9.2 CRITICAL
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): High (H)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): High (H)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): High (H)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): High (H)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
by @LeSuisse
Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
Path Traversal in Diagram
Diagram's export module is vulnerable to Path Traversal in the src attribute because the HTML it receives is not sanitized. An unauthenticated user could craft an HTML payload that includes local files from the server and displays them in the generated PDF. This issue was fixed in version 1.1.1.
References
- https://cert.pl/en/posts/2026/05/CVE-2026-7182 (third-party-advisory)
- https://docs.dhtmlx.com/diagram/whats_new/#version-612 (release-notes)
Affected products
- <1.1.1
Matching in nixpkgs
pkgs.diagrams-as-code
Declarative configurations using YAML for drawing cloud system architectures
pkgs.diagrams-builder
hint-based build service for the diagrams graphics EDSL
pkgs.pandoc-ext-diagram
Generate diagrams from embedded code; supports Mermaid, Dot/GraphViz, PlantUML, Asymptote, D2, CeTZ, and TikZ
pkgs.libsForQt5.kdiagram
Libraries for creating business diagrams
pkgs.kdePackages.kdiagram
Powerful libraries (KChart, KGantt) for creating business diagrams
pkgs.typstPackages.modiagram
Draw molecular orbital and energy pathway diagrams
pkgs.haskellPackages.diagrams
Embedded domain-specific language for declarative vector graphics
pkgs.plasma5Packages.kdiagram
Libraries for creating business diagrams
pkgs.python312Packages.diagrams
Diagram as Code
pkgs.python313Packages.diagrams
Diagram as Code
pkgs.python314Packages.diagrams
Diagram as Code
pkgs.haskellPackages.diagrams-gtk
Backend for rendering diagrams directly to GTK windows
pkgs.haskellPackages.diagrams-lib
Embedded domain-specific language for declarative graphics
pkgs.haskellPackages.diagrams-pgf
PGF backend for diagrams drawing EDSL
pkgs.haskellPackages.diagrams-svg
SVG backend for diagrams drawing EDSL
pkgs.haskellPackages.diagrams-core
Core libraries for diagrams EDSL
pkgs.python312Packages.osc-diagram
Build Outscale cloud diagrams
- nixos-25.11 2023-08-07
- nixos-25.11-small 2023-08-07
- nixpkgs-25.11-darwin 2023-08-07
pkgs.python313Packages.osc-diagram
Build Outscale cloud diagrams
- nixos-unstable 2023-08-07
- nixpkgs-unstable 2023-08-07
- nixos-unstable-small 2023-08-07
- nixos-25.11 2023-08-07
- nixos-25.11-small 2023-08-07
- nixpkgs-25.11-darwin 2023-08-07
pkgs.python314Packages.osc-diagram
Build Outscale cloud diagrams
- nixos-unstable 2023-08-07
- nixpkgs-unstable 2023-08-07
- nixos-unstable-small 2023-08-07
pkgs.typstPackages.modiagram_0_1_0
Draw molecular orbital and energy pathway diagrams
pkgs.typstPackages.modiagram_0_1_1
Draw molecular orbital and energy pathway diagrams
pkgs.haskellPackages.Chart-diagrams
Diagrams backend for Charts
pkgs.haskellPackages.diagrams-cairo
Cairo backend for diagrams drawing EDSL
pkgs.haskellPackages.diagrams-input
Parse raster and SVG files for diagrams
pkgs.haskellPackages.diagrams-solve
Pure Haskell solver routines used by diagrams
pkgs.haskellPackages.diagrams-canvas
HTML5 canvas backend for diagrams drawing EDSL
pkgs.haskellPackages.diagrams-pandoc
A Pandoc filter to express diagrams inline using the Haskell EDSL _Diagrams_
pkgs.haskellPackages.hakyll-diagrams
A Hakyll plugin for rendering diagrams figures from embedded Haskell code
pkgs.haskellPackages.diagrams-braille
Braille diagrams with plain text
pkgs.haskellPackages.diagrams-builder
hint-based build service for the diagrams graphics EDSL
pkgs.haskellPackages.diagrams-contrib
Collection of user contributions to diagrams EDSL
pkgs.haskellPackages.diagrams-gi-cairo
Cairo backend for diagrams drawing EDSL
pkgs.haskellPackages.diagrams-graphviz
Graph layout and drawing with GraphViz and diagrams
pkgs.haskellPackages.ihaskell-diagrams
IHaskell display instances for diagram types
pkgs.haskellPackages.diagrams-postscript
Postscript backend for diagrams drawing EDSL
pkgs.haskellPackages.diagrams-rasterific
Rasterific backend for diagrams
pkgs.python312Packages.railroad-diagrams
Module to generate SVG railroad syntax diagrams
pkgs.python313Packages.railroad-diagrams
Module to generate SVG railroad syntax diagrams
pkgs.python314Packages.railroad-diagrams
Module to generate SVG railroad syntax diagrams
Package maintainers
- @Sigmanificient Yohann Boniface <sigmanificient@gmail.com>
- @sternenseemann Lukas Epple <sternenseemann@systemli.org>
- @mjm Matt Moriarity <matt@mattmoriarity.com>
- @K900 Ilya K. <me@0upti.me>
- @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
- @peterhoeg Peter Hoeg <peter@hoeg.com>
- @FRidh Frederik Rietdijk <fridh@fridh.nl>
- @nyanloutre Paul Trehiou <paul@nyanlout.re>
- @ttuegel Thomas Tuegel <ttuegel@mailbox.org>
- @bkchr Bastian Köcher <nixos@kchr.de>
- @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
- @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
- @NickCao Nick Cao <nickcao@nichi.co>
- @drupol Pol Dellaiera <pol.dellaiera@protonmail.com>
- @addict3d Nick Bathum <nickbathum@gmail.com>
- @nicolas-goudry Nicolas Goudry <goudry.nicolas@gmail.com>
- @RossSmyth Ross Smyth
- @cherrypiejam Gongqi Huang