Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-21368
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion
Out-of-bounds Write in Camera Driver

Memory Corruption when parsing jpeg commands due to unaccounted extra writes to the buffer during validation checks.

Affected products

Snapdragon
  • ==Snapdragon 7 Gen 1 Mobile Platform
  • ==QAMSRV1H
  • ==WSA8845H
  • ==Snapdragon XR2 5G Platform
  • ==SM7525
  • ==FastConnect 7800
  • ==SXR2350P
  • ==SC8380XP
  • ==WCD9378
  • ==Snapdragon 460 Mobile Platform
  • ==SXR2330P
  • ==QCM4490
  • ==WCN3950
  • ==QXM1094
  • ==SM7435
  • ==QAM8255P
  • ==QCA6595
  • ==WCN7860
  • ==SA8770P
  • ==Snapdragon AR1 Gen 1 Platform
  • ==SA8620P
  • ==XRV9209
  • ==Snapdragon 4 Gen 2 Mobile Platform
  • ==WSA8815
  • ==QCS4490
  • ==WSA8845
  • ==WCD9375
  • ==Pandeiro
  • ==IQ9 Series Platform
  • ==WSA8830
  • ==Snapdragon 662 Mobile Platform
  • ==WSA8810
  • ==Snapdragon XR2+ Gen 1 Platform
  • ==SD865 5G
  • ==QXM1095
  • ==QLN1086BD
  • ==WCN7881
  • ==Snapdragon 8 Elite
  • ==WCD9385
  • ==QXM1096
  • ==SRV1M
  • ==Snapdragon 6 Gen 3 Mobile Platform
  • ==WCD9380
  • ==QPA1086BD
  • ==QLN1083BD
  • ==SM7550P
  • ==Snapdragon 8 Gen 1 Mobile Platform
  • ==Snapdragon 8+ Gen 2 Mobile Platform
  • ==QCA6595AU
  • ==QCA6678AQ
  • ==WCN3988
  • ==WCN6450
  • ==WCD9390
  • ==WCD9395
  • ==WCN6755
  • ==LeMans_AU_LGIT
  • ==WSA8840
  • ==QCS8550
  • ==QAMSRV1M
  • ==QCA6698AU
  • ==Snapdragon 8 Gen 2 Mobile Platform
  • ==SXR2230P
  • ==WCN7861
  • ==X1E80100
  • ==WCD9371
  • ==QPA1083BD
  • ==Snapdragon 6 Gen 1 Mobile Platform
  • ==SDR753
  • ==WCN6650
  • ==SA7775P
  • ==SM8550P
  • ==LeMansAU
  • ==FastConnect 6700
  • ==QCA6698AQ
  • ==WSA8835
  • ==SM7550
  • ==SA8255P
  • ==FastConnect 6900
  • ==G3x Gen 2
  • ==WSA8832
  • ==SRV1H
  • ==QXM1093
  • ==SAR2130P
  • ==SD 8 Gen1 5G
  • ==XRV7209
  • ==SA9000P
  • ==QCA6797AQ
  • ==WCD9370
  • ==Netrani
  • ==QCM8838
  • ==SA7255P

Matching in nixpkgs

Permalink CVE-2026-56810
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2. When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition. This issue affects mint: from 0.5.0 before 1.9.1.

Affected products

mint
  • <1.9.1
elixir-mint/mint
  • <193ce714907d16e8adc4ab3c40e4f0c2f045b2a6

Matching in nixpkgs

pkgs.garmintools

Provides the ability to communicate with the Garmin Forerunner 305 via the USB interface

  • nixos-unstable 0.10
    • nixpkgs-unstable 0.10
    • nixos-unstable-small 0.10
  • nixos-26.05 0.10
    • nixos-26.05-small 0.10
    • nixpkgs-26.05-darwin 0.10

pkgs.mint-themes

Mint-X and Mint-Y themes for the cinnamon desktop

pkgs.mint-x-icons

Mint/metal theme based on mintified versions of Clearlooks Revamp, Elementary and Faenza

pkgs.marwaita-mint

Variation for marwaita GTK theme based on linux mint color scheme

  • nixos-unstable 24
    • nixpkgs-unstable 24
    • nixos-unstable-small 24
  • nixos-26.05 24
    • nixos-26.05-small 24
    • nixpkgs-26.05-darwin 24

Package maintainers

Permalink CVE-2026-44937
8.3 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
SUSE Rancher Fleet had an Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components

Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the system.

