Nixpkgs security tracker

Untriaged

Permalink CVE-2026-9038

8.6 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Physical (P)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): High (H)
Modified Attack Vector (MAV): Physical (P)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): High (H)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 2 days, 20 hours ago Activity log

Created suggestion 2 days, 20 hours ago

Stack-based buffer overflow in XCharge C6

A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges.

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 government-resource

Affected products

C6

<May_22_2026

Matching in nixpkgs

pkgs.cc65

C compiler for processors of 6502 family

nixos-unstable 2.19
- nixpkgs-unstable 2.19
- nixos-unstable-small 2.19
nixos-25.11 2.19
- nixos-25.11-small 2.19
- nixpkgs-25.11-darwin 2.19

pkgs.sc68

Atari ST and Amiga music player

nixos-unstable 2.2.1-unstable-2024-09-09
- nixpkgs-unstable 2.2.1-unstable-2024-09-09
- nixos-unstable-small 2.2.1-unstable-2024-09-09
nixos-25.11 2022-11-24
- nixos-25.11-small 2022-11-24
- nixpkgs-25.11-darwin 2022-11-24

pkgs.ndisc6

Small collection of useful tools for IPv6 networking

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-25.11 1.0.4
- nixos-25.11-small 1.0.4
- nixpkgs-25.11-darwin 1.0.4

pkgs.libiec61850

Open-source library for the IEC 61850 protocols

nixos-unstable 1.6.1
- nixpkgs-unstable 1.6.1
- nixos-unstable-small 1.6.1
nixos-25.11 1.6.1
- nixos-25.11-small 1.6.1
- nixpkgs-25.11-darwin 1.6.1

pkgs.libiec61883

None

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.c64-debugger

Commodore 64, Atari XL/XE and NES code and memory debugger that works in real time

nixos-unstable 0.64.58.6
- nixpkgs-unstable 0.64.58.6
- nixos-unstable-small 0.64.58.6
nixos-25.11 0.64.58.6
- nixos-25.11-small 0.64.58.6
- nixpkgs-25.11-darwin 0.64.58.6

pkgs.crc64fast-nvme

SIMD accelerated carryless-multiplication CRC-64/NVME checksum computation (based on Intel's PCLMULQDQ paper)

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

pkgs.vimpager-latest

Use Vim as PAGER

nixos-unstable a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixpkgs-unstable a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixos-unstable-small a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
nixos-25.11 a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixos-25.11-small a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixpkgs-25.11-darwin a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5

pkgs.akkuPackages.oleg

Libraries written by Oleg ported to Chez Scheme

nixos-unstable 0.0.0-akku.2.c682687
- nixpkgs-unstable 0.0.0-akku.2.c682687
- nixos-unstable-small 0.0.0-akku.2.c682687
nixos-25.11 0.0.0-akku.2.c682687
- nixos-25.11-small 0.0.0-akku.2.c682687
- nixpkgs-25.11-darwin 0.0.0-akku.2.c682687

pkgs.ibus-engines.bamboo

Vietnamese IME for IBus

nixos-unstable 0.8.4-rc6
- nixpkgs-unstable 0.8.4-rc6
- nixos-unstable-small 0.8.4-rc6
nixos-25.11 0.8.4-rc6
- nixos-25.11-small 0.8.4-rc6
- nixpkgs-25.11-darwin 0.8.4-rc6

pkgs.sbclPackages.iterate

None

nixos-25.11 b0f9a9c6-git
- nixos-25.11-small b0f9a9c6-git
- nixpkgs-25.11-darwin b0f9a9c6-git

pkgs.coreboot-toolchain.ppc64

Coreboot toolchain for ppc64 targets

nixos-unstable ppc64-25.12
- nixpkgs-unstable ppc64-26.03
- nixos-unstable-small ppc64-26.03
nixos-25.11 ppc64-25.03
- nixos-25.11-small ppc64-25.03
- nixpkgs-25.11-darwin ppc64-25.03

pkgs.akkuPackages.chez-sockets

Full Blown, portable, and extensible sockets library for Chez Scheme

nixos-unstable 0.0.0-akku.13.c3fc663.1
- nixpkgs-unstable 0.0.0-akku.13.c3fc663.1
- nixos-unstable-small 0.0.0-akku.13.c3fc663.1
nixos-25.11 0.0.0-akku.13.c3fc663.1
- nixos-25.11-small 0.0.0-akku.13.c3fc663.1
- nixpkgs-25.11-darwin 0.0.0-akku.13.c3fc663.1

pkgs.python312Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-25.11 rfc6555-0.1.0
- nixos-25.11-small rfc6555-0.1.0
- nixpkgs-25.11-darwin rfc6555-0.1.0

pkgs.python313Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-unstable rfc6555-0.1.0
- nixpkgs-unstable rfc6555-0.1.0
- nixos-unstable-small rfc6555-0.1.0
nixos-25.11 rfc6555-0.1.0
- nixos-25.11-small rfc6555-0.1.0
- nixpkgs-25.11-darwin rfc6555-0.1.0

