Nixpkgs Security Tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.


CVE-2026-29085
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    22 packages
    • libsForQt5.phonon
    • kdePackages.phonon
    • kdePackages.phonon-vlc
    • plasma5Packages.phonon
    • typstPackages.phonokit
    • python312Packages.phonopy
    • python313Packages.phonopy
    • python314Packages.phonopy
    • typstPackages.phonokit_0_0_1
    • typstPackages.phonokit_0_2_0
    • typstPackages.phonokit_0_3_0
    • typstPackages.phonokit_0_3_5
    • typstPackages.phonokit_0_3_6
    • typstPackages.phonokit_0_3_7
    • typstPackages.phonokit_0_4_0
    • libsForQt5.phonon-backend-vlc
    • python312Packages.pythonocc-core
    • python313Packages.pythonocc-core
    • python314Packages.pythonocc-core
    • plasma5Packages.phonon-backend-vlc
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
  • @LeSuisse dismissed
Hono: SSE Control Field Injection via CR/LF in writeSSE()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
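The field-splitting described above, as an added example that is not Hono's code: a toy SSE frame serializer that, like the pre-4.12.4 behaviour, writes event/id/retry unvalidated, a client-side frame parser to show what the browser ends up with, and a hardened serializer that refuses CR/LF. Function names and the attacker string are this example's own assumptions.

```javascript
// Added example (not Hono's code): SSE control-field injection and its fix.
// SSE wire format: "name: value\n" per field, a blank line ends the frame.
// Only "data" is split into multiple lines, which is how the format carries
// multi-line payloads safely; event/id/retry are single-line by definition.
function formatEventUnsafe({ data, event, id, retry }) {
  let out = "";
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  for (const line of String(data).split(/\r?\n/)) out += `data: ${line}\n`;
  return out + "\n";
}

// Minimal EventSource-style parser for one frame: a later field overwrites
// an earlier one of the same name, "data" lines are joined with "\n".
function parseFrame(frame) {
  const fields = {};
  for (const line of frame.split("\n")) {
    if (line === "") break;
    const i = line.indexOf(":");
    const name = i === -1 ? line : line.slice(0, i);
    const value = i === -1 ? "" : line.slice(i + 1).replace(/^ /, "");
    if (name === "data") fields.data = fields.data === undefined ? value : `${fields.data}\n${value}`;
    else fields[name] = value;
  }
  return fields;
}

// Hardened: any CR or LF in a control field is an injection attempt, so the
// frame is never written. Reject rather than strip: silently dropping the
// newline would still emit an id the client later resumes from.
const CR_OR_LF = /[\r\n]/;
function formatEventSafe(fields) {
  for (const name of ["event", "id", "retry"]) {
    const v = fields[name];
    if (v !== undefined && CR_OR_LF.test(String(v))) {
      throw new RangeError(`SSE field "${name}" must not contain CR or LF`);
    }
  }
  return formatEventUnsafe(fields);
}

// Constructed attacker input: an id that smuggles a second "event:" line.
const HOSTILE_ID = "42\nevent: admin-broadcast";

function demo() {
  const seen = parseFrame(formatEventUnsafe({ data: "hello", event: "chat", id: HOSTILE_ID }));
  let rejected = false;
  try {
    formatEventSafe({ data: "hello", event: "chat", id: HOSTILE_ID });
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  // The forged line wins because it follows the legitimate "event: chat".
  return { unsafeEvent: seen.event, unsafeId: seen.id, rejected };
}
```

Running `demo()` shows the client dispatching an `admin-broadcast` event the server never intended to send, while the hardened serializer throws on the same input. Note that `data` is deliberately left multi-line: that is the one field the format is designed to split.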

Affected products

hono
  • ==< 4.12.4
Ignored packages (22)
Not present in nixpkgs
CVE-2026-29045
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    22 packages
    • libsForQt5.phonon
    • kdePackages.phonon
    • kdePackages.phonon-vlc
    • plasma5Packages.phonon
    • typstPackages.phonokit
    • python312Packages.phonopy
    • python313Packages.phonopy
    • python314Packages.phonopy
    • typstPackages.phonokit_0_0_1
    • typstPackages.phonokit_0_2_0
    • typstPackages.phonokit_0_3_0
    • typstPackages.phonokit_0_3_5
    • typstPackages.phonokit_0_3_6
    • typstPackages.phonokit_0_3_7
    • typstPackages.phonokit_0_4_0
    • libsForQt5.phonon-backend-vlc
    • python312Packages.pythonocc-core
    • python313Packages.pythonocc-core
    • python314Packages.pythonocc-core
    • plasma5Packages.phonon-backend-vlc
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
  • @LeSuisse dismissed
Hono: Arbitrary file access via serveStatic vulnerability

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
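The decoding mismatch described above, as an added example that is not Hono's code: a toy router/static pipeline that decodes the request path with `decodeURI` in its route guard and with `decodeURIComponent` in its file lookup, reproducing the `%2F` bypass, next to a variant that decodes consistently. The in-memory file table, the guard pattern and the fix applied here are this example's own assumptions, not necessarily the change Hono shipped.

```javascript
// Added example (not Hono's code): route-guard bypass via inconsistent decoding.
// Constructed static root: one public file, one under /admin/.
const STATIC_FILES = {
  "/public/index.html": "<h1>hello</h1>",
  "/admin/secret.txt": "TOP SECRET",
};

// app.use('/admin/*', auth) style guard: applies when the path sits under /admin/.
function guardApplies(pattern, path) {
  const prefix = pattern.slice(0, -1); // "/admin/*" -> "/admin/"
  return path.startsWith(prefix);
}

// The two decoders are injected so the same pipeline can be run both ways.
function routeRequest(rawPath, { routerDecode, staticDecode }) {
  let routerPath, filePath;
  try {
    routerPath = routerDecode(rawPath);
    filePath = staticDecode(rawPath);
  } catch (e) {
    // Malformed percent-encoding ("%E0%A4%A") makes both decoders throw
    // URIError; answer 400 rather than letting it fall through.
    return { status: 400, body: "bad request" };
  }
  if (guardApplies("/admin/*", routerPath)) return { status: 401, body: "auth required" };
  const body = STATIC_FILES[filePath];
  return body === undefined ? { status: 404, body: "not found" } : { status: 200, body };
}

// decodeURI leaves reserved characters such as %2F encoded, so the guard
// sees "/admin%2Fsecret.txt" and does not match, while decodeURIComponent
// turns the same request into "/admin/secret.txt" for the file lookup.
const VULNERABLE = { routerDecode: decodeURI, staticDecode: decodeURIComponent };
// Consistent decoding: both stages see the same path (assumed fix).
const FIXED = { routerDecode: decodeURIComponent, staticDecode: decodeURIComponent };

function demo() {
  return {
    plainVulnerable: routeRequest("/admin/secret.txt", VULNERABLE).status,
    encodedVulnerable: routeRequest("/admin%2Fsecret.txt", VULNERABLE).status,
    encodedFixed: routeRequest("/admin%2Fsecret.txt", FIXED).status,
    malformed: routeRequest("/admin/%E0%A4%A", FIXED).status,
    publicFile: routeRequest("/public/index.html", FIXED).status,
  };
}
```

`demo()` returns 401 for the plain admin path, 200 for the `%2F` variant through the vulnerable pair, and 401 again once both stages decode the same way. Decoding `%2F` into a separator is only one consistent choice; rejecting encoded separators outright is the other, and either is fine as long as the guard and the file lookup agree.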

Affected products

hono
  • ==< 4.12.4
Ignored packages (22)
Not present in nixpkgs
CVE-2026-29086
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    22 packages
    • libsForQt5.phonon
    • kdePackages.phonon
    • kdePackages.phonon-vlc
    • plasma5Packages.phonon
    • typstPackages.phonokit
    • python312Packages.phonopy
    • python313Packages.phonopy
    • python314Packages.phonopy
    • typstPackages.phonokit_0_0_1
    • typstPackages.phonokit_0_2_0
    • typstPackages.phonokit_0_3_0
    • typstPackages.phonokit_0_3_5
    • typstPackages.phonokit_0_3_6
    • typstPackages.phonokit_0_3_7
    • typstPackages.phonokit_0_4_0
    • libsForQt5.phonon-backend-vlc
    • python312Packages.pythonocc-core
    • python313Packages.pythonocc-core
    • python314Packages.pythonocc-core
    • plasma5Packages.phonon-backend-vlc
    • libsForQt5.phonon-backend-gstreamer
    • plasma5Packages.phonon-backend-gstreamer
  • @LeSuisse dismissed
Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
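The attribute injection described above, as an added example that is not Hono's code: a Set-Cookie serializer that trusts the `domain` and `path` options, a browser-style attribute split showing what a `;` in them injects, and a hardened serializer that refuses `;`, CR and LF. Function names and the attacker string are this example's own assumptions.

```javascript
// Added example (not Hono's code): Set-Cookie attribute injection and its fix.
function serializeCookieUnsafe(name, value, opts = {}) {
  let header = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain !== undefined) header += `; Domain=${opts.domain}`;
  if (opts.path !== undefined) header += `; Path=${opts.path}`;
  if (opts.secure) header += "; Secure";
  if (opts.httpOnly) header += "; HttpOnly";
  return header;
}

// What a cookie parser sees: the attribute names after the first ";".
function cookieAttributeNames(header) {
  return header.split(";").slice(1).map((a) => a.trim().split("=")[0].toLowerCase());
}

// Hardened: ";" would start a new attribute and CR/LF would end the header
// line, so neither may appear in domain or path. Reject, don't strip.
const COOKIE_ATTR_FORBIDDEN = /[;\r\n]/;
function serializeCookieSafe(name, value, opts = {}) {
  for (const key of ["domain", "path"]) {
    if (opts[key] !== undefined && COOKIE_ATTR_FORBIDDEN.test(String(opts[key]))) {
      throw new TypeError(`cookie option "${key}" contains ";" or a line break`);
    }
  }
  return serializeCookieUnsafe(name, value, opts);
}

// Constructed attacker-controlled path: appends Domain and SameSite
// attributes the application never set.
const HOSTILE_PATH = "/app; Domain=evil.example; SameSite=None";

function demo() {
  const injected = serializeCookieUnsafe("session", "abc", { path: HOSTILE_PATH, secure: true });
  let rejected = false;
  try {
    serializeCookieSafe("session", "abc", { path: HOSTILE_PATH, secure: true });
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { header: injected, attributes: cookieAttributeNames(injected), rejected };
}
```

With the unsafe serializer the header carries `Domain` and `SameSite` attributes chosen by the attacker; the hardened one throws. Node's `http` module rejects raw CR/LF in header values on its own, but a cookie helper should not rely on the transport for that, and `;` is not caught by the transport at all.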

Affected products

hono
  • ==< 4.12.4
Ignored packages (22)
Not present in nixpkgs
CVE-2025-62879
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • rancher
    • terraform-providers.rancher2
    • terraform-providers.rancher_rancher2
  • @LeSuisse dismissed
Rancher Backup Operator pod's logs leak S3 tokens

A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod's logs.
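A detection-side counterpart to the leak described above, as an added example that is not the backup-restore-operator's code: a scanner that flags S3 credentials written to pod logs and redacts them before the lines reach a log store. The log lines are constructed for the example; the `accessKey`/`secretKey` field names follow the advisory, while the line layout and the access-key-ID shape are assumptions.

```javascript
// Added example (not the backup-restore-operator's code): credential scanner
// for pod logs. Sample lines are constructed, not captured from the operator.
const SAMPLE_LOGS = [
  "INFO backup started name=nightly target=s3",
  'DEBUG s3 client config {"bucketName":"backups","accessKey":"AKIAEXAMPLE000000001","secretKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","endpoint":"s3.example"}',
  "INFO upload complete object=nightly.tar.gz",
];

// Two detectors: JSON-style key/value pairs for the two leaked fields, and
// bare AWS-style access key IDs (AKIA/ASIA + 16 uppercase alphanumerics,
// an assumed shape) in case a value is logged without its field name.
const JSON_CREDENTIAL = /"(accessKey|secretKey)"\s*:\s*"([^"]*)"/g;
const ACCESS_KEY_ID = /\b(AKIA|ASIA)[0-9A-Z]{16}\b/g;

function scanLine(line) {
  const findings = [];
  for (const m of line.matchAll(JSON_CREDENTIAL)) findings.push({ kind: "json-credential", field: m[1] });
  for (const m of line.matchAll(ACCESS_KEY_ID)) findings.push({ kind: "access-key-id", value: m[0] });
  return findings;
}

// Redact the value but keep the field name so the line stays useful for
// debugging. The JSON pass runs first, so the key ID inside it is already
// gone before the bare-ID pass.
function redactLine(line) {
  return line
    .replace(JSON_CREDENTIAL, '"$1":"[REDACTED]"')
    .replace(ACCESS_KEY_ID, "[REDACTED-ACCESS-KEY-ID]");
}

function scanLogs(lines) {
  const report = [];
  lines.forEach((line, i) => {
    const findings = scanLine(line);
    if (findings.length > 0) report.push({ lineNo: i + 1, findings, redacted: redactLine(line) });
  });
  return report;
}
```

`scanLogs(SAMPLE_LOGS)` reports the one config-dump line with three findings and returns it redacted. Redaction in the log pipeline is a safety net, not the fix: the operator should not serialize its S3 client configuration at debug level in the first place, and any key that has appeared in a log should be treated as exposed and rotated.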

Affected products

github.com/rancher/backup-restore-operator
  • <9.0.1
  • <8.1.2
  • <6.0.3
  • <7.0.5
Ignored packages (3)
Not present in nixpkgs
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    9 packages
    • lxd-ui
    • lxd-lts
    • lxd-image-server
    • lxd-unwrapped-lts
    • python312Packages.pylxd
    • python313Packages.pylxd
    • python314Packages.pylxd
    • terraform-providers.lxd
    • terraform-providers.terraform-lxd_lxd
  • @LeSuisse dismissed
Authorization Bypass in LXD GET /1.0/certificates Endpoint

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the LXD server.

Affected products

lxd
  • ==6.6
Ignored packages (9)

pkgs.lxd-ui

Web user interface for LXD

pkgs.lxd-lts

Daemon based on liblxc offering a REST API to manage containers

pkgs.lxd-unwrapped-lts

Daemon based on liblxc offering a REST API to manage containers

Not present in nixpkgs
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • speedify
    • hiddify-app
    • gomodifytags
    • haskellPackages.swizzle-modify
  • @LeSuisse dismissed
Dify - Stored XSS in chat

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.

Affected products

dify
  • ==< 1.11.2
Ignored packages (4)

pkgs.hiddify-app

Multi-platform auto-proxy client, supporting Sing-box, X-ray, TUIC, Hysteria, Reality, Trojan, SSH etc

Not present in nixpkgs
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    6 packages
    • typstPackages.efilrst
    • typstPackages.efilrst_0_1_0
    • typstPackages.efilrst_0_2_0
    • typstPackages.efilrst_0_3_0
    • typstPackages.efilrst_0_3_1
    • typstPackages.efilrst_0_3_2
  • @LeSuisse dismissed
An improper access control vulnerability has been discovered in OpenText™ Filr.

A missing authorization vulnerability in OpenText™ Filr allows authentication bypass. The vulnerability could allow unauthenticated users to obtain an XSRF token and perform RPC calls with carefully crafted programs. This issue affects Filr through 25.1.2.

Affected products

Filr
  • =<25.1.2
Ignored packages (6)
Not present in nixpkgs
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • perlPackages.HTTPRequestAsCGI
    • perl5Packages.HTTPRequestAsCGI
    • perl538Packages.HTTPRequestAsCGI
    • perl540Packages.HTTPRequestAsCGI
  • @LeSuisse dismissed
Application-user custom-defined accounts are not properly password-protected in Brocade ASCG 3.4.0

An authentication bypass in Brocade ASCG 3.4.0 could allow an unauthorized user to perform ASCG operations related to Brocade Support Link (BSL) and streaming configuration, and could even disable the ASCG application or disable the use of BSL data collection on Brocade switches within the fabric.

Affected products

ASCG
  • ==3.4.0
Ignored packages (4)
Not present in nixpkgs
CVE-2026-25906
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    9 packages
    • pngoptimizer
    • meshoptimizer
    • openorbitaloptimizer
    • haskellPackages.amazonka-compute-optimizer
    • python312Packages.mypy-boto3-compute-optimizer
    • python313Packages.mypy-boto3-compute-optimizer
    • python314Packages.mypy-boto3-compute-optimizer
    • python312Packages.types-aiobotocore-compute-optimizer
    • python313Packages.types-aiobotocore-compute-optimizer
  • @LeSuisse dismissed
Dell Optimizer, versions prior to 6.3.1, contain an Improper Link …

Dell Optimizer, versions prior to 6.3.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Affected products

Optimizer
  • <6.3.1.0
Ignored packages (9)
Not present in nixpkgs
updated 2 weeks, 4 days ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    39 packages
    • firefoxpwa
    • faust2firefox
    • firefox_decrypt
    • pkgsRocm.firefox
    • firefox-unwrapped
    • firefox-gnome-theme
    • firefox-sync-client
    • pkgsRocm.firefoxpwa
    • pkgsRocm.thunderbird
    • firefox-esr-unwrapped
    • pkgsRocm.firefox-beta
    • thunderbird-unwrapped
    • firefox-beta-unwrapped
    • pkgsRocm.firefox-mobile
    • firefox-esr-140-unwrapped
    • thunderbird-128-unwrapped
    • thunderbird-140-unwrapped
    • thunderbird-esr-unwrapped
    • pkgsRocm.firefox-unwrapped
    • pkgsRocm.firefox-devedition
    • pkgsRocm.thunderbird-latest
    • firefox-devedition-unwrapped
    • thunderbird-latest-unwrapped
    • pkgsRocm.thunderbird-unwrapped
    • pkgsRocm.firefox-beta-unwrapped
    • thunderbirdPackages.thunderbird
    • gnomeExtensions.firefox-profiles
    • roundcubePlugins.thunderbird_labels
    • thunderbirdPackages.thunderbird-128
    • thunderbirdPackages.thunderbird-140
    • thunderbirdPackages.thunderbird-esr
    • pkgsRocm.firefox-devedition-unwrapped
    • pkgsRocm.thunderbird-latest-unwrapped
    • thunderbirdPackages.thunderbird-latest
    • pkgsRocm.thunderbirdPackages.thunderbird
    • gnomeExtensions.firefox-pip-always-on-top
    • gnomeExtensions.pip-alwaysontop-for-firefox
    • pkgsRocm.thunderbirdPackages.thunderbird-latest
    • vscode-extensions.firefox-devtools.vscode-firefox-debug
  • @mweinelt dismissed
Spoofing issue in the WebAuthn component in Firefox for Android

Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects Firefox < 148 and Thunderbird < 148.

Affected products

Firefox
  • <148
Thunderbird
  • <148
Ignored packages (39)
Android only