Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-25892
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.

Affected products

adminer
  • ==>= 4.6.2, < 5.4.2

Matching in nixpkgs

pkgs.adminer

Database management in a single PHP file

Package maintainers

Permalink CVE-2026-25916
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block …

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

Affected products

Webmail
  • <1.6.13
  • <1.5.13

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-25957
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request

Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.

Affected products

cube
  • ==>= 1.5.0, < 1.5.13
  • ==>= 1.1.17, < 1.4.2

Matching in nixpkgs

pkgs.pascube

Simple OpenGL spinning cube written in Pascal

  • nixos-unstable -
    • nixpkgs-unstable 1.5.1
    • nixos-unstable-small 1.5.1
  • nixos-25.11 1.5.1
    • nixpkgs-25.11-darwin 1.5.1

pkgs.musikcube

Terminal-based music player, library, and streaming audio server

pkgs.classicube

Lightweight, custom Minecraft Classic/ClassiCube client with optional additions written from scratch in C

pkgs.stm32cubemx

Graphical tool for configuring STM32 microcontrollers and microprocessors

pkgs.spacenav-cube-example

Example application to test the spacenavd driver

  • nixos-unstable 1.2
    • nixpkgs-unstable 1.2
    • nixos-unstable-small 1.2
  • nixos-25.11 1.2
    • nixpkgs-25.11-darwin 1.2

Package maintainers

Permalink CVE-2026-25958
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Cube privilege escalation via a specially crafted request

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.

Affected products

cube
  • ==>= 1.5.0, < 1.5.13
  • ==>= 1.1.0, < 1.4.2
  • ==>= 0.27.19, < 1.0.14

Matching in nixpkgs

pkgs.pascube

Simple OpenGL spinning cube written in Pascal

  • nixos-unstable -
    • nixpkgs-unstable 1.5.1
    • nixos-unstable-small 1.5.1
  • nixos-25.11 1.5.1
    • nixpkgs-25.11-darwin 1.5.1

pkgs.musikcube

Terminal-based music player, library, and streaming audio server

pkgs.classicube

Lightweight, custom Minecraft Classic/ClassiCube client with optional additions written from scratch in C

pkgs.stm32cubemx

Graphical tool for configuring STM32 microcontrollers and microprocessors

pkgs.spacenav-cube-example

Example application to test the spacenavd driver

  • nixos-unstable 1.2
    • nixpkgs-unstable 1.2
    • nixos-unstable-small 1.2
  • nixos-25.11 1.2
    • nixpkgs-25.11-darwin 1.2

Package maintainers

Permalink CVE-2025-27234
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Zabbix Agent 2 smartctl plugin RCE vulnerability in Zabbix 5.0.

Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows for remote code execution.

Affected products

Zabbix
  • =<5.0.46

Matching in nixpkgs

pkgs.zabbix.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix60.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix70.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix72.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix74.web

Enterprise-class open source distributed monitoring solution (web frontend)

pkgs.zabbix.agent2

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix60.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix70.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix72.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix74.agent

Enterprise-class open source distributed monitoring solution (client-side agent)

pkgs.zabbix.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix74.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

pkgs.zabbix74.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

Package maintainers

Permalink CVE-2026-2180
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Tenda RX3 fast_setting_wifi_set stack-based overflow

A vulnerability was identified in Tenda RX3 16.03.13.11. Affected is an unknown function of the file /goform/fast_setting_wifi_set. Such manipulation of the argument ssid_5g leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used.

Affected products

RX3
  • ==16.03.13.11

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2181
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Tenda RX3 openSchedWifi stack-based overflow

A security flaw has been discovered in Tenda RX3 16.03.13.11. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

Affected products

RX3
  • ==16.03.13.11

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2185
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Tenda RX3 MAC Filtering Configuration Endpoint setBlackRule set_device_name stack-based overflow

A flaw has been found in Tenda RX3 16.03.13.11. This issue affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. This manipulation of the argument devName/mac causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Affected products

RX3
  • ==16.03.13.11

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2186
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Tenda RX3 SetIpMacBind fromSetIpMacBind stack-based overflow

A vulnerability has been found in Tenda RX3 16.03.13.11. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

Affected products

RX3
  • ==16.03.13.11

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2187
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Tenda RX3 formSetQosBand set_qosMib_list stack-based overflow

A vulnerability was found in Tenda RX3 16.03.13.11. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Affected products

RX3
  • ==16.03.13.11

Matching in nixpkgs

Package maintainers