pkgs.python314Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-unstable rfc6555-0.1.0
- nixpkgs-unstable rfc6555-0.1.0
- nixos-unstable-small rfc6555-0.1.0

pkgs.dhallPackages.dhall-kubernetes

None

nixos-unstable 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixpkgs-unstable 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixos-unstable-small 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
nixos-25.11 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixos-25.11-small 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixpkgs-25.11-darwin 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0

pkgs.python312Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-25.11 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-25.11-small 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-25.11-darwin 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.python313Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-unstable-small 26780de81b8c14d48fe8d757c642086f2af2a66b
nixos-25.11 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-25.11-small 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-25.11-darwin 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.python314Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-unstable-small 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.vimPlugins.nvim-treesitter-parsers.pod

Tree-sitter grammar for pod

nixos-unstable 0.0.0+rev=57c606a
- nixpkgs-unstable 0.0.0+rev=57c606a
- nixos-unstable-small 0.0.0+rev=57c606a

pkgs.vimPlugins.nvim-treesitter-parsers.vhs

Tree-sitter grammar for vhs

nixos-unstable 0.0.0+rev=0c6fae9
- nixpkgs-unstable 0.0.0+rev=0c6fae9
- nixos-unstable-small 0.0.0+rev=0c6fae9

pkgs.vimPlugins.nvim-treesitter-parsers.rasi

Tree-sitter grammar for rasi

nixos-unstable 0.0.0+rev=e735c68
- nixpkgs-unstable 0.0.0+rev=e735c68
- nixos-unstable-small 0.0.0+rev=e735c68

pkgs.vimPlugins.nvim-treesitter-parsers.scss

Tree-sitter grammar for scss

nixos-unstable 0.0.0+rev=c478c68
- nixpkgs-unstable 0.0.0+rev=c478c68
- nixos-unstable-small 0.0.0+rev=c478c68

pkgs.vimPlugins.nvim-treesitter-parsers.yuck

Tree-sitter grammar for yuck

nixos-unstable 0.0.0+rev=6c60112
- nixpkgs-unstable 0.0.0+rev=6c60112
- nixos-unstable-small 0.0.0+rev=6c60112

pkgs.vimPlugins.nvim-treesitter-parsers.templ

Tree-sitter grammar for templ

nixos-unstable 0.0.0+rev=1c6db04
- nixpkgs-unstable 0.0.0+rev=1c6db04
- nixos-unstable-small 0.0.0+rev=1c6db04

pkgs.vimPlugins.nvim-treesitter-parsers.scheme

Tree-sitter grammar for scheme

nixos-unstable 0.0.0+rev=c6cb7c7
- nixpkgs-unstable 0.0.0+rev=c6cb7c7
- nixos-unstable-small 0.0.0+rev=c6cb7c7

pkgs.androidenv.androidPkgs.all.packages.build-tools.v30_0_3

Android SDK tools, packaged in Nixpkgs

nixos-unstable tools_r30.0.3-macosx.zip
- nixpkgs-unstable tools_r30.0.3-macosx.zip
- nixos-unstable-small tools_r30.0.3-macosx.zip
nixos-25.11 tools_r30.0.3-macosx.zip
- nixos-25.11-small tools_r30.0.3-macosx.zip
- nixpkgs-25.11-darwin tools_r30.0.3-macosx.zip

pkgs.androidenv.androidPkgs.all.packages.build-tools.v32_0_0

Android SDK tools, packaged in Nixpkgs

nixos-unstable tools_r32-macosx.zip
- nixpkgs-unstable tools_r32-macosx.zip
- nixos-unstable-small tools_r32-macosx.zip
nixos-25.11 tools_r32-macosx.zip
- nixos-25.11-small tools_r32-macosx.zip
- nixpkgs-25.11-darwin tools_r32-macosx.zip

Package maintainers

@hadilq Hadi Lashkari Ghouchani <hadilq.dev@gmail.com>
@RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
@adrian-gierakowski Adrian Gierakowski <adrian.gierakowski@gmail.com>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@Detegr Antti Keränen <detegr@rbx.email>
@jmbaur Jared Baur <jaredbaur@fastmail.com>
@felixsinger Felix Singer <felixsinger@posteo.net>
@powwu powwu <hello@powwu.sh>
@stv0g Steffen Vogel <post@steffenvogel.de>
@PJungkamp Philipp Jungkamp <philipp@jungkamp.dev>
@weirdrock weirdrock <weirdrock@riseup.net>
@phryneas Lenz Weber <mail@lenzw.de>
@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@nagy Daniel Nagy <danielnagy@posteo.de>
@lukego Luke Gorrie <luke@snabb.co>
@Uthar Kasper Gałkowski <galkowskikasper@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@hraban Hraban Luyat <hraban@0brg.net>

