Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: nnd

Found 3 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-40200
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 3 days, 23 hours ago
An issue was discovered in musl libc 0.7.10 through 1.2.6. …

An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).

Affected products

musl
  • =<1.2.6

Matching in nixpkgs

pkgs.musl

Efficient, small, quality libc implementation

pkgs.musl-fts

Implementation of fts(3) for musl-libc

pkgs.musl-obstack

Extraction of the obstack functions and macros from GNU libiberty for use with musl-libc

Untriaged
Permalink CVE-2026-26273
created 2 months ago
Known affected by Account Takeover via Password Reset Token Leakage

Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.

Affected products

known
  • ==< 1.6.3

Matching in nixpkgs

pkgs.nim

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

  • nixos-unstable -
    • nixpkgs-unstable 2.2.4
    • nixos-unstable-small 2.2.4
  • nixos-25.11 2.2.4
    • nixos-25.11-small 2.2.4
    • nixpkgs-25.11-darwin 2.2.4

pkgs.nim1

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim2

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim-1_0

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim-2_0

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim-2_2

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

  • nixos-unstable -
    • nixpkgs-unstable 2.2.4
    • nixos-unstable-small 2.2.4
  • nixos-25.11 2.2.4
    • nixos-25.11-small 2.2.4
    • nixpkgs-25.11-darwin 2.2.4

Package maintainers

Untriaged
Permalink CVE-2021-47908
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months, 1 week ago
Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions.

Affected products

Unknown
  • ==4.4

Matching in nixpkgs

pkgs.nim1

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim2

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim-2_0

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

Package maintainers