Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-44641

7.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 1 week, 2 days ago by @LeSuisse Activity log

Created suggestion 1 week, 3 days ago
@LeSuisse dismissed (not in Nixpkgs) 1 week, 2 days ago

Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.

References

https://github.com/microsoft/apm/security/advisories/GHSA-xhrw-5qxx-jpwr x_refsource_CONFIRMexploit

Affected products

apm

==< 0.8.12

Matching in nixpkgs

pkgs.wapm

Package manager for WebAssembly modules

nixos-unstable 0.5.9
- nixpkgs-unstable 0.5.9
- nixos-unstable-small 0.5.9
nixos-25.11 0.5.9
- nixos-25.11-small 0.5.9
- nixpkgs-25.11-darwin 0.5.9

pkgs.apmplanner2

Ground station software for autonomous vehicles

nixos-25.11 2.0.28
- nixos-25.11-small 2.0.28
- nixpkgs-25.11-darwin 2.0.28

pkgs.ldapmonitor

Tool to monitor creation, deletion and changes to LDAP objects

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.4
- nixos-25.11-small 1.4
- nixpkgs-25.11-darwin 1.4

pkgs.xf86videoapm

Alliance Promotion video driver for the Xorg X server

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0

pkgs.xf86-video-apm

None

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.snapmaker-luban

Snapmaker Luban is an easy-to-use 3-in-1 software tailor-made for Snapmaker machines

nixos-unstable 4.15.0
- nixpkgs-unstable 4.15.0
- nixos-unstable-small 4.15.0
nixos-25.11 4.15.0
- nixos-25.11-small 4.15.0
- nixpkgs-25.11-darwin 4.15.0

pkgs.xorg.xf86videoapm

None

nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.kdePackages.kapman

Kapman is a clone of the well known game Pac-Man

nixos-unstable 26.04.1
- nixpkgs-unstable 26.04.1
- nixos-unstable-small 26.04.1
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3