Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-14609
2.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
SourceCodester CET Automated Grading System with AI Predictive Analytics session fixiation

A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This issue affects some unknown processing. The manipulation results in session fixiation. The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit is now public and may be used.

Affected products

CET Automated Grading System with AI Predictive Analytics
  • ==1.0
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
cross-origin Digest auth state leak

Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.

References

Affected products

curl
  • =<8.6.0
  • =<8.0.1
  • =<7.12.3
  • =<7.12.2
  • =<8.4.0
  • =<7.69.1
  • =<7.40.0
  • =<7.45.0
  • =<8.15.0
  • =<7.28.0
  • =<7.86.0
  • =<7.20.0
  • =<7.21.2
  • =<7.67.0
  • =<7.16.1
  • =<7.19.2
  • =<8.20.0
  • =<7.38.0
  • =<7.10.6
  • =<7.22.0
  • =<7.37.1
  • =<7.11.2
  • =<7.19.4
  • =<7.50.2
  • =<7.48.0
  • =<7.53.1
  • =<8.9.0
  • =<8.12.1
  • =<7.46.0
  • =<7.18.0
  • =<7.15.3
  • =<7.39.0
  • =<7.65.3
  • =<7.83.0
  • =<7.44.0
  • =<7.16.2
  • =<8.10.1
  • =<7.83.1
  • =<7.19.6
  • =<7.35.0
  • =<8.18.0
  • =<7.26.0
  • =<7.17.1
  • =<7.82.0
  • =<7.11.0
  • =<7.30.0
  • =<7.15.5
  • =<8.1.2
  • =<8.12.0
  • =<8.19.0
  • =<8.16.0
  • =<8.8.0
  • =<7.84.0
  • =<7.65.2
  • =<7.21.5
  • =<7.10.7
  • =<7.14.1
  • =<7.18.2
  • =<7.87.0
  • =<7.21.4
  • =<7.71.1
  • =<7.17.0
  • =<7.19.1
  • =<7.12.0
  • =<7.23.0
  • =<7.51.0
  • =<7.21.7
  • =<7.61.0
  • =<7.56.1
  • =<7.50.3
  • =<7.74.0
  • =<7.28.1
  • =<7.88.1
  • =<7.71.0
  • =<7.16.3
  • =<8.14.0
  • =<7.20.1
  • =<7.52.1
  • =<7.75.0
  • =<7.64.1
  • =<7.60.0
  • =<7.47.0
  • =<7.76.1
  • =<8.11.1
  • =<7.15.0
  • =<7.14.0
  • =<7.13.2
  • =<7.54.1
  • =<7.56.0
  • =<8.10.0
  • =<7.15.2
  • =<7.50.1
  • =<7.27.0
  • =<7.55.0
  • =<7.64.0
  • =<7.21.6
  • =<7.65.0
  • =<7.77.0
  • =<7.81.0
  • =<7.18.1
  • =<7.63.0
  • =<7.55.1
  • =<7.85.0
  • =<7.79.1
  • =<7.42.0
  • =<7.47.1
  • =<7.19.0
  • =<8.14.1
  • =<8.11.0
  • =<7.72.0
  • =<7.21.1
  • =<7.34.0
  • =<7.79.0
  • =<7.15.4
  • =<7.15.1
  • =<8.0.0
  • =<7.37.0
  • =<7.66.0
  • =<7.33.0
  • =<7.58.0
  • =<8.7.0
  • =<8.3.0
  • =<7.59.0
  • =<7.13.1
  • =<8.17.0
  • =<7.25.0
  • =<7.76.0
  • =<7.41.0
  • =<8.2.1
  • =<7.16.4
  • =<7.73.0
  • =<7.68.0
  • =<7.19.7
  • =<7.29.0
  • =<7.88.0
  • =<7.49.1
  • =<7.52.0
  • =<7.50.0
  • =<7.54.0
  • =<7.32.0
  • =<7.53.0
  • =<7.21.0
  • =<8.7.1
  • =<7.21.3
  • =<7.23.1
  • =<7.78.0
  • =<7.65.1
  • =<7.11.1
  • =<7.43.0
  • =<7.24.0
  • =<8.9.1
  • =<7.16.0
  • =<7.31.0
  • =<7.19.5
  • =<7.12.1
  • =<7.19.3
  • =<7.36.0
  • =<7.42.1
  • =<7.61.1
  • =<7.10.8
  • =<7.80.0
  • =<8.13.0
  • =<8.1.1
  • =<7.70.0
  • =<7.57.0
  • =<7.69.0
  • =<7.49.0
  • =<8.5.0
  • =<8.1.0
  • =<7.13.0
  • =<7.62.0
  • =<8.2.0
Dismissed
(no matching packages found)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
None

None

Affected products

Dismissed
(no matching packages found)
Permalink CVE-2026-14617
1.3 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
NousResearch hermes-agent Streaming Reasoning Tag Filter stream_consumer.py GatewayStreamConsumer._filter_and_accumulate case sensitivity

A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. The manipulation leads to improper handling of case sensitivity. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The project decided to not implement a dedicated fix: "[T]he analysis and the fix are both sound. It just lands below the bar for the maintenance cost of a duplicated scrub path."

Affected products

hermes-agent
  • ==2026.4.23
  • ==2026.4.15
  • ==2026.4.22
  • ==2026.4.11
  • ==2026.4.12
  • ==2026.4.18
  • ==2026.4.9
  • ==2026.4.21
  • ==2026.4.26
  • ==2026.4.6
  • ==2026.4.14
  • ==2026.4.0
  • ==2026.4.3
  • ==2026.4.25
  • ==2026.4.20
  • ==2026.4.5
  • ==2026.4.27
  • ==2026.4.19
  • ==2026.4.2
  • ==2026.4.10
  • ==2026.4.17
  • ==2026.4.8
  • ==2026.4.7
  • ==2026.4.29
  • ==2026.4.30
  • ==2026.4.24
  • ==2026.4.16
  • ==2026.4.13
  • ==2026.4.4
  • ==2026.4.28
  • ==2026.4.1
Dismissed
(no matching packages found)
Permalink CVE-2026-58294
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

Affected products

Microsoft Edge (Chromium-based)
  • <150.0.4078.48
Dismissed
(no matching packages found)
Permalink CVE-2026-58426
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

Affected products

Gitea Open Source Git Server
  • =<1.26.1
Dismissed
(no matching packages found)
Permalink CVE-2026-46468
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release …

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper link resolution before file access ('Link following') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information exposure.

Affected products

PowerProtect Data Domain
  • <8.6.1.20 or later
  • <7.13.1.80 or later
  • <8.8.0.0 or later
  • <8.3.1.40 or later
Dismissed
(no matching packages found)
Permalink CVE-2026-57992
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

Affected products

Microsoft Edge (Chromium-based)
  • <150.0.4078.48
Dismissed
(no matching packages found)
Permalink CVE-2026-57984
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

Affected products

Microsoft Edge (Chromium-based)
  • <150.0.4078.48
Dismissed
(no matching packages found)
Permalink CVE-2026-58298
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft Edge (Chromium-based) Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Affected products

Microsoft Edge (Chromium-based)
  • <150.0.4078.48