Affected products

Fleet
  • <0.14.6
  • <0.13.11
  • <0.15.2
  • <0.12.15

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-21369
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion
Out-of-bounds Write in Camera Driver

Memory Corruption when handling flash commands due to outdated LED count values being used after userspace modification.

Affected products

Snapdragon
  • ==QAMSRV1H
  • ==WSA8845H
  • ==Snapdragon XR2 5G Platform
  • ==SM7525
  • ==FastConnect 7800
  • ==SXR2350P
  • ==SC8380XP
  • ==WCD9378
  • ==Kalpeni
  • ==WCN3910
  • ==Snapdragon 460 Mobile Platform
  • ==SXR2330P
  • ==SM6225P
  • ==QCM4490
  • ==WCN3950
  • ==QXM1094
  • ==SD662
  • ==QCA6595
  • ==QAM8255P
  • ==WCN7860
  • ==Snapdragon AR1 Gen 1 Platform
  • ==SA8770P
  • ==SA8620P
  • ==XRV9209
  • ==WSA8815
  • ==QCM2290
  • ==FastConnect 6200
  • ==QCS4490
  • ==WSA8845
  • ==Snapdragon Wear Elite platform
  • ==WCD9375
  • ==Pandeiro
  • ==IQ9 Series Platform
  • ==WSA8830
  • ==QCA8695AU
  • ==Snapdragon 662 Mobile Platform
  • ==Snapdragon 695 5G Mobile Platform
  • ==SA6155P
  • ==SA8195P
  • ==QCS4290
  • ==WSA8810
  • ==Snapdragon XR2+ Gen 1 Platform
  • ==SD865 5G
  • ==QXM1095
  • ==G1 Gen 1
  • ==QLN1086BD
  • ==WCN7881
  • ==SA8155P
  • ==Snapdragon 8 Elite
  • ==WCD9385
  • ==QXM1096
  • ==SRV1M
  • ==Snapdragon 680 4G Mobile Platform
  • ==WCD9380
  • ==QCM5430
  • ==QPA1086BD
  • ==QLN1083BD
  • ==SM7550P
  • ==SA8295P
  • ==Snapdragon 8+ Gen 2 Mobile Platform
  • ==WCN3988
  • ==WCN6450
  • ==WCD9390
  • ==WCD9395
  • ==WCN6755
  • ==LeMans_AU_LGIT
  • ==QCM6490
  • ==Snapdragon 4 Gen 1 Mobile Platform
  • ==Themisto
  • ==WSA8840
  • ==QAMSRV1M
  • ==Snapdragon 8 Gen 2 Mobile Platform
  • ==SXR2230P
  • ==WCN7861
  • ==X1E80100
  • ==WCD9371
  • ==QPA1083BD
  • ==SDR753
  • ==QCS2290
  • ==QCA6696
  • ==WCN6650
  • ==Qualcomm Video Collaboration VC3 Platform
  • ==SA7775P
  • ==SM8550P
  • ==LeMansAU
  • ==FastConnect 6700
  • ==QCA6698AQ
  • ==WSA8835
  • ==SM7550
  • ==SA8255P
  • ==FastConnect 6900
  • ==G3x Gen 2
  • ==QCA6574AU
  • ==WSA8832
  • ==SRV1H
  • ==QXM1093
  • ==QCM4325
  • ==Snapdragon 480+ 5G Mobile Platform
  • ==SAR2130P
  • ==XRV7209
  • ==SA9000P
  • ==QCA6797AQ
  • ==QAM8295P
  • ==Snapdragon 685 4G Mobile Platform
  • ==WCD9370
  • ==Snapdragon 480 5G Mobile Platform
  • ==QCA6688AQ
  • ==QCM8838
  • ==SA7255P

