Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-14801
4.8 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): Not Defined (X)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
GPAC TeXML File load_text.c txtin_probe_duration divide by zero

A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.

Affected products

GPAC
  • ==26.03-DEV-rev342-g80071f700-master

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
  • nixos-26.05 0.6
    • nixos-26.05-small 0.6
    • nixpkgs-26.05-darwin 0.6
Permalink CVE-2026-55514
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
vLLM denial of service via prompt embeds on M-RoPE models

vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is authorized to make a /v1/completions request can make such a request and induce a crash. This issue is fixed in version 0.24.0.

Affected products

vllm
  • ==>= 0.12.0, < 0.24.0

Matching in nixpkgs

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

Package maintainers

Permalink CVE-2026-21384
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion
Out-of-bounds Write in Camera Driver

Memory Corruption when updating prepared commands with invalid port indices based on user space input exceeds supported read client limits.

Affected products

Snapdragon
  • ==QAMSRV1H
  • ==Snapdragon 7 Gen 1 Mobile Platform
  • ==WSA8845H
  • ==Snapdragon XR2 5G Platform
  • ==FastConnect 7800
  • ==SXR2350P
  • ==SC8380XP
  • ==Snapdragon 460 Mobile Platform
  • ==SXR2330P
  • ==QCM4490
  • ==WCN3950
  • ==QXM1094
  • ==SM7435
  • ==QCA6595
  • ==QAM8255P
  • ==WCN7860
  • ==SA8770P
  • ==Snapdragon AR1 Gen 1 Platform
  • ==SA8620P
  • ==XRV9209
  • ==Snapdragon 4 Gen 2 Mobile Platform
  • ==WSA8815
  • ==QCS4490
  • ==WSA8845
  • ==WCD9375
  • ==Pandeiro
  • ==WSA8830
  • ==Snapdragon 662 Mobile Platform
  • ==WSA8810
  • ==Snapdragon XR2+ Gen 1 Platform
  • ==SD865 5G
  • ==QXM1095
  • ==QLN1086BD
  • ==WCN7881
  • ==Snapdragon 8 Elite
  • ==WCD9385
  • ==QXM1096
  • ==SRV1M
  • ==Snapdragon 6 Gen 3 Mobile Platform
  • ==WCD9380
  • ==QCM5430
  • ==QPA1086BD
  • ==QLN1083BD
  • ==Snapdragon 8 Gen 1 Mobile Platform
  • ==QCA6595AU
  • ==QCA6678AQ
  • ==WCN3988
  • ==WCN6755
  • ==LeMans_AU_LGIT
  • ==QCM6490
  • ==WSA8840
  • ==QAMSRV1M
  • ==QCS8550
  • ==QCA6698AU
  • ==SXR2230P
  • ==WCN7861
  • ==QPA1083BD
  • ==Snapdragon 6 Gen 1 Mobile Platform
  • ==SDR753
  • ==Qualcomm Video Collaboration VC3 Platform
  • ==SA7775P
  • ==LeMansAU
  • ==FastConnect 6700
  • ==QCA6698AQ
  • ==WSA8835
  • ==SA8255P
  • ==FastConnect 6900
  • ==WSA8832
  • ==SRV1H
  • ==QXM1093
  • ==SAR2130P
  • ==SD 8 Gen1 5G
  • ==XRV7209
  • ==SA9000P
  • ==QCA6797AQ
  • ==WCD9370
  • ==Netrani
  • ==QCM8838
  • ==SA7255P

Matching in nixpkgs

Permalink CVE-2026-59196
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion
pnpm: hoisted install imports lockfile alias outside node_modules

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fixed in 10.34.4 and 11.7.0.

Affected products

pnpm
  • ==< 10.34.4
  • ==>= 11.0.0, < 11.7.0

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Permalink CVE-2025-59615
6.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion
Use After Free in Computer Vision

Memory Corruption when invoking device input/output control operations for mapping and unmapping persistent memory buffers due to improper synchronization.

