Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2025-52645
1.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not include sufficient authenticity verification.

HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not include sufficient authenticity verification. This may allow the possibility of unverified or modified model artifacts being used, potentially leading to integrity concerns or unintended behaviour.

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-26304
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
Permission Bypass in Playbook Run Creation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542

References

Affected products

Mattermost
  • ==11.2.3
  • ==11.4.0
  • ==11.3.1
  • =<11.2.2
  • =<11.3.0

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2025-62319
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month ago Activity log
  • Created suggestion 1 month ago
Boolean-Based SQL Injection in Multiple Unica Components

Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.

Affected products

Unica
  • ==Version 25.1.1 and below

Matching in nixpkgs

pkgs.unicap

Universal video capture API

pkgs.gnomeExtensions.server-communicator

Send API requests to servers or mount them at a click of a button. Copies and shows response in a dialog.

  • nixos-unstable 6
    • nixpkgs-unstable 6
    • nixos-unstable-small 6
  • nixos-25.11 6
    • nixos-25.11-small 6
    • nixpkgs-25.11-darwin 6

Package maintainers

Permalink CVE-2026-2458
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
Unauthorized channel enumeration in private teams after member removal

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID: MMSA-2025-00568

References

Affected products

Mattermost
  • ==11.2.3
  • ==10.11.11
  • =<11.3.0
  • ==11.3.1
  • =<10.11.10
  • ==11.4.0
  • =<11.2.2

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2025-52636
1.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 1 month ago Activity log
  • Created suggestion 1 month ago
HCL AION is affected by a improper handling of uploads files Size

HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain scenarios.

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-52644
5.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
created 1 month ago Activity log
  • Created suggestion 1 month ago
HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged.

HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation processes.

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-26246
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 1 month ago Activity log
  • Created suggestion 1 month ago
Memory Exhaustion via Malformed PSD File Upload

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572

References

Affected products

Mattermost
  • ==10.11.11
  • ==11.2.3
  • =<10.11.10
  • ==11.3.1
  • =<11.2.2
  • ==11.4.0
  • =<11.3.0

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2025-52642
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
HCL AION is affected by an internal filesystem paths disloser vulnerability

HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour. Exposure of internal paths may reveal environment structure details which could potentially aid in further targeted attacks or information disclosure.

Affected products

AION
  • ==2.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-26230
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
Team Admin Privilege Escalation to Demote Members to Guest

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531

References

Affected products

Mattermost
  • ==11.4.0
  • =<10.11.10
  • ==10.11.11

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Permalink CVE-2026-4265
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
Guest user can upload files without permission across teams

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553

References

Affected products

Mattermost
  • ==10.11.11
  • ==11.2.3
  • =<10.11.10
  • ==11.4.0
  • =<11.2.2
  • ==11.3.1
  • =<11.3.0

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers