Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-46383

5.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 1 week, 2 days ago by @LeSuisse Activity log

Created suggestion 1 week, 3 days ago
@LeSuisse dismissed (not in Nixpkgs) 1 week, 2 days ago

Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a legacy --format apm bundle. On Python versions earlier than 3.12, that probe extracts untrusted tar members with raw tar.extractall() without rejecting Windows absolute member names such as D:/.... This vulnerability is fixed in 0.13.0.

References

https://github.com/microsoft/apm/security/advisories/GHSA-mq5j-pw29-jcv3 x_refsource_CONFIRMexploit

Affected products

apm

==< 0.13.0

Matching in nixpkgs

pkgs.wapm

Package manager for WebAssembly modules

nixos-unstable 0.5.9
- nixpkgs-unstable 0.5.9
- nixos-unstable-small 0.5.9
nixos-25.11 0.5.9
- nixos-25.11-small 0.5.9
- nixpkgs-25.11-darwin 0.5.9

pkgs.apmplanner2

Ground station software for autonomous vehicles

nixos-25.11 2.0.28
- nixos-25.11-small 2.0.28
- nixpkgs-25.11-darwin 2.0.28

pkgs.ldapmonitor

Tool to monitor creation, deletion and changes to LDAP objects

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.4
- nixos-25.11-small 1.4
- nixpkgs-25.11-darwin 1.4

pkgs.xf86videoapm

Alliance Promotion video driver for the Xorg X server

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0

pkgs.xf86-video-apm

None

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.snapmaker-luban

Snapmaker Luban is an easy-to-use 3-in-1 software tailor-made for Snapmaker machines

nixos-unstable 4.15.0
- nixpkgs-unstable 4.15.0
- nixos-unstable-small 4.15.0
nixos-25.11 4.15.0
- nixos-25.11-small 4.15.0
- nixpkgs-25.11-darwin 4.15.0

pkgs.xorg.xf86videoapm

None

nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.kdePackages.kapman

Kapman is a clone of the well known game Pac-Man

nixos-unstable 26.04.1
- nixpkgs-unstable 26.04.1
- nixos-unstable-small 26.04.1
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3