Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-50686
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows OLE Remote Code Execution Vulnerability

Access of resource using incompatible type ('type confusion') in Windows OLE allows an unauthorized attacker to execute code over a network.

References

Affected products

Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows Server 2012 R2
  • <6.3.9600.23291
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Windows Server 2012 R2 (Server Core installation)
  • <6.3.9600.23291
Dismissed
(no matching packages found)
Permalink CVE-2026-50303
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Key Guard Security Feature Bypass Vulnerability

Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.

Affected products

Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-49171
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Speech Runtime Elevation of Privilege Vulnerability

Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.

Affected products

Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26100.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-45304
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 3 hours ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.

Affected products

yaml
  • ==>= 8.0.0-BETA1, < 8.0.12
  • ==>= 6.0.0-BETA1, < 6.4.40
  • ==>= 7.0.0-BETA1, < 7.4.12
  • ==< 5.4.52
symfony
  • ==>= 8.0.0-BETA1, < 8.0.12
  • ==>= 6.0.0-BETA1, < 6.4.40
  • ==>= 7.0.0-BETA1, < 7.4.12
  • ==< 5.4.52
Dismissed
(no matching packages found)
Permalink CVE-2026-48338
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

ColdFusion is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.

Affected products

ColdFusion 2023
  • =<21
  • ==22
ColdFusion 2025
  • =<10
  • ==11
Dismissed
(no matching packages found)
Permalink CVE-2026-62657
4.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): Unreported (U)
  • Provider Urgency (U): Amber (Amber)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Certificate validation vulnerability in NETGEAR Gaming Router and certain Nighthawk models

A security flaw in the router's certificate validation process was discovered in the NETGEAR XR1000 Gaming Router and certain Nighthawk models that could allow an unauthorized person to remotely access and take control of the device.

Affected products

MR70
  • <V1.0.4.48
MS70
  • <V1.0.4.48
XR1000
  • <V1.0.2.86
RAXE500
  • <V1.2.14.114
Dismissed
(no matching packages found)
Permalink CVE-2026-50522
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft SharePoint Remote Code Execution Vulnerability

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.

Affected products

Microsoft SharePoint Server 2019
  • <16.0.10417.20175
Microsoft SharePoint Enterprise Server 2016
  • <16.0.5561.1001
Microsoft SharePoint Server Subscription Edition
  • <16.0.19725.20434
Dismissed
(no matching packages found)
Permalink CVE-2026-15265
9.4 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): High (H)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Tenable Agent Path Traversal Leading to Remote Code Execution

A path traversal vulnerability in Tenable Agent 11.2.0 and 11.1.3 and lower allows a privileged attacker to write arbitrary files outside the intended plugin directory, potentially leading to remote code execution.

References

Affected products

tenable_agent
  • =<11.1.3
  • ==11.2.0
Dismissed
(no matching packages found)
Permalink CVE-2026-58626
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Remote Desktop Services Remote Code Execution Vulnerability

Use after free in Windows Remote Desktop Services allows an authorized attacker to execute code over a network.

Affected products

Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26100.8875
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-55651
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 3 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Easy!Appointments Vulnerable to Appointments Takeover via Excessive Data Exposure

Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users. Using these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue.

Affected products

easyappointments
  • === 1.5.2