Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-49795
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Kernel Elevation of Privilege Vulnerability

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.

References

Affected products

Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-58546
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Remote Desktop Client Information Disclosure Vulnerability

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Affected products

Windows Server 2012
  • <6.2.9200.26226
Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows Server 2012 R2
  • <6.3.9600.23291
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26100.8875
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2012 (Server Core installation)
  • <6.2.9200.26226
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Windows Server 2012 R2 (Server Core installation)
  • <6.3.9600.23291
Dismissed
(exclusively hosted service)
Permalink CVE-2026-55010
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 19 hours ago Activity log
  • Created & dismissed (exclusively hosted service) suggestion
Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability

Heap-based buffer overflow in Minecraft Bedrock Dedicated Server allows an unauthorized attacker to execute code over a network.

Affected products

Minecraft Bedrock Dedicated Server
  • ==-
Dismissed
(no matching packages found)
Permalink CVE-2026-50504
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Remote Desktop Client Information Disclosure Vulnerability

Buffer over-read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.

Affected products

Windows Server 2012
  • <6.2.9200.26226
Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows Server 2012 R2
  • <6.3.9600.23291
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2012 (Server Core installation)
  • <6.2.9200.26226
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Windows Server 2012 R2 (Server Core installation)
  • <6.3.9600.23291
Dismissed
(no matching packages found)
Permalink CVE-2026-50354
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Kernel Elevation of Privilege Vulnerability

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.

References

Affected products

Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2269
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
Permalink CVE-2026-56192
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Microsoft Office Information Disclosure Vulnerability

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

Affected products

Microsoft Office 2016
  • <16.0.5561.1000
Microsoft Office 2019
  • <https://aka.ms/OfficeSecurityReleases
Microsoft Office LTSC 2021
  • <https://aka.ms/OfficeSecurityReleases
Microsoft Office LTSC 2024
  • <https://aka.ms/OfficeSecurityReleases
Microsoft Office 365 for Mac
  • <16.111.26071215
Microsoft SharePoint Server 2019
  • <16.0.10417.20175
Microsoft 365 Apps for Enterprise
  • <https://aka.ms/OfficeSecurityReleases
Microsoft Office LTSC for Mac 2021
  • <16.111.26071215
Microsoft Office LTSC for Mac 2024
  • <16.111.26071215
Microsoft SharePoint Enterprise Server 2016
  • <16.0.5561.1001
Microsoft SharePoint Server Subscription Edition
  • <16.0.19725.20434
Dismissed
(no matching packages found)
Permalink CVE-2026-58547
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability

Heap-based buffer overflow in Universal Plug and Play (upnp.dll) allows an authorized attacker to elevate privileges locally.

Affected products

Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26100.8875
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Dismissed
(no matching packages found)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
osTicket versions from 1.10 up to 1.17.7 and from 1.18.0 …

osTicket versions from 1.10 up to 1.17.7 and from 1.18.0 up to 1.18.3 are vulnerable to a stored XSS due to a vulnerable Bootstrap Tooltip component and insufficient HTML sanitization, allowing remote attackers to execute arbitrary JavaScript in Agent or Admin sessions.

Affected products

n/a
  • ==n/a
Dismissed
(no matching packages found)
Permalink CVE-2026-50324
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Active Directory Federation Services Denial of Service Vulnerability

Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.

Affected products

Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows Server 2012 R2
  • <6.3.9600.23291
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158
Windows Server 2012 R2 (Server Core installation)
  • <6.3.9600.23291
Dismissed
(no matching packages found)
Permalink CVE-2026-50357
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Exploit Code Maturity (E): Unproven (U)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 19 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Numeric truncation error in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally.

Affected products

Windows Server 2016
  • <10.0.14393.9339
Windows Server 2019
  • <10.0.17763.9020
Windows Server 2022
  • <10.0.20348.5386
Windows Server 2025
  • <10.0.26100.33158
Windows 10 Version 1607
  • <10.0.14393.9339
Windows 10 Version 1809
  • <10.0.17763.9020
Windows 10 Version 21H2
  • <10.0.19044.7548
Windows 10 Version 22H2
  • <10.0.19045.7548
Windows 11 Version 24H2
  • <10.0.26100.8875
Windows 11 Version 25H2
  • <10.0.26200.8875
Windows 11 version 26H1
  • <10.0.28000.2525
Windows Server 2016 (Server Core installation)
  • <10.0.14393.9339
Windows Server 2019 (Server Core installation)
  • <10.0.17763.9020
Windows Server 2025 (Server Core installation)
  • <10.0.26100.33158