Affected products

Snapdragon
  • ==WSA8845H
  • ==WSA8845
  • ==Snapdragon XR2 5G Platform
  • ==FastConnect 7800
  • ==SXR2350P
  • ==Orne
  • ==SC8380XP
  • ==WSA8835
  • ==WCN3988
  • ==WCN6450
  • ==SM8845P
  • ==WSA8850
  • ==WCD9375
  • ==WCD9378
  • ==Snapdragon 8 Elite Gen 5
  • ==FastConnect 6900
  • ==Pandeiro
  • ==WCD9395
  • ==WSA8830
  • ==Snapdragon 662 Mobile Platform
  • ==Molokai
  • ==QCM6490
  • ==WSA8840
  • ==WSA8832
  • ==Snapdragon 460 Mobile Platform
  • ==QXM1093
  • ==QMP2001
  • ==SXR2230P
  • ==SXR2330P
  • ==WSA8810
  • ==Snapdragon XR2+ Gen 1 Platform
  • ==WSA8855C
  • ==XRV7209
  • ==WCN3950
  • ==WCN7861
  • ==WCN7760
  • ==WSA8850W
  • ==QXM1094
  • ==SD865 5G
  • ==QXM1095
  • ==WCD9370
  • ==WCN7880
  • ==WCN7881
  • ==QLN1086BD
  • ==QMP1000
  • ==WCN7860
  • ==QPA1083BD
  • ==Snapdragon AR1 Gen 1 Platform
  • ==WCD9385
  • ==SM6850
  • ==SXR2250P
  • ==QXM1096
  • ==Qualcomm Video Collaboration VC3 Platform
  • ==WCD9380
  • ==XRV9209
  • ==QCM5430
  • ==QPA1086BD
  • ==QLN1083BD
  • ==WSA8815
  • ==FastConnect 6700

Matching in nixpkgs

Permalink CVE-2026-55379
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 week, 3 days ago Activity log
  • Created suggestion
Pillow BdfFontFile`: `Image.new()` called without `_decompression_bomb_check()` — bomb protection bypass via font loading

Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf_char() read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new() without calling Image._decompression_bomb_check(), bypassing Pillow's documented decompression bomb protection and allowing excessive memory allocation. This issue is fixed in version 12.3.0.

Affected products

Pillow
  • ==< 12.3.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-55798
4.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion
Pillow: WindowsViewer.get_command() OS command injection via unescaped shell path

Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get_command() constructed a cmd.exe shell command by directly embedding a file path into an f-string without escaping and passed the result to subprocess.Popen(..., shell=True), allowing shell metacharacters in the file path to inject arbitrary cmd.exe commands. This issue is fixed in version 12.3.0.

Affected products

Pillow
  • ==< 12.3.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-14788
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
radareorg radare2 cfile.c r_core_bin_load use after free

A security vulnerability has been detected in radareorg radare2 up to 6.1.6. Affected by this vulnerability is the function r_core_bin_load of the file libr/core/cfile.c. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 635ab1eeb30340c26076722a90cb91fb2272130b. Applying a patch is advised to resolve this issue.

Affected products

radare2
  • ==6.1.2
  • ==6.1.5
  • ==6.1.6
  • ==6.1.1
  • ==6.1.4
  • ==6.1.0
  • ==6.1.3

Matching in nixpkgs

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

Package maintainers

Permalink CVE-2026-14787
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
radareorg radare2 pb Print cmd_print.inc cmd_print integer overflow

A weakness has been identified in radareorg radare2 up to 6.1.6. Affected is the function cmd_print in the library libr/core/cmd_print.inc of the component pb Print Command Handler. This manipulation causes integer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: 2b6265476c75567006b0fcbb749f4ae7b189c5df. It is recommended to apply a patch to fix this issue.

Affected products

radare2
  • ==6.1.2
  • ==6.1.5
  • ==6.1.6
  • ==6.1.1
  • ==6.1.4
  • ==6.1.0
  • ==6.1.3

Matching in nixpkgs

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

Package maintainers

Permalink CVE-2026-58403
5.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
Hugo symlink confinement bypass in os.ReadFile

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.

Affected products

hugo
  • ==>= 0.123.0, < 0.163.1

Matching in nixpkgs

Package maintainers