Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-50409
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Overlay Filter Information Disclosure Vulnerability

Exposure of sensitive information to an unauthorized actor in Windows Overlay Filter allows an authorized attacker to disclose information locally.

Affected products

Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-57982
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Use of uninitialized resource in Windows RDP allows an authorized attacker to disclose information over a network.

Affected products

Windows Server 2012
  • <6.2.9200.26226
Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows Server 2012 R2
  • <6.3.9600.23291
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26100.8875
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2012 (Server Core installation)
  • <6.2.9200.26226
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Windows Server 2012 R2 (Server Core installation)
  • <6.3.9600.23291
Dismissed
(no matching packages found)
Permalink CVE-2026-9292
8.4 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud - Stored Cross-Site Scripting

A Stored Cross-Site Scripting security issue exists within FactoryTalk® DataMosaix™ Private Cloud. The vulnerability stems from improper neutralization of user-supplied input within the Workflows configuration. An authenticated attacker with high privileges can inject malicious scripts that are permanently stored on the server. This vulnerability can result in the execution of malicious JavaScript when other users access the affected page, potentially allowing for account takeover, credential theft, or redirection to a malicious website.

Affected products

FactoryTalk® DataMosaix™ Private Cloud
  • ==Version 8.02 and below
Dismissed
(no matching packages found)
Permalink CVE-2026-58640
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows NTFS Remote Code Execution Vulnerability

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.

References

Affected products

Windows Server 2012
  • <6.2.9200.26226
Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows Server 2012 R2
  • <6.3.9600.23291
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 23H2
  • <10.0.22631.7376
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26100.8875
Windows 11 version 23H2
  • <10.0.22631.7376
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2012 (Server Core installation)
  • <6.2.9200.26226
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Windows Server 2012 R2 (Server Core installation)
  • <6.3.9600.23291
Dismissed
(no matching packages found)
Permalink CVE-2026-54108
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft SharePoint Server Spoofing Vulnerability

External control of file name or path in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

References

Affected products

Microsoft SharePoint Server 2019
  • <16.0.10417.20175
Microsoft SharePoint Enterprise Server 2016
  • <16.0.5561.1001
Microsoft SharePoint Server Subscription Edition
  • <16.0.19725.20434
Dismissed
(no matching packages found)
Permalink CVE-2025-11698
9.2 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): High (H)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
CompactLogix ®, ControlLogix ®, Compact GuardLogix ® and GuardLogix ® Buffer Overflow

A denial-of-service issue exists in 5380/5480/5580 controllers boot firmware lower than version 1.072. This vulnerability could potentially allow a malicious user to write invalid file data to the controller, causing the device to enter a major non-recoverable fault (MNRF).

Affected products

CompactLogix® 5380 Recovery Image Compact GuardLogix® 5380 Recovery Image CompactLogix® 5480 Recovery Image ControlLogix® 5580 Recovery Image GuardLogix® 5580 Recovery Image
  • ==Boot firmware versions before 1.072
Dismissed
(no matching packages found)
Permalink CVE-2026-50458
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft Brokering File System Elevation of Privilege Vulnerability

Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.

Affected products

Windows Server 2025
  • <10.0.26100.33158
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-54058
8.3 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Pillow: Out-of-bounds read via attacker-controlled row stride on Pillow's mmap path (McIdas AREA files)

Pillow is a Python imaging library. Prior to 12.3.0, when Pillow loads an uncompressed McIdas AREA image from a filename through the mmap raw codec path, attacker-controlled header words can set a row stride smaller than the natural row width, causing pixel access such as Image.tobytes(), getpixel, convert, or save to read beyond the mapped region and disclose adjacent process memory or fault. This issue is fixed in version 12.3.0.

Affected products

Pillow
  • ==< 12.3.0
Dismissed
(no matching packages found)
Permalink CVE-2026-50436
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Kernel Elevation of Privilege Vulnerability

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.

References

Affected products

Windows Server 2025
  • <10.0.26100.33158
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-10573
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 day, 2 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
1734 POINT I/OTM - Denial of Service via Malformed Inputs on CIP Object

A denial-of-service security issue exists in 1734 POINT I/O™ module. The security issue stems from improper handling of crafted CIP messages, which can cause the module to enter a faulted state. A restart is required to recover.

Affected products

1734 POINT I/O
  • ==3.023