Nixpkgs security tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-35473
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
WeGIA - Open Redirect - IentradaControle - listarId() - Unvalidated $_GET['nextPage']

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9.

Affected products

WeGIA
  • ==< 3.6.9

Matching in nixpkgs

Permalink CVE-2026-35399
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
WeGIA has Stored XSS in backup file names

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing actions on behalf of the user. This vulnerability is fixed in 3.6.9.

Affected products

WeGIA
  • ==< 3.6.9

Matching in nixpkgs

Permalink CVE-2026-34589
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

Affected products

openexr
  • ==>= 3.4.0, < 3.4.9
  • ==>= 3.2.0, < 3.2.7
  • ==>= 3.3.0, < 3.3.9

Matching in nixpkgs

pkgs.openexr

High dynamic-range (HDR) image file format

Package maintainers

Permalink CVE-2026-34779
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

Affected products

electron
  • ==>= 40.0.0-alpha.1, < 40.8.0
  • ==>= 41.0.0-alpha.1, < 41.0.0-beta.8
  • ==>= 39.0.0-alpha.1, < 39.8.1
  • ==< 38.8.6

Matching in nixpkgs

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail

Permalink CVE-2026-5659
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
pytries datrie trie File datrie.pyx Trie.__setstate__ deserialization

A vulnerability was found in pytries datrie up to 0.8.3. The affected element is the function Trie.load/Trie.read/Trie.__setstate__ of the file src/datrie.pyx of the component trie File Handler. The manipulation results in deserialization. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

datrie
  • ==0.8.2
  • ==0.8.3
  • ==0.8.0
  • ==0.8.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-35389
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Bulwark Webmail S/MIME signature verification accepted self-signed certificates

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: false). Any email signed with a self-signed or untrusted certificate was displayed as having a valid signature. This vulnerability is fixed in 1.4.11.

Affected products

webmail
  • ==< 1.4.11

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-26027
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
GLPI has an Unauthenticated Stored XSS via inventory

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Permalink CVE-2026-35166
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Hugo does not properly escape some Markdown links

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.

Affected products

hugo
  • ==>= 0.60.0, < 0.159.2

Matching in nixpkgs

Permalink CVE-2026-35459
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
pyLoad has SSRF fix bypass via HTTP redirect

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.

Affected products

pyload
  • ==<= 0.5.0b3.dev96

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-35474
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
WeGIA - Open Redirect - atualizacao redirection - Unvalidated $_GET['redirect']

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, open redirect has been found in WeGIA webapp. The redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header("Location: ...") call. This vulnerability is fixed in 3.6.9.

Affected products

WeGIA
  • ==< 3.6.9

Matching in nixpkgs