Matching in nixpkgs

Permalink CVE-2026-13698
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 week, 3 days ago Activity log
  • Created suggestion
A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 …

A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service

Affected products

OpenVPN
  • =<2.7.4
  • =<2.6.20
  • =<2.5.11

Matching in nixpkgs

pkgs.openvpn3

OpenVPN 3 Linux client

  • nixos-unstable 27
    • nixpkgs-unstable 27
    • nixos-unstable-small 27
  • nixos-26.05 27
    • nixos-26.05-small 27
    • nixpkgs-26.05-darwin 27

Package maintainers

Permalink CVE-2026-55646
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 week, 3 days ago Activity log
  • Created suggestion
vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit

vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB compressed upload size limit (default 25 MB) later in the speech-to-text preprocessing step, so an API caller who can reach those routes can submit an oversized multipart upload and cause vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large, creating memory pressure or terminating the process depending on deployment resource limits. This issue is fixed in version 0.24.0.

Affected products

vllm
  • ==>= 0.22.0, < 0.24.0

Matching in nixpkgs

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

Package maintainers

Permalink CVE-2026-21379
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 week, 3 days ago Activity log
  • Created suggestion
Buffer Over-read in Windows Compute

Memory Corruption when allocating memory with sizes that exceed the maximum allowed value.

Affected products

Snapdragon
  • ==Snapdragon 7c+ Gen 3 Compute
  • ==WSA8845H
  • ==FastConnect 6200
  • ==QCA0000
  • ==FastConnect 6800
  • ==WSA8845
  • ==FastConnect 7800
  • ==WCD9341
  • ==IQX7181
  • ==SC8380XP
  • ==WSA8835
  • ==WCD9375
  • ==FastConnect 6900
  • ==WSA8830
  • ==Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite"
  • ==Snapdragon 8cx Gen 2 5G Compute Platform "Poipu Pro"
  • ==QCM6490
  • ==Snapdragon 8cx Compute Platform
  • ==WSA8840
  • ==Snapdragon 8c Compute Platform "Poipu Lite"
  • ==XG101002
  • ==WSA8810
  • ==X2000077
  • ==Snapdragon 8cx Gen 3 Compute Platform
  • ==X2000086
  • ==Cologne
  • ==XG101032
  • ==WCD9340
  • ==QCA6430
  • ==WCD9370
  • ==Snapdragon 8cx Compute Platform "Poipu Pro"
  • ==X2000092
  • ==WCD9378C
  • ==WCD9385
  • ==QCA6391
  • ==Qualcomm Video Collaboration VC3 Platform
  • ==XG101039
  • ==WCD9380
  • ==X2000094
  • ==Snapdragon 8cx Gen 2 5G Compute Platform
  • ==QCM5430
  • ==X2000090
  • ==WSA8815
  • ==AQT1000
  • ==IQX5121
  • ==FastConnect 6700
  • ==QCA6420

Matching in nixpkgs

Permalink CVE-2026-54234
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 week, 3 days ago Activity log
  • Created suggestion
vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.

Affected products

vllm
  • ==< 0.24.0

Matching in nixpkgs

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

Package maintainers

Permalink CVE-2026-54059
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 week, 3 days ago Activity log
  • Created suggestion
Pillow: PcfFontFile._load_bitmaps()`: `Image.frombytes()` called without `_decompression_bomb_check()` — bomb protection bypass via PCF font loading

Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allowing crafted PCF font data to cause excessive memory allocation. This issue is fixed in version 12.3.0.

Affected products

Pillow
  • ==< 12.3.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-59195
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
created 1 week, 3 days ago Activity log
  • Created suggestion
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config

pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name. This vulnerability is fixed in 10.34.4 and 11.8.0.

Affected products

pnpm
  • ==< 10.34.4
  • ==>= 11.0.0, < 11.8.0

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers