Nixpkgs security tracker

Permalink CVE-2026-10188

7.4 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 hours ago Activity log

Created suggestion 2 hours ago

Tenda W12 httpd cgistaKickOff stack-based overflow

A flaw has been found in Tenda W12 3.0.0.7(4763). This affects the function cgistaKickOff of the file /bin/httpd. Executing a manipulation of the argument staMac can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.

References

VDB-367469 | Tenda W12 httpd cgistaKickOff stack-based overflow technical-descriptionvdb-entry
VDB-367469 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
CVE-2026-10188 | CVE Analysis and Report third-party-advisory
Submit #820018 | Tenda W12 V3.0.0.7(4763) Stack-based Buffer Overflow third-party-advisory
http://cdn2.v50to.cc/Tenda%20W12%20cgistaKickOff%20overflow.zip exploit
https://www.tenda.com.cn/ product

Affected products

W12

==3.0.0.7(4763)

Matching in nixpkgs

pkgs.python312Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python313Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2
nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python314Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2

Package maintainers

@JamieMagee Jamie Magee <jamie.magee@gmail.com>

Permalink CVE-2026-10189

7.4 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 hours ago Activity log

Created suggestion 2 hours ago

Tenda W12 httpd cgiSysTimeInfoSet stack-based overflow

A vulnerability has been found in Tenda W12 3.0.0.7(4763). This vulnerability affects the function cgiSysTimeInfoSet of the file /bin/httpd. The manipulation of the argument sec leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

References

VDB-367470 | Tenda W12 httpd cgiSysTimeInfoSet stack-based overflow technical-descriptionvdb-entry
VDB-367470 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
CVE-2026-10189 | CVE Analysis and Report third-party-advisory
Submit #820021 | Tenda W12 V3.0.0.7(4763) stack third-party-advisory
http://cdn2.v50to.cc/cgiSysTimeInfoSet_overflow.zip exploit
https://www.tenda.com.cn/ product

Affected products

W12

==3.0.0.7(4763)

Matching in nixpkgs

pkgs.python312Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python313Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2
nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python314Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2

Package maintainers

@JamieMagee Jamie Magee <jamie.magee@gmail.com>

Permalink CVE-2026-10190

5.7 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 hours ago Activity log

Created suggestion 2 hours ago

Tenda W12 Web Management httpd cgiSysWebTimeoutSet denial of service

A vulnerability was found in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the argument web_over_time results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used.

References

VDB-367471 | Tenda W12 Web Management httpd cgiSysWebTimeoutSet denial of service technical-descriptionvdb-entry
VDB-367471 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
CVE-2026-10190 | CVE Analysis and Report third-party-advisory
Submit #820022 | Tenda W12 V3.0.0.7(4763) Denial of Service third-party-advisory
http://cdn2.v50to.cc/cgiSysWebTimeoutSet_dos.zip exploit
https://www.tenda.com.cn/ product

Affected products

W12

==3.0.0.7(4763)

Matching in nixpkgs

pkgs.python312Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python313Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2
nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python314Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2

Package maintainers

@JamieMagee Jamie Magee <jamie.magee@gmail.com>

Permalink CVE-2026-10191

7.4 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 hours ago Activity log

Created suggestion 2 hours ago

Tenda W12 httpd cgiWifiMacFilterSet stack-based overflow

A vulnerability was determined in Tenda W12 3.0.0.7(4763). Impacted is the function cgiWifiMacFilterSet of the file /bin/httpd. This manipulation of the argument wifiMacFilterSet.macList.mac causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

References

VDB-367472 | Tenda W12 httpd cgiWifiMacFilterSet stack-based overflow technical-descriptionvdb-entry
VDB-367472 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
CVE-2026-10191 | CVE Analysis and Report third-party-advisory
Submit #820023 | Tenda W12 V3.0.0.7(4763) Stack-based Buffer Overflow third-party-advisory
http://cdn2.v50to.cc/cgiWifiMacFilterSet_overflow.zip exploit
https://www.tenda.com.cn/ product

Affected products

W12

==3.0.0.7(4763)

Matching in nixpkgs

pkgs.python312Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python313Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2
nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python314Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2

Package maintainers

@JamieMagee Jamie Magee <jamie.magee@gmail.com>

Permalink CVE-2026-10192

7.4 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 hours ago Activity log

Created suggestion 2 hours ago

Tenda W12 httpd set_local_time_0 stack-based overflow

A vulnerability was identified in Tenda W12 3.0.0.7(4763). The affected element is the function set_local_time_0 of the file /bin/httpd. Such manipulation of the argument Time leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used.

References

VDB-367473 | Tenda W12 httpd set_local_time_0 stack-based overflow technical-descriptionvdb-entry
VDB-367473 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
CVE-2026-10192 | CVE Analysis and Report third-party-advisory
Submit #820024 | Tenda W12 V3.0.0.7(4763) Stack-based Buffer Overflow third-party-advisory
http://cdn2.v50to.cc/set_local_time_0_overflow.zip exploit
https://www.tenda.com.cn/ product

Affected products

W12

==3.0.0.7(4763)

Matching in nixpkgs

pkgs.python312Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python313Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2
nixos-25.11 lw12-0.9.2
- nixos-25.11-small lw12-0.9.2
- nixpkgs-25.11-darwin lw12-0.9.2

pkgs.python314Packages.lw12

Library to control the Lagute LW-12 WiFi LED controller

nixos-unstable lw12-0.9.2
- nixpkgs-unstable lw12-0.9.2
- nixos-unstable-small lw12-0.9.2

Package maintainers

@JamieMagee Jamie Magee <jamie.magee@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.lw12

pkgs.python313Packages.lw12

pkgs.python314Packages.lw12

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.lw12

pkgs.python313Packages.lw12

pkgs.python314Packages.lw12

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.lw12

pkgs.python313Packages.lw12

pkgs.python314Packages.lw12

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.lw12

pkgs.python313Packages.lw12

pkgs.python314Packages.lw12

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.lw12

pkgs.python313Packages.lw12

pkgs.python314Packages.lw12

Package maintainers