Untriaged

Permalink CVE-2026-9039

8.6 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Physical (P)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): High (H)
Modified Attack Vector (MAV): Physical (P)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): High (H)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 2 days, 20 hours ago Activity log

Created suggestion 2 days, 20 hours ago

Initialization of a resource with an insecure default in XCharge C6

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 government-resource

Affected products

C6

<May_22_2026

Matching in nixpkgs

pkgs.cc65

C compiler for processors of 6502 family

nixos-unstable 2.19
- nixpkgs-unstable 2.19
- nixos-unstable-small 2.19
nixos-25.11 2.19
- nixos-25.11-small 2.19
- nixpkgs-25.11-darwin 2.19

pkgs.sc68

Atari ST and Amiga music player

nixos-unstable 2.2.1-unstable-2024-09-09
- nixpkgs-unstable 2.2.1-unstable-2024-09-09
- nixos-unstable-small 2.2.1-unstable-2024-09-09
nixos-25.11 2022-11-24
- nixos-25.11-small 2022-11-24
- nixpkgs-25.11-darwin 2022-11-24

pkgs.ndisc6

Small collection of useful tools for IPv6 networking

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-25.11 1.0.4
- nixos-25.11-small 1.0.4
- nixpkgs-25.11-darwin 1.0.4

pkgs.libiec61850

Open-source library for the IEC 61850 protocols

nixos-unstable 1.6.1
- nixpkgs-unstable 1.6.1
- nixos-unstable-small 1.6.1
nixos-25.11 1.6.1
- nixos-25.11-small 1.6.1
- nixpkgs-25.11-darwin 1.6.1

pkgs.libiec61883

None

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.c64-debugger

Commodore 64, Atari XL/XE and NES code and memory debugger that works in real time

nixos-unstable 0.64.58.6
- nixpkgs-unstable 0.64.58.6
- nixos-unstable-small 0.64.58.6
nixos-25.11 0.64.58.6
- nixos-25.11-small 0.64.58.6
- nixpkgs-25.11-darwin 0.64.58.6

pkgs.crc64fast-nvme

SIMD accelerated carryless-multiplication CRC-64/NVME checksum computation (based on Intel's PCLMULQDQ paper)

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

pkgs.vimpager-latest

Use Vim as PAGER

nixos-unstable a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixpkgs-unstable a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixos-unstable-small a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
nixos-25.11 a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixos-25.11-small a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixpkgs-25.11-darwin a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5

pkgs.akkuPackages.oleg

Libraries written by Oleg ported to Chez Scheme

nixos-unstable 0.0.0-akku.2.c682687
- nixpkgs-unstable 0.0.0-akku.2.c682687
- nixos-unstable-small 0.0.0-akku.2.c682687
nixos-25.11 0.0.0-akku.2.c682687
- nixos-25.11-small 0.0.0-akku.2.c682687
- nixpkgs-25.11-darwin 0.0.0-akku.2.c682687

pkgs.ibus-engines.bamboo

Vietnamese IME for IBus

nixos-unstable 0.8.4-rc6
- nixpkgs-unstable 0.8.4-rc6
- nixos-unstable-small 0.8.4-rc6
nixos-25.11 0.8.4-rc6
- nixos-25.11-small 0.8.4-rc6
- nixpkgs-25.11-darwin 0.8.4-rc6

pkgs.sbclPackages.iterate

None

nixos-25.11 b0f9a9c6-git
- nixos-25.11-small b0f9a9c6-git
- nixpkgs-25.11-darwin b0f9a9c6-git

pkgs.coreboot-toolchain.ppc64

Coreboot toolchain for ppc64 targets

nixos-unstable ppc64-25.12
- nixpkgs-unstable ppc64-26.03
- nixos-unstable-small ppc64-26.03
nixos-25.11 ppc64-25.03
- nixos-25.11-small ppc64-25.03
- nixpkgs-25.11-darwin ppc64-25.03

pkgs.akkuPackages.chez-sockets

Full Blown, portable, and extensible sockets library for Chez Scheme

nixos-unstable 0.0.0-akku.13.c3fc663.1
- nixpkgs-unstable 0.0.0-akku.13.c3fc663.1
- nixos-unstable-small 0.0.0-akku.13.c3fc663.1
nixos-25.11 0.0.0-akku.13.c3fc663.1
- nixos-25.11-small 0.0.0-akku.13.c3fc663.1
- nixpkgs-25.11-darwin 0.0.0-akku.13.c3fc663.1

pkgs.python312Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-25.11 rfc6555-0.1.0
- nixos-25.11-small rfc6555-0.1.0
- nixpkgs-25.11-darwin rfc6555-0.1.0

pkgs.python313Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-unstable rfc6555-0.1.0
- nixpkgs-unstable rfc6555-0.1.0
- nixos-unstable-small rfc6555-0.1.0
nixos-25.11 rfc6555-0.1.0
- nixos-25.11-small rfc6555-0.1.0
- nixpkgs-25.11-darwin rfc6555-0.1.0

