Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-1629
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
Permalink Preview Information Disclosure After Permission Revocation

Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin.. Mattermost Advisory ID: MMSA-2026-00580

References

Affected products

Mattermost
  • =<10.11.10
  • ==10.11.11
  • ==11.4.0

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-24458
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month ago Activity log
  • Created suggestion 1 month ago
DoS attack via login attempts with multi-megabyte passwords

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587

References

Affected products

Mattermost
  • ==11.2.3
  • ==10.11.11
  • =<11.3.0
  • ==11.3.1
  • =<10.11.10
  • ==11.4.0
  • =<11.2.2

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-4253
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 1 month ago Activity log
  • Created suggestion 1 month ago
Tenda AC8 Web UploadCfg route_set_user_policy_rule os command injection

A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function route_set_user_policy_rule of the file /cgi-bin/UploadCfg of the component Web Interface. The manipulation of the argument wans.policy.list1 results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Affected products

AC8
  • ==16.03.50.11

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-69196
created 1 month ago Activity log
  • Created suggestion 1 month ago
FastMCP OAuth Proxy token reuse across MCP servers

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

Affected products

fastmcp
  • ==< 2.14.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-25780
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 1 month ago Activity log
  • Created suggestion 1 month ago
Memory Exhaustion via Malformed DOC File Upload

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Mattermost Advisory ID: MMSA-2026-00581

References

Affected products

Mattermost
  • ==11.2.3
  • ==10.11.11
  • =<11.3.0
  • ==11.3.1
  • =<10.11.10
  • ==11.4.0
  • =<11.2.2

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2025-52649
1.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature

HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature. Predictable identifiers may allow an attacker to infer or guess system-generated values, potentially leading to limited information disclosure or unintended access under specific conditions.

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-52646
2.2 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-52643
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month ago Activity log
  • Created suggestion 1 month ago
HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment

HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files.

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2463
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
Unauthorized access to invite ID during team creation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565

References

Affected products

Mattermost
  • ==11.2.3
  • ==10.11.11
  • =<11.3.0
  • ==11.3.1
  • =<10.11.10
  • ==11.4.0
  • =<11.2.2

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-2457
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
WebSocket Message Spoofing via Permalink Embed Manipulation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Mattermost Advisory ID: MMSA-2025-00569

References

Affected products

Mattermost
  • ==11.2.3
  • ==10.11.11
  • =<11.3.0
  • ==11.3.1
  • =<10.11.10
  • ==11.4.0
  • =<11.2.2

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers