CVE Tools

nixos

Operating Systemsoss-project

10

Cumulative CVEs

2

Monthly snapshots

#175

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting nixos.

CVE-2026-44029An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are ...5.3May 5, 2026
CVE-2026-44028An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine ...7.5May 5, 2026
CVE-2026-31431crypto: algif_aead - Revert to operating out-of-placeKEV7.8Apr 22, 2026
CVE-2026-39860Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination9.0Apr 8, 2026
CVE-2026-25137NixOs Odoo database and filestore publicly accessible with default odoo configuration9.1Feb 2, 2026
CVE-2025-64766NixOS has hardcoded credentials in Onlyoffice module5.3Nov 17, 2025
CVE-2025-54864Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins7.5Aug 12, 2025
CVE-2025-54800Hydra persistent XSS in build metrics6.1Aug 12, 2025
CVE-2025-53819Nix's privilege dropping to build user broke for macOS7.9Jul 14, 2025
CVE-2025-52993A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix be...5.6Jun 27, 2025
CVE-2025-52992The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sand...3.2Jun 27, 2025
CVE-2025-52991The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into ...3.2Jun 27, 2025
CVE-2025-46416The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix throug...2.9Jun 27, 2025
CVE-2025-46415A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.9...3.2Jun 27, 2025
CVE-2025-32435Hydra no restricted eval after nix-eval-jobs migration2.6Apr 15, 2025