pkgs.python314Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-unstable rfc6555-0.1.0
- nixpkgs-unstable rfc6555-0.1.0
- nixos-unstable-small rfc6555-0.1.0

pkgs.dhallPackages.dhall-kubernetes

None

nixos-unstable 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixpkgs-unstable 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixos-unstable-small 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
nixos-25.11 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixos-25.11-small 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixpkgs-25.11-darwin 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0

pkgs.python312Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-25.11 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-25.11-small 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-25.11-darwin 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.python313Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-unstable-small 26780de81b8c14d48fe8d757c642086f2af2a66b
nixos-25.11 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-25.11-small 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-25.11-darwin 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.python314Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-unstable-small 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.vimPlugins.nvim-treesitter-parsers.pod

Tree-sitter grammar for pod

nixos-unstable 0.0.0+rev=57c606a
- nixpkgs-unstable 0.0.0+rev=57c606a
- nixos-unstable-small 0.0.0+rev=57c606a

pkgs.vimPlugins.nvim-treesitter-parsers.vhs

Tree-sitter grammar for vhs

nixos-unstable 0.0.0+rev=0c6fae9
- nixpkgs-unstable 0.0.0+rev=0c6fae9
- nixos-unstable-small 0.0.0+rev=0c6fae9

pkgs.vimPlugins.nvim-treesitter-parsers.rasi

Tree-sitter grammar for rasi

nixos-unstable 0.0.0+rev=e735c68
- nixpkgs-unstable 0.0.0+rev=e735c68
- nixos-unstable-small 0.0.0+rev=e735c68

pkgs.vimPlugins.nvim-treesitter-parsers.scss

Tree-sitter grammar for scss

nixos-unstable 0.0.0+rev=c478c68
- nixpkgs-unstable 0.0.0+rev=c478c68
- nixos-unstable-small 0.0.0+rev=c478c68

pkgs.vimPlugins.nvim-treesitter-parsers.yuck

Tree-sitter grammar for yuck

nixos-unstable 0.0.0+rev=6c60112
- nixpkgs-unstable 0.0.0+rev=6c60112
- nixos-unstable-small 0.0.0+rev=6c60112

pkgs.vimPlugins.nvim-treesitter-parsers.templ

Tree-sitter grammar for templ

nixos-unstable 0.0.0+rev=1c6db04
- nixpkgs-unstable 0.0.0+rev=1c6db04
- nixos-unstable-small 0.0.0+rev=1c6db04

pkgs.vimPlugins.nvim-treesitter-parsers.scheme

Tree-sitter grammar for scheme

nixos-unstable 0.0.0+rev=c6cb7c7
- nixpkgs-unstable 0.0.0+rev=c6cb7c7
- nixos-unstable-small 0.0.0+rev=c6cb7c7

pkgs.androidenv.androidPkgs.all.packages.build-tools.v30_0_3

Android SDK tools, packaged in Nixpkgs

nixos-unstable tools_r30.0.3-macosx.zip
- nixpkgs-unstable tools_r30.0.3-macosx.zip
- nixos-unstable-small tools_r30.0.3-macosx.zip
nixos-25.11 tools_r30.0.3-macosx.zip
- nixos-25.11-small tools_r30.0.3-macosx.zip
- nixpkgs-25.11-darwin tools_r30.0.3-macosx.zip

pkgs.androidenv.androidPkgs.all.packages.build-tools.v32_0_0

Android SDK tools, packaged in Nixpkgs

nixos-unstable tools_r32-macosx.zip
- nixpkgs-unstable tools_r32-macosx.zip
- nixos-unstable-small tools_r32-macosx.zip
nixos-25.11 tools_r32-macosx.zip
- nixos-25.11-small tools_r32-macosx.zip
- nixpkgs-25.11-darwin tools_r32-macosx.zip

Package maintainers

@hadilq Hadi Lashkari Ghouchani <hadilq.dev@gmail.com>
@RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
@adrian-gierakowski Adrian Gierakowski <adrian.gierakowski@gmail.com>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@Detegr Antti Keränen <detegr@rbx.email>
@jmbaur Jared Baur <jaredbaur@fastmail.com>
@felixsinger Felix Singer <felixsinger@posteo.net>
@powwu powwu <hello@powwu.sh>
@stv0g Steffen Vogel <post@steffenvogel.de>
@PJungkamp Philipp Jungkamp <philipp@jungkamp.dev>
@weirdrock weirdrock <weirdrock@riseup.net>
@phryneas Lenz Weber <mail@lenzw.de>
@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@nagy Daniel Nagy <danielnagy@posteo.de>
@lukego Luke Gorrie <luke@snabb.co>
@Uthar Kasper Gałkowski <galkowskikasper@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@hraban Hraban Luyat <hraban@0brg.net>

