Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-41123
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release …

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in the RBAC. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to information tampering.

Affected products

PowerProtect Data Domain
  • <8.6.1.20 or later
  • <7.13.1.80 or later
  • <8.7.0.0 or later
  • <8.3.1.40 or later
Dismissed
(no matching packages found)
Permalink CVE-2026-49815
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release …

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special Elements used in an OS command ('OS command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to execution of arbitrary OS commands.

Affected products

PowerProtect Data Domain
  • <8.6.1.20 or later
  • <7.13.1.80 or later
  • <8.8.0.0 or later
  • <8.3.1.40 or later
Dismissed
(no matching packages found)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Gitea template repository generation mishandles symlinked paths

Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths.

Affected products

Gitea Open Source Git Server
  • <1.25.5
Dismissed
(no matching packages found)
Permalink CVE-2026-12960
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
An Improper Export of Android Application Components vulnerability in ASUS …

An Improper Export of Android Application Components vulnerability in ASUS Router App allows a third-party application on the same device to send a crafted Intent that causes ASUS Router App to open an specified URL. Refer to the ' Security Update for ASUS Router Android App ' section on the ASUS Security Advisory for more information.

Affected products

Router app
  • =<1.0.0.9.71
Dismissed
(no matching packages found)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Gitea tracked-time list endpoint has insufficient permission checks

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

Affected products

Gitea Open Source Git Server
  • <1.25.5
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
stale proxy password leak

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

References

Affected products

curl
  • =<8.14.0
  • =<8.9.0
  • =<8.15.0
  • =<8.14.1
  • =<8.12.1
  • =<8.12.0
  • =<8.11.1
  • =<8.20.0
  • =<8.19.0
  • =<8.17.0
  • =<8.10.0
  • =<8.10.1
  • =<8.9.1
  • =<8.8.0
  • =<8.13.0
  • =<8.18.0
  • =<8.16.0
  • =<8.11.0
Dismissed
(no matching packages found)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Gitea draft releases use insufficient permission checks

Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.

Affected products

Gitea Open Source Git Server
  • <1.25.5
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
trailing dot domain super cookie

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

References

Affected products

curl
  • =<8.2.0
  • =<7.71.1
  • =<7.50.1
  • =<7.56.0
  • =<7.72.0
  • =<7.68.0
  • =<7.64.0
  • =<7.64.1
  • =<7.63.0
  • =<7.76.0
  • =<7.59.0
  • =<8.6.0
  • =<7.74.0
  • =<7.58.0
  • =<8.1.2
  • =<7.67.0
  • =<7.48.0
  • =<8.15.0
  • =<7.65.1
  • =<7.54.1
  • =<7.55.0
  • =<7.77.0
  • =<8.7.1
  • =<8.11.0
  • =<7.79.1
  • =<7.83.1
  • =<8.16.0
  • =<7.66.0
  • =<8.12.1
  • =<7.46.0
  • =<8.10.0
  • =<7.62.0
  • =<7.53.0
  • =<8.18.0
  • =<7.51.0
  • =<7.61.1
  • =<7.76.1
  • =<7.49.0
  • =<7.73.0
  • =<7.75.0
  • =<8.14.0
  • =<8.20.0
  • =<7.70.0
  • =<8.5.0
  • =<7.65.2
  • =<8.8.0
  • =<7.79.0
  • =<8.4.0
  • =<7.88.0
  • =<8.12.0
  • =<7.50.3
  • =<8.0.1
  • =<8.2.1
  • =<7.52.0
  • =<7.53.1
  • =<8.13.0
  • =<7.47.1
  • =<7.82.0
  • =<7.65.3
  • =<7.47.0
  • =<7.69.0
  • =<8.3.0
  • =<8.0.0
  • =<7.84.0
  • =<7.65.0
  • =<7.78.0
  • =<7.85.0
  • =<7.81.0
  • =<7.60.0
  • =<7.52.1
  • =<7.57.0
  • =<8.1.1
  • =<8.14.1
  • =<7.50.0
  • =<8.19.0
  • =<7.55.1
  • =<8.9.1
  • =<7.87.0
  • =<7.88.1
  • =<7.50.2
  • =<8.9.0
  • =<8.11.1
  • =<7.71.0
  • =<8.17.0
  • =<8.1.0
  • =<8.10.1
  • =<7.61.0
  • =<7.69.1
  • =<7.54.0
  • =<7.83.0
  • =<7.80.0
  • =<7.86.0
  • =<7.56.1
  • =<7.49.1
  • =<8.7.0
Dismissed
(no matching packages found)
Permalink CVE-2026-10054
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
In affected versions of Eclipse Theia (1.8.1 and later), the …

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

Affected products

Eclipse Theia
  • <1.73.0
Dismissed
(no matching packages found)
Permalink CVE-2022-4989
8.5 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity …

** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to access unintended memory regions via crafted IOCTL requests, leading to privilege escalation.

Affected products

AI Suite 3
  • <v3.03.00