Nixpkgs security tracker

Permalink CVE-2026-57435

1.7 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day, 1 hour ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Permalink CVE-2026-57434

1.7 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day, 1 hour ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-9cv2-cfxc-v4v2 x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Permalink CVE-2026-57437

1.7 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Provider Urgency (U): Clear (Clear)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyond document lifetime

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7 x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Permalink CVE-2026-57236

1.7 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exception

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5v8h-3h3q-446p x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Permalink CVE-2026-57235

6.3 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5prr-v3j2-97mh x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Permalink CVE-2026-57436

1.7 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wjv4-x9w8-wm3h x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Permalink CVE-2026-57234

2.6 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2 x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Permalink CVE-2026-57438

2.2 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 17 hours ago by @LeSuisse Activity log

Created suggestion 1 day ago
@LeSuisse accepted 17 hours ago
@LeSuisse published on GitHub 17 hours ago

Nokogiri: Possible Use-After-Free in XInclude Processing

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wfpw-mmfh-qq69 x_refsource_CONFIRM

Affected products

nokogiri

==< 1.19.4

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_3.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_3_4.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

pkgs.rubyPackages_4_0.nokogiri

None

nixos-unstable 1.18.10
- nixpkgs-unstable 1.18.10
- nixos-unstable-small 1.18.10
nixos-26.05 1.18.10
- nixos-26.05-small 1.18.10
- nixpkgs-26.05-darwin 1.18.10

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri

References

Affected products

Matching in nixpkgs

pkgs.rubyPackages.nokogiri

pkgs.rubyPackages_3_3.nokogiri

pkgs.rubyPackages_3_4.nokogiri

pkgs.rubyPackages_4_0.nokogiri