Nixpkgs security tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-31937
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
Suricata dcerpc: quadratic complexity in dcerpc buffering

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.

Affected products

suricata
  • ==< 7.0.15

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

Package maintainers

Permalink CVE-2026-34833
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
Bulwark Webmail: Information Exposure: password returned in /api/auth/session

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network proxie. This issue has been patched in version 1.4.10.

Affected products

webmail
  • ==< 1.4.10

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-34581
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
goshs has Auth Bypass via Share Token

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

Affected products

goshs
  • ==>= 1.1.0, < 2.0.0-beta.2

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

Package maintainers

Permalink CVE-2026-34598
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"

YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.

Affected products

yeswiki
  • ==< 4.6.0

Matching in nixpkgs

Permalink CVE-2026-32871
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.

Affected products

fastmcp
  • ==< 3.2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-5318
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
LibRaw JPEG DHT losslessjpeg.cpp initval out-of-bounds write

A weakness has been identified in LibRaw up to 0.22.0. This impacts the function HuffTable::initval of the file src/decompressors/losslessjpeg.cpp of the component JPEG DHT Parser. This manipulation of the argument bits[] causes out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 0.22.1 will fix this issue. Patch name: a6734e867b19d75367c05f872ac26322464e3995. It is advisable to upgrade the affected component.

Affected products

LibRaw
  • ==0.6
  • ==0.9
  • ==0.16
  • ==0.2
  • ==0.22.1
  • ==0.4
  • ==0.22.0
  • ==0.15
  • ==0.19
  • ==0.7
  • ==0.17
  • ==0.11
  • ==0.10
  • ==0.21
  • ==0.1
  • ==0.13
  • ==0.3
  • ==0.8
  • ==0.12
  • ==0.18
  • ==0.20
  • ==0.14
  • ==0.5

Matching in nixpkgs

pkgs.libraw

Library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others)

pkgs.libraw1394

Library providing direct access to the IEEE 1394 bus through the Linux 1394 subsystem's raw1394 user space interface

Permalink CVE-2026-34522
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
SillyTavern: Path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name. This issue has been patched in version 1.17.0.

Affected products

SillyTavern
  • ==< 1.17.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-34743
updated 1 month, 2 weeks ago by @pyrox0 Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @pyrox0 ignored
    22 packages
    • tests.pkg-config.defaultPkgConfigPackages.liblzma
    • home-assistant-custom-components.localtuya
    • tests.prefer-remote-fetch.fetchFromGitHub
    • typstPackages.exzellenz-tum-thesis_0_2_0
    • typstPackages.exzellenz-tum-thesis_0_1_0
    • tests.fetchNextcloudApp.simple-sha512
    • tests.fetchgit.dumb-http-signed-tag
    • typstPackages.exzellenz-tum-thesis
    • tests.fetchPypiLegacy.fetchSimple
    • tests.fetchpatch.fileWithSpace
    • tests.fetchDebianPatch.simple
    • python314Packages.python-xz
    • python313Packages.python-xz
    • python312Packages.python-xz
    • tests.fetchgit.simple-tag
    • python314Packages.txzmq
    • python313Packages.txzmq
    • python312Packages.txzmq
    • plymouth-proxzima-theme
    • matrix-zulip-bridge
    • xzoom
    • xzgv
    1 month, 2 weeks ago
XZ Utils: Buffer overflow in lzma_index_append()

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Affected products

xz
  • ==< 5.8.3

Matching in nixpkgs

pkgs.xz

General-purpose data compression software, successor of LZMA

pkgs.pixz

Parallel compressor/decompressor for xz format

Ignored packages (22)

pkgs.xzgv

Picture viewer for X with a thumbnail-based selector

pkgs.xzoom

X11 screen zoom tool

  • nixos-unstable 0.3
    • nixpkgs-unstable 0.3
    • nixos-unstable-small 0.3
  • nixos-25.11 0.3
    • nixos-25.11-small 0.3
    • nixpkgs-25.11-darwin 0.3
Permalink CVE-2026-34848
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
hoppscotch: Stored XSS in team member overflow tooltip via display name

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0.

Affected products

hoppscotch
  • ==< 2026.3.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-34828
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
listmonk: Active sessions remain valid after password reset and password change

listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.

Affected products

listmonk
  • ==>= 4.1.0, < 6.1.0

Matching in nixpkgs

pkgs.listmonk

High performance, self-hosted, newsletter and mailing list manager with a modern dashboard

Package maintainers