Nixpkgs security tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

Dismissed
(exclusively hosted service)
created 20 hours ago
Remote Code Execution in Google Agent Development Kit (ADK)

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. This vulnerability was patched in versions 1.28.1 and 2.0.0a2. Customers need to redeploy the upgraded ADK to their production environments. In addition, if they are running ADK Web locally, they also need to upgrade their local instance.

Affected products

Agent Development Kit (ADK)
  • <1.28.1
  • <2.0.0a2
CVE-2026-34512
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 days, 13 hours ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint

OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.
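
The pattern described above, authentication without scope or ownership validation in front of an admin-level kill primitive, shown as an added example next to a hardened handler. This is not OpenClaw's code: the handler names, scope strings, sample users, sessions and tokens are hypothetical stand-ins, and the in-memory state is constructed for the demo.

```javascript
"use strict";
// Added example (not OpenClaw's code): a bearer-authenticated "kill session"
// route that never checks scope or ownership, beside a hardened version.
// Scope names, users, sessions and tokens below are hypothetical.

// Constructed sample state: who owns which session, what each token may do.
function makeSampleState() {
  return {
    sessions: new Map([
      ["sess-a1", { owner: "alice", status: "running" }],
      ["sess-b2", { owner: "bob", status: "running" }],
    ]),
    tokens: new Map([
      ["tok-alice", { user: "alice", scopes: ["sessions:kill"] }],
      ["tok-bob",   { user: "bob",   scopes: ["sessions:read"] }],
      ["tok-carol", { user: "carol", scopes: ["sessions:kill"] }],
      ["tok-ops",   { user: "ops",   scopes: ["sessions:kill", "operator:admin"] }],
    ]),
  };
}

// Minimal request object the handlers understand.
function request(token, sessionKey) {
  return { headers: { authorization: `Bearer ${token}` }, params: { sessionKey } };
}

// Authentication only: resolves a bearer token to a principal, or null.
function authenticate(state, headers) {
  const m = /^Bearer\s+(\S+)$/.exec(headers.authorization || "");
  return (m && state.tokens.get(m[1])) || null;
}

// Privileged primitive: terminates any session, no questions asked.
// Safe only if every caller has already authorized the request.
function killSubagentRunAdmin(state, sessionKey) {
  const s = state.sessions.get(sessionKey);
  if (!s) return false;
  s.status = "killed";
  return true;
}

// Vulnerable pattern: a valid bearer token is the only gate, so any
// authenticated user reaches the admin primitive against any session.
function killSessionVulnerable(state, req) {
  if (!authenticate(state, req.headers)) return { status: 401 };
  return killSubagentRunAdmin(state, req.params.sessionKey)
    ? { status: 200 }
    : { status: 404 };
}

// Hardened pattern: authenticate, then authorize on two axes before touching
// the admin primitive. The token must carry the kill scope, and the caller
// must own the session unless it holds an explicit operator scope.
function killSessionHardened(state, req) {
  const principal = authenticate(state, req.headers);
  if (!principal) return { status: 401 };
  if (!principal.scopes.includes("sessions:kill")) {
    return { status: 403, reason: "token lacks sessions:kill scope" };
  }
  const session = state.sessions.get(req.params.sessionKey);
  if (!session) return { status: 404 };
  const isOperator = principal.scopes.includes("operator:admin");
  if (!isOperator && session.owner !== principal.user) {
    return { status: 403, reason: "caller does not own this session" };
  }
  killSubagentRunAdmin(state, req.params.sessionKey);
  return { status: 200 };
}

// Demo: bob (no kill scope), carol (kill scope, not owner) and ops (operator)
// each try to kill alice's session under both handlers; fresh state per call.
for (const [name, handler] of [["vulnerable", killSessionVulnerable], ["hardened", killSessionHardened]]) {
  for (const tok of ["tok-bob", "tok-carol", "tok-ops"]) {
    const st = makeSampleState();
    console.log(name, tok, "-> sess-a1:", JSON.stringify(handler(st, request(tok, "sess-a1"))));
  }
}
```

The order of checks in the hardened handler is deliberate: the scope check runs before the session lookup so that a token without the kill scope learns nothing about which session keys exist, and the ownership/operator decision is made by the route, not by the admin primitive, which stays a dumb terminator that trusts its callers.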

Affected products

OpenClaw
  • ==2026.3.25
  • <2026.3.25

Matching in nixpkgs

Package maintainers

ddd
Dismissed
(exclusively hosted service)
CVE-2026-32186
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 week, 3 days ago
Microsoft Bing Elevation of Privilege Vulnerability

Microsoft Bing Elevation of Privilege Vulnerability

Affected products

Microsoft Bing
  • ==-
Dismissed
(exclusively hosted service)
CVE-2026-32211
9.1 CRITICAL
  • CVSS version: 3.1 (vector components not listed)
created 1 week, 4 days ago
Azure MCP Server Information Disclosure Vulnerability

Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network.

Affected products

Azure Web Apps
  • ==-
Dismissed
(exclusively hosted service)
CVE-2026-32213
10.0 CRITICAL
  • CVSS version: 3.1 (vector components not listed)
created 1 week, 4 days ago
Azure AI Foundry Elevation of Privilege Vulnerability

Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.

Affected products

Azure AI Foundry
  • ==-
Dismissed
(exclusively hosted service)
CVE-2026-26135
9.6 CRITICAL
  • CVSS version: 3.1 (vector components not listed)
created 1 week, 4 days ago
Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability

Server-side request forgery (SSRF) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.

Affected products

Azure Custom Locations Resource Provider
  • ==-
Dismissed
(exclusively hosted service)
CVE-2026-33105
10.0 CRITICAL
  • CVSS version: 3.1 (vector components not listed)
created 1 week, 4 days ago
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

Affected products

Azure Kubernetes Service
  • ==-
Dismissed
(exclusively hosted service)
CVE-2026-33107
10.0 CRITICAL
  • CVSS version: 3.1 (vector components not listed)
created 1 week, 4 days ago
Azure Databricks Elevation of Privilege Vulnerability

Server-side request forgery (SSRF) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.

Affected products

Azure Databricks
  • ==-
Dismissed
(exclusively hosted service)
CVE-2026-32173
8.6 HIGH
  • CVSS version: 3.1 (vector components not listed)
created 1 week, 4 days ago
Azure SRE Agent Information Disclosure Vulnerability

Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.

Affected products

Azure SRE Agent Gateway - SignalR Hub
  • ==-
Dismissed
(not in Nixpkgs)
CVE-2026-4541
2.5 LOW
  • CVSS version: 3.1 (vector components not listed)
updated 3 weeks, 1 day ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed (not in Nixpkgs)
janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification

A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended. If you want to get best quality of vulnerability data, you may have to visit VulDB.

Affected products

tinyssh
  • ==20260301
  • ==20250501

Matching in nixpkgs

Package maintainers