Untriaged

Permalink CVE-2026-9037

9.3 CRITICAL

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 2 days, 20 hours ago Activity log

Created suggestion 2 days, 20 hours ago

Download of code without integrity check in XCharge C6

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 government-resource

Affected products

C6

<May_22_2026

Matching in nixpkgs

pkgs.cc65

C compiler for processors of 6502 family

nixos-unstable 2.19
- nixpkgs-unstable 2.19
- nixos-unstable-small 2.19
nixos-25.11 2.19
- nixos-25.11-small 2.19
- nixpkgs-25.11-darwin 2.19

pkgs.sc68

Atari ST and Amiga music player

nixos-unstable 2.2.1-unstable-2024-09-09
- nixpkgs-unstable 2.2.1-unstable-2024-09-09
- nixos-unstable-small 2.2.1-unstable-2024-09-09
nixos-25.11 2022-11-24
- nixos-25.11-small 2022-11-24
- nixpkgs-25.11-darwin 2022-11-24

pkgs.ndisc6

Small collection of useful tools for IPv6 networking

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-25.11 1.0.4
- nixos-25.11-small 1.0.4
- nixpkgs-25.11-darwin 1.0.4

pkgs.libiec61850

Open-source library for the IEC 61850 protocols

nixos-unstable 1.6.1
- nixpkgs-unstable 1.6.1
- nixos-unstable-small 1.6.1
nixos-25.11 1.6.1
- nixos-25.11-small 1.6.1
- nixpkgs-25.11-darwin 1.6.1

pkgs.libiec61883

None

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.c64-debugger

Commodore 64, Atari XL/XE and NES code and memory debugger that works in real time

nixos-unstable 0.64.58.6
- nixpkgs-unstable 0.64.58.6
- nixos-unstable-small 0.64.58.6
nixos-25.11 0.64.58.6
- nixos-25.11-small 0.64.58.6
- nixpkgs-25.11-darwin 0.64.58.6

pkgs.crc64fast-nvme

SIMD accelerated carryless-multiplication CRC-64/NVME checksum computation (based on Intel's PCLMULQDQ paper)

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

pkgs.vimpager-latest

Use Vim as PAGER

nixos-unstable a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixpkgs-unstable a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixos-unstable-small a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
nixos-25.11 a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixos-25.11-small a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5
- nixpkgs-25.11-darwin a4da4dfac44d1bbc6986c5c76fea45a60ebdd8e5

pkgs.akkuPackages.oleg

Libraries written by Oleg ported to Chez Scheme

nixos-unstable 0.0.0-akku.2.c682687
- nixpkgs-unstable 0.0.0-akku.2.c682687
- nixos-unstable-small 0.0.0-akku.2.c682687
nixos-25.11 0.0.0-akku.2.c682687
- nixos-25.11-small 0.0.0-akku.2.c682687
- nixpkgs-25.11-darwin 0.0.0-akku.2.c682687

pkgs.ibus-engines.bamboo

Vietnamese IME for IBus

nixos-unstable 0.8.4-rc6
- nixpkgs-unstable 0.8.4-rc6
- nixos-unstable-small 0.8.4-rc6
nixos-25.11 0.8.4-rc6
- nixos-25.11-small 0.8.4-rc6
- nixpkgs-25.11-darwin 0.8.4-rc6

pkgs.sbclPackages.iterate

None

nixos-25.11 b0f9a9c6-git
- nixos-25.11-small b0f9a9c6-git
- nixpkgs-25.11-darwin b0f9a9c6-git

pkgs.coreboot-toolchain.ppc64

Coreboot toolchain for ppc64 targets

nixos-unstable ppc64-25.12
- nixpkgs-unstable ppc64-26.03
- nixos-unstable-small ppc64-26.03
nixos-25.11 ppc64-25.03
- nixos-25.11-small ppc64-25.03
- nixpkgs-25.11-darwin ppc64-25.03

pkgs.akkuPackages.chez-sockets

Full Blown, portable, and extensible sockets library for Chez Scheme

nixos-unstable 0.0.0-akku.13.c3fc663.1
- nixpkgs-unstable 0.0.0-akku.13.c3fc663.1
- nixos-unstable-small 0.0.0-akku.13.c3fc663.1
nixos-25.11 0.0.0-akku.13.c3fc663.1
- nixos-25.11-small 0.0.0-akku.13.c3fc663.1
- nixpkgs-25.11-darwin 0.0.0-akku.13.c3fc663.1

pkgs.python312Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-25.11 rfc6555-0.1.0
- nixos-25.11-small rfc6555-0.1.0
- nixpkgs-25.11-darwin rfc6555-0.1.0

pkgs.python313Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-unstable rfc6555-0.1.0
- nixpkgs-unstable rfc6555-0.1.0
- nixos-unstable-small rfc6555-0.1.0
nixos-25.11 rfc6555-0.1.0
- nixos-25.11-small rfc6555-0.1.0
- nixpkgs-25.11-darwin rfc6555-0.1.0

