Nixpkgs security tracker

Untriaged

Permalink CVE-2026-44693

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

created 2 weeks, 1 day ago Activity log

Created suggestion 2 weeks, 1 day ago

Pi-hole FTL: Unauthenticated Session Hijacking via Race Condition on Global Session Buffer

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.

References

https://github.com/pi-hole/FTL/security/advisories/GHSA-9ff5-f3v5-2xc7 x_refsource_CONFIRM
https://github.com/pi-hole/FTL/releases/tag/v6.6.1 x_refsource_MISC

Affected products

FTL

==< 6.6.1

Matching in nixpkgs

pkgs.swiftlint

Tool to enforce Swift style and conventions

nixos-unstable 0.63.2
- nixpkgs-unstable 0.63.2
- nixos-unstable-small 0.63.2
nixos-26.05 0.63.2
- nixos-26.05-small 0.63.2
- nixpkgs-26.05-darwin 0.63.2

pkgs.pihole-ftl

Pi-hole FTL engine

nixos-unstable 6.6.1
- nixpkgs-unstable 6.6.2
- nixos-unstable-small 6.6.2
nixos-26.05 6.6.2
- nixos-26.05-small 6.6.2
- nixpkgs-26.05-darwin 6.6.2

pkgs.python313Packages.softlayer

Python libraries that assist in calling the SoftLayer API

nixos-unstable 6.2.7
- nixpkgs-unstable 6.2.7
- nixos-unstable-small 6.2.7
nixos-26.05 6.2.7
- nixos-26.05-small 6.2.7
- nixpkgs-26.05-darwin 6.2.7

pkgs.python314Packages.softlayer

Python libraries that assist in calling the SoftLayer API

nixos-unstable 6.2.7
- nixpkgs-unstable 6.2.7
- nixos-unstable-small 6.2.7
nixos-26.05 6.2.7
- nixos-26.05-small 6.2.7
- nixpkgs-26.05-darwin 6.2.7

pkgs.chickenPackages_5.chickenEggs.ftl

Interface based sequence library

nixos-unstable 0.9
- nixpkgs-unstable 0.9
- nixos-unstable-small 0.9
nixos-26.05 0.9
- nixos-26.05-small 0.9
- nixpkgs-26.05-darwin 0.9

Package maintainers

@averyvigolo Avery Vigolo <nixpkgs@averyv.me>
@onny Jonas Heinrich <onny@project-insanity.org>
@matteo-pacini Matteo Pacini <m@matteopacini.me>
@DimitarNestorov Dimitar Nestorov <nix@dimitarnestorov.com>

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-49017

7.1 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Low (L)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 4 weeks ago by @LeSuisse Activity log

Created suggestion 4 weeks, 1 day ago
@LeSuisse dismissed (not in Nixpkgs) 4 weeks ago

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters …

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0.