Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2026-10124
7.4 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 16 hours ago Activity log
  • Created suggestion 16 hours ago
Shibby Tomato Zserv ripd rip_zebra_read_ipv4 stack-based overflow

A vulnerability was determined in Shibby Tomato up to 1.28. Affected is the function rip_zebra_read_ipv4 of the file /usr/sbin/ripd of the component Zserv Handler. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

Affected products

Tomato
  • ==1.3
  • ==1.13
  • ==1.16
  • ==1.4
  • ==1.22
  • ==1.14
  • ==1.6
  • ==1.19
  • ==1.7
  • ==1.24
  • ==1.15
  • ==1.26
  • ==1.23
  • ==1.12
  • ==1.8
  • ==1.20
  • ==1.5
  • ==1.27
  • ==1.17
  • ==1.18
  • ==1.2
  • ==1.9
  • ==1.1
  • ==1.10
  • ==1.21
  • ==1.28
  • ==1.25
  • ==1.0
  • ==1.11

Matching in nixpkgs

pkgs.cryptomator-cli

Command line program to access encrypted Cryptomator vaults

pkgs.haskellPackages.automaton

Effectful streams and automata in coalgebraic encoding

  • nixos-unstable 1.5
    • nixpkgs-unstable 1.5
    • nixos-unstable-small 1.5
  • nixos-25.11 1.5
    • nixos-25.11-small 1.5
    • nixpkgs-25.11-darwin 1.5

Package maintainers