pkgs.python314Packages.rfc6555

Python implementation of the Happy Eyeballs Algorithm

nixos-unstable rfc6555-0.1.0
- nixpkgs-unstable rfc6555-0.1.0
- nixos-unstable-small rfc6555-0.1.0

pkgs.dhallPackages.dhall-kubernetes

None

nixos-unstable 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixpkgs-unstable 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixos-unstable-small 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
nixos-25.11 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixos-25.11-small 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0
- nixpkgs-25.11-darwin 3.0.0-3c6d09a9409977cdde58a091d76a6d20509ca4b0

pkgs.python312Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-25.11 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-25.11-small 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-25.11-darwin 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.python313Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-unstable-small 26780de81b8c14d48fe8d757c642086f2af2a66b
nixos-25.11 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-25.11-small 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-25.11-darwin 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.python314Packages.steamworkspy

Python API system for Valve's Steamworks

nixos-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixpkgs-unstable 26780de81b8c14d48fe8d757c642086f2af2a66b
- nixos-unstable-small 26780de81b8c14d48fe8d757c642086f2af2a66b

pkgs.vimPlugins.nvim-treesitter-parsers.pod

Tree-sitter grammar for pod

nixos-unstable 0.0.0+rev=57c606a
- nixpkgs-unstable 0.0.0+rev=57c606a
- nixos-unstable-small 0.0.0+rev=57c606a

pkgs.vimPlugins.nvim-treesitter-parsers.vhs

Tree-sitter grammar for vhs

nixos-unstable 0.0.0+rev=0c6fae9
- nixpkgs-unstable 0.0.0+rev=0c6fae9
- nixos-unstable-small 0.0.0+rev=0c6fae9

pkgs.vimPlugins.nvim-treesitter-parsers.rasi

Tree-sitter grammar for rasi

nixos-unstable 0.0.0+rev=e735c68
- nixpkgs-unstable 0.0.0+rev=e735c68
- nixos-unstable-small 0.0.0+rev=e735c68

pkgs.vimPlugins.nvim-treesitter-parsers.scss

Tree-sitter grammar for scss

nixos-unstable 0.0.0+rev=c478c68
- nixpkgs-unstable 0.0.0+rev=c478c68
- nixos-unstable-small 0.0.0+rev=c478c68

pkgs.vimPlugins.nvim-treesitter-parsers.yuck

Tree-sitter grammar for yuck

nixos-unstable 0.0.0+rev=6c60112
- nixpkgs-unstable 0.0.0+rev=6c60112
- nixos-unstable-small 0.0.0+rev=6c60112

pkgs.vimPlugins.nvim-treesitter-parsers.templ

Tree-sitter grammar for templ

nixos-unstable 0.0.0+rev=1c6db04
- nixpkgs-unstable 0.0.0+rev=1c6db04
- nixos-unstable-small 0.0.0+rev=1c6db04

pkgs.vimPlugins.nvim-treesitter-parsers.scheme

Tree-sitter grammar for scheme

nixos-unstable 0.0.0+rev=c6cb7c7
- nixpkgs-unstable 0.0.0+rev=c6cb7c7
- nixos-unstable-small 0.0.0+rev=c6cb7c7

pkgs.androidenv.androidPkgs.all.packages.build-tools.v30_0_3

Android SDK tools, packaged in Nixpkgs

nixos-unstable tools_r30.0.3-macosx.zip
- nixpkgs-unstable tools_r30.0.3-macosx.zip
- nixos-unstable-small tools_r30.0.3-macosx.zip
nixos-25.11 tools_r30.0.3-macosx.zip
- nixos-25.11-small tools_r30.0.3-macosx.zip
- nixpkgs-25.11-darwin tools_r30.0.3-macosx.zip

pkgs.androidenv.androidPkgs.all.packages.build-tools.v32_0_0

Android SDK tools, packaged in Nixpkgs

nixos-unstable tools_r32-macosx.zip
- nixpkgs-unstable tools_r32-macosx.zip
- nixos-unstable-small tools_r32-macosx.zip
nixos-25.11 tools_r32-macosx.zip
- nixos-25.11-small tools_r32-macosx.zip
- nixpkgs-25.11-darwin tools_r32-macosx.zip

