Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: python314Packages.jupyterhub-systemdspawner

Found 9 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-40864
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion 1 week, 3 days ago
JupyterHub: Cross-origin form POSTs bypass XSRF

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker's server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy.

Affected products

jupyterhub
  • ==>= 4.1.0, < 5.4.5

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-40225
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
In udev in systemd before 260, local root execution can …

In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.

Affected products

systemd
  • <260

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

pkgs.systemd

System and service manager for Linux

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable 235
    • nixpkgs-unstable 235
    • nixos-unstable-small 235
  • nixos-25.11 235
    • nixos-25.11-small 235
    • nixpkgs-25.11-darwin 235

pkgs.ocamlPackages.systemd

OCaml module for native access to the systemd facilities

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4

Package maintainers

Permalink CVE-2026-40226
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
In nspawn in systemd 233 through 259 before 260, an …

In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

Affected products

systemd
  • <260

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

pkgs.systemd

System and service manager for Linux

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable 235
    • nixpkgs-unstable 235
    • nixos-unstable-small 235
  • nixos-25.11 235
    • nixos-25.11-small 235
    • nixpkgs-25.11-darwin 235

pkgs.ocamlPackages.systemd

OCaml module for native access to the systemd facilities

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4

Package maintainers

Permalink CVE-2026-40227
6.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
In systemd 260 before 261, a local unprivileged user can …

In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.

Affected products

systemd
  • <261

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

pkgs.systemd

System and service manager for Linux

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable 235
    • nixpkgs-unstable 235
    • nixos-unstable-small 235
  • nixos-25.11 235
    • nixos-25.11-small 235
    • nixpkgs-25.11-darwin 235

pkgs.ocamlPackages.systemd

OCaml module for native access to the systemd facilities

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4

Package maintainers

Permalink CVE-2026-40224
6.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
In systemd 259 before 260, there is local privilege escalation …

In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.

Affected products

systemd
  • <260

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

pkgs.systemd

System and service manager for Linux

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable 235
    • nixpkgs-unstable 235
    • nixos-unstable-small 235
  • nixos-25.11 235
    • nixos-25.11-small 235
    • nixpkgs-25.11-darwin 235

pkgs.ocamlPackages.systemd

OCaml module for native access to the systemd facilities

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4

Package maintainers

Permalink CVE-2026-40228
2.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
In systemd 259, systemd-journald can send ANSI escape sequences to …

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

Affected products

systemd
  • ==259

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

pkgs.systemd

System and service manager for Linux

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable 235
    • nixpkgs-unstable 235
    • nixos-unstable-small 235
  • nixos-25.11 235
    • nixos-25.11-small 235
    • nixpkgs-25.11-darwin 235

pkgs.ocamlPackages.systemd

OCaml module for native access to the systemd facilities

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4

Package maintainers

Permalink CVE-2026-40223
4.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
In systemd 258 before 260, a local unprivileged user can …

In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.

Affected products

systemd
  • <260

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

pkgs.systemd

System and service manager for Linux

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable 235
    • nixpkgs-unstable 235
    • nixos-unstable-small 235
  • nixos-25.11 235
    • nixos-25.11-small 235
    • nixpkgs-25.11-darwin 235

pkgs.ocamlPackages.systemd

OCaml module for native access to the systemd facilities

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4

Package maintainers

Permalink CVE-2026-33709
created 1 month, 4 weeks ago Activity log
  • Created suggestion 1 month, 4 weeks ago
JupyterHub has an Open Redirect Vulnerability

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.

Affected products

jupyterhub
  • ==< 5.4.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-29111
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
systemd: Local unprivileged user can trigger an assert

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

Affected products

systemd
  • ==>= 258, < 258.5
  • ==>= 259, < 259.2
  • ==>= 239, < 257.11

Matching in nixpkgs

pkgs.udev

System and service manager for Linux

  • nixos-unstable 259
    • nixpkgs-unstable 259
    • nixos-unstable-small 259.3
  • nixos-25.11 258.3
    • nixos-25.11-small 258.3
    • nixpkgs-25.11-darwin 258.3

pkgs.systemd

System and service manager for Linux

  • nixos-unstable 259
    • nixpkgs-unstable 259
    • nixos-unstable-small 259.3
  • nixos-25.11 258.3
    • nixos-25.11-small 258.3
    • nixpkgs-25.11-darwin 258.3

pkgs.systemdLibs

System and service manager for Linux

  • nixos-unstable 259
    • nixpkgs-unstable 259
    • nixos-unstable-small 259.3
  • nixos-25.11 258.3
    • nixos-25.11-small 258.3
    • nixpkgs-25.11-darwin 258.3

pkgs.systemdUkify

System and service manager for Linux

  • nixos-unstable 259
    • nixpkgs-unstable 259
    • nixos-unstable-small 259.3
  • nixos-25.11 258.3
    • nixos-25.11-small 258.3
    • nixpkgs-25.11-darwin 258.3

pkgs.systemd-netlogd

Forwards messages from the journal to other hosts over the network

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

  • nixos-unstable 235
    • nixpkgs-unstable 235
    • nixos-unstable-small 235
  • nixos-25.11 235
    • nixos-25.11-small 235
    • nixpkgs-25.11-darwin 235

pkgs.ocamlPackages.systemd

OCaml module for native access to the systemd facilities

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

pkgs.update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus

pkgs.python313Packages.systemdunitparser

SystemdUnitParser is an extension to Python's configparser.RawConfigParser to properly parse systemd unit files

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4