Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-22863
created 3 months ago
Deno node:crypto doesn't finalize cipher

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

Affected products

deno
  • ==< 2.6.0

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Package maintainers

Permalink CVE-2026-23527
8.9 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
created 3 months ago
Request Smuggling (TE.TE) in h3 v1

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.

Affected products

h3
  • ==< 1.15.5

Matching in nixpkgs

pkgs.h3_3

Hexagonal hierarchical geospatial indexing system

pkgs.h3_4

Hexagonal hierarchical geospatial indexing system

Package maintainers

Permalink CVE-2025-66417
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
GLPI has an unauthenticated SQL injection through the inventory endpoint

GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.3

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.15
    • nixpkgs-unstable 1.15
    • nixos-unstable-small 1.15
  • nixos-25.11 1.15
    • nixpkgs-25.11-darwin 1.15

Package maintainers

Permalink CVE-2023-7334
created 3 months ago
Changjetong T+ <= 16.x GetStoreWarehouseByStore Deserialization RCE

Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC).

Affected products

T+
  • =<16.x

Matching in nixpkgs

pkgs.itpp

IT++ is a C++ library of mathematical, signal processing and communication classes and functions

pkgs.nlojet

Implementation of calculation of the hadron jet cross sections

pkgs.websocketpp

C++/Boost Asio based websocket client/server library

Package maintainers

Permalink CVE-2026-0881
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Sandbox escape in the Messaging System component

Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147.

Affected products

Firefox
  • <147
Thunderbird
  • <147

Matching in nixpkgs

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-25.11 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Permalink CVE-2026-0884
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Use-after-free in the JavaScript Engine component

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7.

Affected products

Firefox
  • <147
Firefox ESR
  • <140.7
Thunderbird
  • <147
  • <140.7

Matching in nixpkgs

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-25.11 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Permalink CVE-2026-0892
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Memory safety bugs fixed in Firefox 147 and Thunderbird 147

Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147.

Affected products

Firefox
  • <147
Thunderbird
  • <147

Matching in nixpkgs

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-25.11 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Permalink CVE-2025-64516
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
GLPI incorrectly authorizes access to documents

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.3
  • ==>= 10.0.0, < 10.0.21

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.15
    • nixpkgs-unstable 1.15
    • nixos-unstable-small 1.15
  • nixos-25.11 1.15
    • nixpkgs-25.11-darwin 1.15

Package maintainers

Permalink CVE-2025-14327
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 3 months ago
Spoofing issue in the Downloads Panel component

Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146.

Affected products

Firefox
  • <146
Firefox ESR
  • <140.7
Thunderbird
  • <146
  • <140.7

Matching in nixpkgs

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-25.11 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Permalink CVE-2026-22862
created 3 months ago
go-ethereum has a DoS via malicious p2p message

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

Affected products

go-ethereum
  • ==< 1.16.8

Matching in nixpkgs

Package maintainers