Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-50334
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Push Notification Information Disclosure Vulnerability

Exposure of sensitive information to an unauthorized actor in Windows Notification allows an authorized attacker to disclose information locally.

Affected products

Windows Server 2012
  • <6.2.9200.26226
Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows Server 2012 R2
  • <6.3.9600.23291
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2012 (Server Core installation)
  • <6.2.9200.26226
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Windows Server 2012 R2 (Server Core installation)
  • <6.3.9600.23291
Dismissed
(no matching packages found)
Permalink CVE-2026-47992
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Adobe Commerce is affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to execute malicious SQL commands, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction.

Affected products

Adobe Commerce
  • ==2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, 2.4.4-2026-jul
  • =<2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18
Adobe Commerce B2B
  • =<1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18
  • ==1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, 1.3.3-2026-jul
Magento Open Source
  • =<2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15
  • ==2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul
Adobe Commerce Webhooks Plugin
  • =<1.20.0
  • ==1.21.0
Dismissed
(no matching packages found)
Permalink CVE-2026-58542
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Media Remote Code Execution Vulnerability

Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.

References

Affected products

Windows Server 2025
  • <10.0.26100.33158
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26100.8875
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-47303
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
ASP.NET Core Elevation of Privilege Vulnerability

Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.

References

Affected products

.NET 8.0
  • <8.0.29
.NET 9.0
  • <9.0.18
.NET 10.0
  • <10.0.6
Microsoft Visual Studio 2026 version 18.7
  • <18.7.4
Microsoft Visual Studio 2022 version 17.12
  • <17.12.22
Microsoft Visual Studio 2022 version 17.14
  • <17.14.36
Dismissed
(no matching packages found)
Permalink CVE-2026-15622
5.5 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization

A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function get_workspace_file of the file executor_manager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument user_id can lead to authorization bypass. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 67fcc88505c57f77d3fcf04eb5b89425b10cbf48. Upgrading the affected component is recommended.

Affected products

poco-claw
  • ==0.5.4
  • ==0.5.3
  • ==0.5.2
  • ==0.5.1
  • ==0.5.0
Dismissed
(no matching packages found)
Permalink CVE-2026-24220
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual …

NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.

Affected products

TensorRT-LLM
  • =<v1.3.0 rc11
Dismissed
(no matching packages found)
Permalink CVE-2026-50340
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Runtime Elevation of Privilege Vulnerability

Use after free in Windows Runtime allows an authorized attacker to elevate privileges over a network.

Affected products

Windows Server 2025
  • <10.0.26100.33158
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-15389
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Inadequate access control in Sesame Time session management

A vulnerability relating to insufficient access control has been identified in the session management of the Sesame Time web application and its REST v3 API. The flaw lies in the fact that the system uses the session identifier (USID) as the sole validation mechanism, without verifying whether that identifier legitimately belongs to the user making the request. As a result, an attacker who obtains a valid USID can impersonate a victim’s session and access their confidential information, including emails, user IDs, roles and corporate data. This vulnerability is exacerbated by poor session lifecycle management: new logins generate additional USIDs without revoking the previous ones, allowing multiple active sessions to coexist and thereby expanding the attack surface.

Affected products

Sesame Time
  • *
Dismissed
(no matching packages found)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Apache Kylin: Improper authorization in job information retrieval

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kylin. Improper authorization in job information retrieval, where an attacker may get access to unauthorized jobs in other projects. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to upgrade to version 5.0.4, which fixes the issue.

Affected products

Apache Kylin
  • =<5.0.3
Dismissed
(no matching packages found)
Permalink CVE-2026-50679
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 9 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Search Service Elevation of Privilege Vulnerability

Heap-based buffer overflow in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally.

Affected products

Windows Server 2025
  • <10.0.26100.33158
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158