Nixpkgs security tracker

Published

Permalink CVE-2026-33609

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored
5 packages
- pdnsd
- pdnsgrep
- pdns-recursor
- home-assistant-component-tests.namecheapdns
- tests.home-assistant-components.namecheapdns
9 hours ago
@LeSuisse accepted 9 hours ago
@LeSuisse published on GitHub 6 hours ago

LDAP DN injection

Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.

References

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-p…

Affected products

pdns

<5.0.4
<4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

Ignored packages (5)

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Published

Permalink CVE-2026-33608

7.4 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored
5 packages
- pdnsd
- pdnsgrep
- pdns-recursor
- home-assistant-component-tests.namecheapdns
- tests.home-assistant-components.namecheapdns
9 hours ago
@LeSuisse accepted 9 hours ago
@LeSuisse ignored reference https://d… 9 hours ago
@LeSuisse published on GitHub 6 hours ago

Incomplete domain name sanitization during

An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.

References

Ignored references (1)

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-p…

Affected products

pdns

<5.0.4
<4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

Ignored packages (5)

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Published

Permalink CVE-2026-33611

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored
5 packages
- pdnsd
- pdnsgrep
- pdns-recursor
- home-assistant-component-tests.namecheapdns
- tests.home-assistant-components.namecheapdns
9 hours ago
@LeSuisse accepted 9 hours ago
@LeSuisse published on GitHub 6 hours ago

Insufficient validation of HTTPS and SVCB records

An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.

References

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-p…

Affected products

pdns

<5.0.4
<4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

Ignored packages (5)

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Published

Permalink CVE-2026-33260

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored
7 packages
- rotp
- pdnsd
- dnsdist
- pdnsgrep
- pdns-recursor
- home-assistant-component-tests.namecheapdns
- tests.home-assistant-components.namecheapdns
9 hours ago
@LeSuisse accepted 9 hours ago
@LeSuisse restored
2 packages
- dnsdist
- pdns-recursor
9 hours ago
@LeSuisse published on GitHub 6 hours ago

Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

References

Affected products

pdns

<5.0.4
<4.9.14

dnsdist

<1.9.13
<2.0.4

pdns-recursor

<5.3.6
<5.4.1
<5.2.9

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

pkgs.dnsdist

DNS Loadbalancer

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 1.9.12
- nixos-25.11-small 1.9.12
- nixpkgs-25.11-darwin 1.9.12

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (5)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>
@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Published

Permalink CVE-2026-33257

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored package rotp 9 hours ago
@LeSuisse ignored reference https://d… 9 hours ago
@LeSuisse ignored
4 packages
- pdnsgrep
- pdnsd
- tests.home-assistant-components.namecheapdns
- home-assistant-component-tests.namecheapdns
9 hours ago
@LeSuisse accepted 9 hours ago
@LeSuisse published on GitHub 6 hours ago

Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

References

Ignored references (1)

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns

<5.0.4
<4.9.14

dnsdist

<1.9.13
<2.0.4

pdns-recursor

<5.3.6
<5.4.1
<5.2.9

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

pkgs.dnsdist

DNS Loadbalancer

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 1.9.12
- nixos-25.11-small 1.9.12
- nixpkgs-25.11-darwin 1.9.12

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (5)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>
@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Published

Permalink CVE-2026-33610

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored
5 packages
- pdnsd
- pdnsgrep
- pdns-recursor
- home-assistant-component-tests.namecheapdns
- tests.home-assistant-components.namecheapdns
8 hours ago
@LeSuisse ignored reference https://d… 8 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 6 hours ago

Possible file descriptor exhaustion in forward-dnsupdate

A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.

References

Ignored references (1)

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-p…

Affected products

pdns

<5.0.4
<4.9.14

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

Ignored packages (5)

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.pdns-recursor

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.pdns-recursor

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.pdns-recursor

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.dnsdist

pkgs.pdns-recursor

pkgs.rotp

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.dnsdist

pkgs.pdns-recursor

pkgs.rotp

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.pdns-recursor

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers