Nixpkgs security tracker


Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1036
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored 6 packages:
    • python312Packages.pymupdf4llm
    • python313Packages.pymupdf4llm
    • python314Packages.pymupdf4llm
    • python312Packages.pymupdf-fonts
    • python313Packages.pymupdf-fonts
    • python314Packages.pymupdf-fonts
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

CVE-2026-3029


PyMuPDF
  • < 1.26.7
NIXPKGS-2026-1035
published 2 months, 2 weeks ago
CVE-2026-39863
7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVSS version: 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Environmental (Modified) metrics: all equal to the base metrics above (MAV:N, MAC:L, MPR:N, MUI:N, MS:U, MC:N, MI:N, MA:H)
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Kamailio Core: TCP Data Processing Vulnerability


kamailio
  • < 5.8.8
  • >= 6.0.0, < 6.0.6
  • >= 6.1.0, < 6.1.1
NIXPKGS-2026-1034
published 2 months, 2 weeks ago
CVE-2026-39864
4.4 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
  • CVSS version: 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Environmental (Modified) metrics: all equal to the base metrics above (MAV:N, MAC:H, MPR:H, MUI:N, MS:U, MC:N, MI:N, MA:H)
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Kamailio Auth: Processing Vulnerability For Additional Authenticated User Identity Checks


kamailio
  • >= 6.0.0, < 6.0.5
  • < 5.8.7
NIXPKGS-2026-1033
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored 3 packages:
    • python312Packages.zammad-py
    • python313Packages.zammad-py
    • python314Packages.zammad-py
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zammad has incorrect access control in getting_started_controller


zammad
  • >= 7.0.0-alpha, < 7.0.1
  • < 6.5.4
NIXPKGS-2026-1032
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored 3 packages:
    • python312Packages.zammad-py
    • python313Packages.zammad-py
    • python314Packages.zammad-py
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zammad has an information disclosure in ticket detail view of customers in shared organizations


zammad
  • >= 7.0.0, < 7.0.1
NIXPKGS-2026-1031
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored 3 packages:
    • python312Packages.zammad-py
    • python313Packages.zammad-py
    • python314Packages.zammad-py
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zammad is missing authorization in ticket create endpoint


zammad
  • >= 7.0.0-alpha, < 7.0.1
  • < 6.5.4
NIXPKGS-2026-1030
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored 3 packages:
    • python312Packages.zammad-py
    • python313Packages.zammad-py
    • python314Packages.zammad-py
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zammad has a server-side template injection leading to RCE via AI Agent


zammad
  • >= 7.0.0, < 7.0.1
NIXPKGS-2026-1029
published 2 months, 2 weeks ago
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored 3 packages:
    • python312Packages.zammad-py
    • python313Packages.zammad-py
    • python314Packages.zammad-py
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints


zammad
  • >= 7.0.0-alpha, < 7.0.1
  • < 6.5.4
NIXPKGS-2026-1028
published 2 months, 2 weeks ago
CVE-2026-40026
4.4 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
  • CVSS version: 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Environmental (Modified) metrics: all equal to the base metrics above (MAV:L, MAC:L, MPR:N, MUI:R, MS:U, MC:L, MI:N, MA:L)
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

Sleuth Kit ISO9660 SUSP Extension Reference Out-of-Bounds Read


sleuthkit
  • commit a95b0ac21733b059a517aaefa667a17e1bcbdee1
  • < 4.14.0
NIXPKGS-2026-1027
published 2 months, 2 weeks ago
CVE-2026-39844
5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
  • CVSS version: 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Environmental (Modified) metrics: all equal to the base metrics above (MAV:N, MAC:H, MPR:N, MUI:N, MS:U, MC:N, MI:H, MA:N)
updated 2 months, 2 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
  • @LeSuisse ignored 3 packages:
    • python312Packages.nicegui-highcharts
    • python313Packages.nicegui-highcharts
    • python314Packages.nicegui-highcharts

NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization


nicegui
  • < 3.10.0
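Each entry above ends with the affected version ranges the tracker matched against nixpkgs: a conjunction of comparisons such as ">= 6.0.0, < 6.0.6", several alternative ranges for one package, a pre-release lower bound (">= 7.0.0-alpha"), or a bare git commit id (sleuthkit). The block below, an added example that is not code from the tracker or from nixpkgs, evaluates ranges written that way against a concrete version, with SemVer pre-release ordering so that 7.0.0-alpha sorts below 7.0.0. That ordering is what makes the two zammad range styles differ: ">= 7.0.0-alpha, < 7.0.1" covers the alpha, ">= 7.0.0, < 7.0.1" does not. The range lists are transcribed from the entries above; the constant and function names are this example's own.

```python
"""Evaluate advisory version ranges of the kind shown in this listing.

Added example, not code from the tracker or nixpkgs. Range syntax mirrors the listing:
a comma-separated conjunction of comparisons ('< 5.8.8', '>= 6.0.0, < 6.0.6') or a bare
40-hex git commit id meaning 'affected at exactly that revision'. Ordering follows
SemVer, so 7.0.0-alpha < 7.0.0 (the zammad entries depend on this).
"""
import re
from typing import List, Tuple

# Ranges transcribed from the entries above (the constant names are this example's own).
KAMAILIO_CVE_2026_39863 = ["< 5.8.8", ">= 6.0.0, < 6.0.6", ">= 6.1.0, < 6.1.1"]
ZAMMAD_1033 = [">= 7.0.0-alpha, < 7.0.1", "< 6.5.4"]
ZAMMAD_1032 = [">= 7.0.0, < 7.0.1"]
SLEUTHKIT_1028 = ["a95b0ac21733b059a517aaefa667a17e1bcbdee1", "< 4.14.0"]

_COMMIT = re.compile(r"^[0-9a-f]{40}$")
_CLAUSE = re.compile(r"^(<=|>=|==|<|>|=)\s*(\S+)$")

VersionKey = Tuple[Tuple[int, ...], tuple]


def parse_version(text: str) -> VersionKey:
    """Split '7.0.1-rc.2' into a zero-padded numeric core and a pre-release key.

    SemVer rules: a release sorts after any pre-release of the same core; within
    pre-release identifiers, numbers sort numerically and before words, words sort
    lexically, and a longer identifier list wins a tie on the shared prefix.
    """
    core, _, pre = text.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers = numbers + (0,) * max(0, 4 - len(numbers))   # so '6.0' == '6.0.0'
    if not pre:
        return numbers, (1,)          # release: above every pre-release of this core
    idents = tuple(
        (0, int(i), "") if i.isdigit() else (1, 0, i) for i in pre.split(".")
    )
    return numbers, (0, idents)


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` satisfies one range expression such as '>= 6.0.0, < 6.0.6'."""
    if _COMMIT.match(constraint) or _COMMIT.match(version):
        # A commit pin only matches that exact revision; a release number never does.
        return version == constraint
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        holds = {"<": v < bound, "<=": v <= bound, ">": v > bound,
                 ">=": v >= bound, "=": v == bound, "==": v == bound}[op]
        if not holds:
            return False
    return True


def is_affected(version: str, ranges: List[str]) -> bool:
    """An advisory lists alternative ranges; the version is affected if any one matches."""
    return any(satisfies(version, r) for r in ranges)


if __name__ == "__main__":
    for ver in ("5.8.7", "5.8.8", "6.0.5", "6.0.6", "6.1.0", "6.1.1"):
        state = "affected" if is_affected(ver, KAMAILIO_CVE_2026_39863) else "not affected"
        print(f"kamailio {ver}: {state}")
    for ver in ("7.0.0-alpha", "7.0.0", "7.0.1"):
        print(f"zammad {ver}: 1033={is_affected(ver, ZAMMAD_1033)} 1032={is_affected(ver, ZAMMAD_1032)}")
```

If you reimplement this in Nix, check how builtins.compareVersions orders the pre-release case before relying on it: it special-cases only the component "pre" (so 2.0pre sorts below 2.0), and it is not guaranteed to put 7.0.0-alpha below 7.0.0 the way the advisory ranges assume.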