Nixpkgs security tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2025-52648
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
HCL AION is affected by a vulnerability where offering images …

HCL AION is affected by a vulnerability where offering images are not digitally signed. Lack of image signing may allow the use of unverified or tampered images, potentially leading to security risks such as integrity compromise or unintended behavior in the system

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2578
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579

References

Affected products

Mattermost
  • =<11.3.0
  • ==11.4.0
  • ==11.3.1

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2025-15587
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Credentials exposure in tinycontrol devices

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

Affected products

LK4
  • <1.38
LK3.9
  • <1.75
tcPDU
  • <1.36
Lan Kontroler v3.5
  • <1.67

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-24692
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Guest users can bypass read permissions via search API

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554

References

Affected products

Mattermost
  • =<10.11.10
  • =<11.3.0
  • =<11.2.2
  • ==11.4.0
  • ==11.3.1
  • ==11.2.3
  • ==10.11.11

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-21386
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Private channel enumeration via /mute slash command

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588

References

Affected products

Mattermost
  • =<10.11.10
  • =<11.3.0
  • =<11.2.2
  • ==11.4.0
  • ==11.3.1
  • ==11.2.3
  • ==10.11.11

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-2456
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Denial of Service via Unbounded Memory Allocation in Integration Actions

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button.. Mattermost Advisory ID: MMSA-2026-00571

References

Affected products

Mattermost
  • =<10.11.10
  • =<11.3.0
  • =<11.2.2
  • ==11.4.0
  • ==11.3.1
  • ==11.2.3
  • ==10.11.11

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-24458
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
DoS attack via login attempts with multi-megabyte passwords

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587

References

Affected products

Mattermost
  • =<10.11.10
  • =<11.3.0
  • =<11.2.2
  • ==11.4.0
  • ==11.3.1
  • ==11.2.3
  • ==10.11.11

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-4254
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow

A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Affected products

AC8
  • ==16.03.50.10
  • ==16.03.50.0
  • ==16.03.50.9
  • ==16.03.50.5
  • ==16.03.50.2
  • ==16.03.50.1
  • ==16.03.50.8
  • ==16.03.50.11
  • ==16.03.50.7
  • ==16.03.50.4
  • ==16.03.50.6
  • ==16.03.50.3

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2476
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
MS Teams plugin sensitive config values not properly masked in support packets

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

References

Affected products

Mattermost
  • ==2.3.1.0
  • =<2.0.3

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-2461
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Missing authorization check allows unauthorized modification of other users' comments on a board

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

References

Affected products

Mattermost
  • =<11.0.3
  • =<11.2.2
  • ==11.4.0
  • ==11.3.1
  • ==11.2.3
  • =<10.10.11
  • ==10.11.11

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers