Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: quickjs

Found 3 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-3979
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    7 packages
    • python312Packages.quickjs
    • python313Packages.quickjs
    • python314Packages.quickjs
    • haskellPackages.mquickjs-hs
    • python312Packages.llm-tools-quickjs
    • python313Packages.llm-tools-quickjs
    • python314Packages.llm-tools-quickjs
    3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago
quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free

A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.

Affected products

quickjs
  • ==0.12.1
  • ==0.12.0

Matching in nixpkgs

Ignored packages (7) 
Upstream issue: https://github.com/quickjs-ng/quickjs/issues/1368
Upstream patch: https://github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92def4cd
Published
Permalink CVE-2026-1144
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.quickjs
    • python313Packages.quickjs
    • python312Packages.llm-tools-quickjs
    • python313Packages.llm-tools-quickjs
    5 months ago
  • @LeSuisse accepted 5 months ago
  • @LeSuisse published on GitHub 5 months ago
quickjs-ng quickjs Atomics Ops quickjs.c use after free

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

Affected products

quickjs
  • ==0.9
  • ==0.10
  • ==0.11.0
  • ==0.1
  • ==0.4
  • ==0.3
  • ==0.6
  • ==0.7
  • ==0.5
  • ==0.8
  • ==0.2

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Quickjs-ng patch: https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
Pending PR for quickjs: https://github.com/bellard/quickjs/pull/483
Published
Permalink CVE-2026-1145
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.quickjs
    • python313Packages.quickjs
    • python312Packages.llm-tools-quickjs
    • python313Packages.llm-tools-quickjs
    5 months ago
  • @LeSuisse accepted 5 months ago
  • @LeSuisse published on GitHub 5 months ago
quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow

A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

Affected products

quickjs
  • ==0.9
  • ==0.10
  • ==0.11.0
  • ==0.1
  • ==0.4
  • ==0.3
  • ==0.6
  • ==0.7
  • ==0.5
  • ==0.8
  • ==0.2

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Merged patch for quickjs-ng: https://github.com/quickjs-ng/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4
Pending PR for quickjs: https://github.com/bellard/quickjs/pull/483