Nixpkgs security tracker

Automatically generated suggestions

CVE-2026-2313
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Use after free in CSS in Google Chrome prior to …

Use after free in CSS in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

CVE-2026-1456
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.

Affected products

GitLab
  • <18.8.4
  • <18.7.4

Matching in nixpkgs

pkgs.gitlab-duo

CLI for GitLab AI assistant

  • nixos-unstable -

pkgs.gitlab-kas

Kubernetes Agent (Gitlab side)

  • nixos-unstable -

pkgs.danger-gitlab

Gem that exists to ensure all dependencies are set up for Danger with GitLab

pkgs.gitlab-clippy

Convert clippy warnings into GitLab Code Quality report

CVE-2025-64487
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Outline is vulnerable to privilege escalation vulnerability in document sharing

Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This vulnerability is fixed in 1.1.0.

Affected products

outline
  • <= 1.0.1

Matching in nixpkgs

pkgs.outline

Fastest wiki and knowledge base for growing teams. Beautiful, feature rich, and markdown compatible

CVE-2025-14560
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into a vulnerability code flow.

Affected products

GitLab
  • <18.7.4
  • <18.8.4
  • <18.6.6

Matching in nixpkgs

pkgs.gitlab-duo

CLI for GitLab AI assistant

  • nixos-unstable -

pkgs.gitlab-kas

Kubernetes Agent (Gitlab side)

  • nixos-unstable -

pkgs.danger-gitlab

Gem that exists to ensure all dependencies are set up for Danger with GitLab

pkgs.gitlab-clippy

Convert clippy warnings into GitLab Code Quality report

CVE-2026-25633
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Statamic's missing authorization allows access to assets

Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.

Affected products

cms
  • >= 6.0.0-alpha.1, < 6.2.5
  • < 5.73.6

Matching in nixpkgs

pkgs.lcms1

Color management engine

  • nixos-unstable 1.19
    • nixpkgs-unstable 1.19
    • nixos-unstable-small 1.19
  • nixos-25.11 1.19
    • nixpkgs-25.11-darwin 1.19

pkgs.lcms2

Color management engine

  • nixos-unstable 2.17
    • nixpkgs-unstable 2.17
    • nixos-unstable-small 2.17
  • nixos-25.11 2.17
    • nixpkgs-25.11-darwin 2.17

pkgs.xcmsdb

Device Color Characterization utility for X Color Management System

pkgs.argyllcms

Color management system (compatible with ICC)

pkgs.pcmsolver

API for the Polarizable Continuum Model

CVE-2025-12073
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Server-Side Request Forgery (SSRF) in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.

Affected products

GitLab
  • <18.8.4
  • <18.7.4
  • <18.6.6

Matching in nixpkgs

pkgs.gitlab-duo

CLI for GitLab AI assistant

  • nixos-unstable -

pkgs.gitlab-kas

Kubernetes Agent (Gitlab side)

  • nixos-unstable -

pkgs.danger-gitlab

Gem that exists to ensure all dependencies are set up for Danger with GitLab

pkgs.gitlab-clippy

Convert clippy warnings into GitLab Code Quality report

CVE-2026-1387
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause denial of service by uploading a malicious file and repeatedly querying it through GraphQL.

Affected products

GitLab
  • <18.6.6
  • <18.7.4
  • <18.8.4

Matching in nixpkgs

pkgs.gitlab-duo

CLI for GitLab AI assistant

  • nixos-unstable -

pkgs.gitlab-kas

Kubernetes Agent (Gitlab side)

  • nixos-unstable -

pkgs.danger-gitlab

Gem that exists to ensure all dependencies are set up for Danger with GitLab

pkgs.gitlab-clippy

Convert clippy warnings into GitLab Code Quality report

CVE-2026-2314
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 1 week ago
Activity log:
  • Created suggestion
Heap buffer overflow in Codecs in Google Chrome prior to …

Heap buffer overflow in Codecs in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

CVE-2025-15569
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 2 months, 1 week ago by @fricklerhandwerk
Activity log:
  • Created suggestion
  • @fricklerhandwerk ignored package python314Packages.pymupdf-fonts
Artifex MuPDF win_main.c get_system_dpi uncontrolled search path

A flaw has been found in Artifex MuPDF up to 1.26.1 on Windows. The affected element is the function get_system_dpi in the file platform/x11/win_main.c. The manipulation results in an uncontrolled search path. The attack requires local access and is considered to have high complexity; exploitability is regarded as difficult. Upgrading to version 1.26.2 is sufficient to resolve this issue. Patch name: ebb125334eb007d64e579204af3c264aadf2e244. Upgrading the affected component is recommended.

Affected products

MuPDF
  • ==1.26.0
  • ==1.26.2
  • ==1.26.1

Matching in nixpkgs

pkgs.mupdf

Lightweight PDF, XPS, and E-book viewer and toolkit written in portable C

CVE-2025-15570
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months, 1 week ago
Activity log:
  • Created suggestion
ckolivas lrzip stream.c lzma_decompress_buf use after free

A vulnerability was found in ckolivas lrzip up to 0.651. It affects the function lzma_decompress_buf in the file stream.c. The manipulation results in a use after free. Local access is required. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

lrzip
  • ==0.651

Matching in nixpkgs

pkgs.lrzip

CK LRZIP compression program (LZMA + RZIP)