Nixpkgs security tracker

Suggestions search

With package: nomad-driver-podman

Found 3 matching suggestions

CVE-2026-7474
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 4 days ago
Activity log
  • Created suggestion
Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

Affected products

Nomad
  • <2.0.1
Nomad Enterprise
  • <2.0.1

Matching in nixpkgs

pkgs.nomad

Distributed, Highly Available, Datacenter-Aware Scheduler

pkgs.git-nomad

Synchronize work-in-progress git branches in a light weight fashion

pkgs.nomad_1_9

Distributed, Highly Available, Datacenter-Aware Scheduler

pkgs.nomad-pack

Nomad Pack is a templating and packaging tool used with HashiCorp Nomad

pkgs.nomad_1_11

Distributed, Highly Available, Datacenter-Aware Scheduler

CVE-2026-6959
6.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 2 weeks, 4 days ago
Activity log
  • Created suggestion
Nomad vulnerable to arbitrary file read/write on client host through symlink attack

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

Affected products

Nomad
  • <2.0.1
Nomad Enterprise
  • <2.0.1

Matching in nixpkgs

pkgs.nomad

Distributed, Highly Available, Datacenter-Aware Scheduler

pkgs.git-nomad

Synchronize work-in-progress git branches in a light weight fashion

pkgs.nomad_1_9

Distributed, Highly Available, Datacenter-Aware Scheduler

pkgs.nomad-pack

Nomad Pack is a templating and packaging tool used with HashiCorp Nomad

pkgs.nomad_1_11

Distributed, Highly Available, Datacenter-Aware Scheduler

created 1 month, 2 weeks ago
Activity log
  • Created suggestion
PowerShell Command Injection in Podman HyperV Machine

Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.

Affected products

podman
  • >= 4.8.0, < 5.8.2

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

pkgs.cockpit-podman

Cockpit UI for podman containers

  • nixos-unstable 124
  • nixpkgs-unstable 124
  • nixos-unstable-small 124