink CVE-2026-5774
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    2 packages
    • jujutsu
    • jujuutils
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map

juju
  • <2.9.57
  • <4.0.6
  • <3.6.21
NIXPKGS-2026-1073
published 2 months, 2 weeks ago
Permalink CVE-2026-40188
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

goshs is Missing Write Protection for Parametric Data Values

goshs
  • ==>= 1.0.7, < 2.0.0-beta.4
NIXPKGS-2026-1072
published 2 months, 2 weeks ago
Permalink CVE-2026-6067
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    5 packages
    • nasmfmt
    • tree-sitter-grammars.tree-sitter-nasm
    • vimPlugins.nvim-treesitter-parsers.nasm
    • python314Packages.tree-sitter-grammars.tree-sitter-nasm
    • python313Packages.tree-sitter-grammars.tree-sitter-nasm
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

CVE-2026-6067

NASM
  • ==nasm-3.02rc5
NIXPKGS-2026-1071
published 2 months, 2 weeks ago
Permalink CVE-2026-5477
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Prefix-substitution forgery via integer overflow in wolfCrypt CMAC

wolfSSL
  • =<5.9.0
NIXPKGS-2026-1070
published 2 months, 2 weeks ago
Permalink CVE-2026-5724
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    19 packages
    • temporal-cli
    • temporal_capi
    • temporal-ui-server
    • haskellPackages.temporal-music-notation-western
    • terraform-providers.temporalio_temporalcloud
    • haskellPackages.temporal-music-notation-demo
    • haskellPackages.temporal-music-notation
    • postgresql18Packages.temporal_tables
    • postgresql17Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • haskellPackages.temporal-api-protos
    • postgresqlPackages.temporal_tables
    • terraform-providers.temporalcloud
    • haskellPackages.temporal-media
    • python314Packages.temporalio
    • python313Packages.temporalio
    • python312Packages.temporalio
    2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Missing Authentication on Streaming gRPC Replication Endpoint

temporal
  • =<1.29.5
  • =<1.30.3
  • =<1.28.3
NIXPKGS-2026-1069
published 2 months, 2 weeks ago
Permalink CVE-2026-5479
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

wolfSSL EVP ChaCha20-Poly1305 AEAD authentication tag

wolfSSL
  • <5.9.1
NIXPKGS-2026-1068
published 2 months, 2 weeks ago
Permalink CVE-2026-40103
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored package vikunja-desktop 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds

vikunja
  • ==< 2.3.0
NIXPKGS-2026-1067
published 2 months, 2 weeks ago
Permalink CVE-2026-35596
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored package vikunja-desktop 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 2 weeks ago
  • @LeSuisse published on GitHub 2 months, 2 weeks ago

Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug

vikunja
  • ==< 2.3.0