Package maintainers

@hadilq Hadi Lashkari Ghouchani <hadilq.dev@gmail.com>
@RossComputerGuy Tristan Ross <tristan.ross@midstall.com>
@adrian-gierakowski Adrian Gierakowski <adrian.gierakowski@gmail.com>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@numinit Morgan Jones <me+nixpkgs@numin.it>
@Detegr Antti Keränen <detegr@rbx.email>
@jmbaur Jared Baur <jaredbaur@fastmail.com>
@felixsinger Felix Singer <felixsinger@posteo.net>
@powwu powwu <hello@powwu.sh>
@stv0g Steffen Vogel <post@steffenvogel.de>
@PJungkamp Philipp Jungkamp <philipp@jungkamp.dev>
@weirdrock weirdrock <weirdrock@riseup.net>
@phryneas Lenz Weber <mail@lenzw.de>
@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@nagy Daniel Nagy <danielnagy@posteo.de>
@lukego Luke Gorrie <luke@snabb.co>
@Uthar Kasper Gałkowski <galkowskikasper@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@hraban Hraban Luyat <hraban@0brg.net>

Untriaged

Permalink CVE-2026-8265

2.0 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 weeks, 5 days ago Activity log

Created suggestion 2 weeks, 5 days ago

Tenda AC6 httpd getLogFile get_log_file os command injection

A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the function get_log_file of the file /goform/getLogFile of the component httpd. The manipulation of the argument wans.flag leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

References

VDB-362562 | Tenda AC6 httpd getLogFile get_log_file os command injection vdb-entrytechnical-description
VDB-362562 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #810076 | Tenda AC6 V2.0 (AC1206) Firmware V15.03.06.23 Command Injection via wans.flag third-party-advisory
https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing… exploit
https://www.tenda.com.cn/ product

Affected products

AC6

==15.03.06.23

Matching in nixpkgs

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

Package maintainers

@phryneas Lenz Weber <mail@lenzw.de>

Untriaged

Permalink CVE-2026-8263

2.0 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 weeks, 5 days ago Activity log

Created suggestion 2 weeks, 5 days ago

Tenda AC6 httpd WifiExtraSet fromSetWirelessRepeat os command injection

A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

References

VDB-362560 | Tenda AC6 httpd WifiExtraSet fromSetWirelessRepeat os command injection vdb-entrytechnical-description
VDB-362560 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #810074 | Tenda AC6 V2.0 (AC1206) Firmware V15.03.06.23 Command Injection via mac/ssid third-party-advisory
https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/fromSetWirelessRepeat.md exploit
https://www.tenda.com.cn/ product

Affected products

AC6

==15.03.06.49_multi_TDE01

Matching in nixpkgs

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

Package maintainers

@phryneas Lenz Weber <mail@lenzw.de>

Untriaged

Permalink CVE-2026-8259

2.0 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 weeks, 5 days ago Activity log

Created suggestion 2 weeks, 5 days ago

Tenda AC6 httpd telnet os command injection

A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

References

VDB-362556 | Tenda AC6 httpd telnet os command injection vdb-entrytechnical-description
VDB-362556 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #809877 | Tenda AC6 V2.0 (AC1206) Firmware V15.03.06.23 Command Injection third-party-advisory
https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing… exploit
https://www.tenda.com.cn/ product

Affected products

AC6

==2.0
==15.03.06.23

Matching in nixpkgs

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

Package maintainers

@phryneas Lenz Weber <mail@lenzw.de>

Untriaged

Permalink CVE-2026-8264

2.1 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 weeks, 5 days ago Activity log

Created suggestion 2 weeks, 5 days ago

Tenda AC6 httpd WifiApScan formWifiApScan os command injection

A weakness has been identified in Tenda AC6 15.03.06.23. Affected by this vulnerability is the function formWifiApScan of the file /goform/WifiApScan of the component httpd. Executing a manipulation of the argument wl2g.public.country/wl5g.public.country can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

References

VDB-362561 | Tenda AC6 httpd WifiApScan formWifiApScan os command injection vdb-entrytechnical-description
VDB-362561 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #810075 | Tenda AC6 V2.0 (AC1206) Firmware V15.03.06.23 Command Injection via country parameter third-party-advisory
https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing… exploit
https://www.tenda.com.cn/ product

Affected products

AC6

==15.03.06.23

Matching in nixpkgs

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

Package maintainers

@phryneas Lenz Weber <mail@lenzw.de>

Untriaged

Permalink CVE-2026-4960

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Exploit Code Maturity (E): Proof-of-Concept (P)
Remediation Level (RL): Not Defined (X)
Report Confidence (RC): Reasonable (R)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

created 2 months ago Activity log

Created suggestion 2 months ago

Tenda AC6 POST Request WizardHandle fromWizardHandle stack-based overflow

A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the argument WANT/WANS can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

References

VDB-353837 | Tenda AC6 POST Request WizardHandle fromWizardHandle stack-based overflow vdb-entrytechnical-description
VDB-353837 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #777616 | Tenda AC6 AC6 V1.0 V15.03.05.16 Buffer Overflow third-party-advisory
https://lavender-bicycle-a5a.notion.site/Tenda-AC6-WizardHandle-32053a41781f800… exploit
https://www.tenda.com.cn/ product

Affected products

AC6

==15.03.05.16

Matching in nixpkgs

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

pkgs.tests.haskell.upstreamStackHpackVersion

Test that the stack in Nixpkgs uses the same version of Hpack as the upstream stack release

