Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42032

6.7 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 1 week, 3 days ago by @LeSuisse Activity log

Created suggestion 1 week, 5 days ago
@LeSuisse dismissed (not in Nixpkgs) 1 week, 3 days ago

CKAN: Unauthenticated Authorization Bypass in `datastore_search_sql`

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system information This vulnerability is fixed in 2.10.10 and 2.11.5.

References

https://github.com/ckan/ckan/security/advisories/GHSA-cg4x-64p3-x59h x_refsource_CONFIRM

Affected products

ckan

==< 2.10.10
==>= 2.11.0, < 2.11.5

Matching in nixpkgs

pkgs.ckan

Mod manager for Kerbal Space Program

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.0
- nixos-25.11-small 1.36.0
- nixpkgs-25.11-darwin 1.36.0

Package maintainers

@Baughn Svein Ove Aas <sveina@gmail.com>
@nullcubee NullCube <nullcub3@gmail.com>

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-41132

6.6 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 1 week, 3 days ago by @LeSuisse Activity log

Created suggestion 1 week, 5 days ago
@LeSuisse dismissed (not in Nixpkgs) 1 week, 3 days ago

CKAN: No certificate validation on STMP connection

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in 2.10.10 and 2.11.5.

References

https://github.com/ckan/ckan/security/advisories/GHSA-mpfm-fpgx-647q x_refsource_CONFIRM

Affected products

ckan

==< 2.10.10
==>= 2.11.0, < 2.11.5

Matching in nixpkgs

pkgs.ckan

Mod manager for Kerbal Space Program

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.0
- nixos-25.11-small 1.36.0
- nixpkgs-25.11-darwin 1.36.0

Package maintainers

@Baughn Svein Ove Aas <sveina@gmail.com>
@nullcubee NullCube <nullcub3@gmail.com>

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-42031

8.3 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 week, 3 days ago by @LeSuisse Activity log

Created suggestion 1 week, 5 days ago
@LeSuisse dismissed (not in Nixpkgs) 1 week, 3 days ago

CKAN: Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information This vulnerability is fixed in 2.10.10 and 2.11.5.

References

https://github.com/ckan/ckan/security/advisories/GHSA-h7j7-3rx6-xvcg x_refsource_CONFIRM

Affected products

ckan

==< 2.10.10
==>= 2.11.0, < 2.11.5

Matching in nixpkgs

pkgs.ckan

Mod manager for Kerbal Space Program

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.0
- nixos-25.11-small 1.36.0
- nixpkgs-25.11-darwin 1.36.0

Package maintainers

@Baughn Svein Ove Aas <sveina@gmail.com>
@nullcubee NullCube <nullcub3@gmail.com>

Untriaged

Permalink CVE-2026-41255

6.1 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 week, 5 days ago Activity log

Created suggestion 1 week, 5 days ago

CKAN: CSRF exemption primed by anonymous requests

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. This API was never intended for request level changes, it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi). This vulnerability is fixed in 2.10.10 and 2.11.5.

References

https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73 x_refsource_CONFIRM
https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255 x_refsource_MISC

Affected products

ckan

==< 2.10.10
==>= 2.11.0, < 2.11.5

Matching in nixpkgs

pkgs.ckan

Mod manager for Kerbal Space Program

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.0
- nixos-25.11-small 1.36.0
- nixpkgs-25.11-darwin 1.36.0

Package maintainers

@Baughn Svein Ove Aas <sveina@gmail.com>
@nullcubee NullCube <nullcub3@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.ckan

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ckan

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ckan

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.ckan

Package maintainers