Package maintainers

@phryneas Lenz Weber <mail@lenzw.de>
@cdepillabout Dennis Gosnell <cdep.illabout@gmail.com>

Untriaged

Permalink CVE-2026-4961

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Exploit Code Maturity (E): Proof-of-Concept (P)
Remediation Level (RL): Not Defined (X)
Report Confidence (RC): Reasonable (R)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

created 2 months ago Activity log

Created suggestion 2 months ago

Tenda AC6 POST Request QuickIndex formQuickIndex stack-based overflow

A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

References

VDB-353838 | Tenda AC6 POST Request QuickIndex formQuickIndex stack-based overflow vdb-entrytechnical-description
VDB-353838 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #777617 | Tenda AC6 AC6 V1.0 V15.03.05.16 Buffer Overflow third-party-advisory
https://lavender-bicycle-a5a.notion.site/Tenda-AC6-QuickIndex-32053a41781f80758… exploit
https://www.tenda.com.cn/ product

Affected products

AC6

==15.03.05.16

Matching in nixpkgs

pkgs.replay-node-cli

Time Travel Debugger for Web Development - Node Command Line

nixos-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-unstable 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-unstable-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
nixos-25.11 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixos-25.11-small 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c
- nixpkgs-25.11-darwin 0.1.7-20220726-bac6d66b5ca1-5b966f2f136c

pkgs.tests.haskell.upstreamStackHpackVersion

Test that the stack in Nixpkgs uses the same version of Hpack as the upstream stack release

Package maintainers

@phryneas Lenz Weber <mail@lenzw.de>
@cdepillabout Dennis Gosnell <cdep.illabout@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.cc65

pkgs.sc68

pkgs.ndisc6

pkgs.libiec61850

pkgs.libiec61883

pkgs.c64-debugger

pkgs.crc64fast-nvme

pkgs.replay-node-cli

pkgs.vimpager-latest

pkgs.akkuPackages.oleg

pkgs.ibus-engines.bamboo

pkgs.sbclPackages.iterate

pkgs.coreboot-toolchain.ppc64

pkgs.akkuPackages.chez-sockets

pkgs.python312Packages.rfc6555

pkgs.python313Packages.rfc6555

pkgs.python314Packages.rfc6555

pkgs.dhallPackages.dhall-kubernetes

pkgs.python312Packages.steamworkspy

pkgs.python313Packages.steamworkspy

pkgs.python314Packages.steamworkspy

pkgs.vimPlugins.nvim-treesitter-parsers.pod

pkgs.vimPlugins.nvim-treesitter-parsers.vhs

pkgs.vimPlugins.nvim-treesitter-parsers.rasi

pkgs.vimPlugins.nvim-treesitter-parsers.scss

pkgs.vimPlugins.nvim-treesitter-parsers.yuck

pkgs.vimPlugins.nvim-treesitter-parsers.templ

pkgs.vimPlugins.nvim-treesitter-parsers.scheme

pkgs.androidenv.androidPkgs.all.packages.build-tools.v30_0_3

pkgs.androidenv.androidPkgs.all.packages.build-tools.v32_0_0

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.cc65

pkgs.sc68

pkgs.ndisc6

pkgs.libiec61850

pkgs.libiec61883

pkgs.c64-debugger

pkgs.crc64fast-nvme

pkgs.replay-node-cli

pkgs.vimpager-latest

pkgs.akkuPackages.oleg

pkgs.ibus-engines.bamboo

pkgs.sbclPackages.iterate

pkgs.coreboot-toolchain.ppc64

pkgs.akkuPackages.chez-sockets

pkgs.python312Packages.rfc6555

pkgs.python313Packages.rfc6555

pkgs.python314Packages.rfc6555

pkgs.dhallPackages.dhall-kubernetes

pkgs.python312Packages.steamworkspy

pkgs.python313Packages.steamworkspy

pkgs.python314Packages.steamworkspy

pkgs.vimPlugins.nvim-treesitter-parsers.pod

pkgs.vimPlugins.nvim-treesitter-parsers.vhs

pkgs.vimPlugins.nvim-treesitter-parsers.rasi

pkgs.vimPlugins.nvim-treesitter-parsers.scss

pkgs.vimPlugins.nvim-treesitter-parsers.yuck

pkgs.vimPlugins.nvim-treesitter-parsers.templ

pkgs.vimPlugins.nvim-treesitter-parsers.scheme

pkgs.androidenv.androidPkgs.all.packages.build-tools.v30_0_3

pkgs.androidenv.androidPkgs.all.packages.build-tools.v32_0_0

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.cc65

pkgs.sc68

pkgs.ndisc6

pkgs.libiec61850

pkgs.libiec61883

pkgs.c64-debugger

pkgs.crc64fast-nvme

pkgs.replay-node-cli