The Haskell Security Advisory Database is a repository of security advisories filed against packages published via Hackage.
This listing is generated from the Haskell Security Advisory Database. Feel free to report new or historic security issues.
| Advisory ID | Package(s) | Summary |
|---|---|---|
| HSEC-2025-0006 | @hackage/x509-store, @hackage/crypton-x509-store | Private key leak via inherited file descriptor |
| HSEC-2025-0005 | @hackage/cabal-install | cabal-install dependency confusion |
| HSEC-2025-0004 | @hackage/spacecookie | Broken Path Sanitization in spacecookie Library |
| HSEC-2025-0003 | @hackage/xz-clib | Use after free in multithreaded lzma (.xz) decoder |
| HSEC-2025-0002 | @hackage/cryptonite, @hackage/crypton | Double Public Key Signing Function Oracle Attack on Ed25519 |
| HSEC-2025-0001 | ghc:ghc | Subword division operations may produce incorrect results |
| HSEC-2024-0009 | @hackage/biscuit-haskell | Public key confusion in third-party blocks |
| HSEC-2024-0008 | ghc:ghc | Sign extension error in the PPC64le FFI |
| HSEC-2024-0007 | ghc:ghc | Sign extension error in the AArch64 NCG |
| HSEC-2024-0006 | @hackage/base | fromIntegral: conversion error |
| HSEC-2024-0003 | @hackage/process | process: command injection via argument list on Windows |
| HSEC-2024-0002 | @hackage/bzlib, @hackage/bz2, @hackage/bzlib-conduit | Out-of-bounds write when there are many bzip2 selectors |
| HSEC-2024-0001 | @hackage/keter | Reflected XSS vulnerability in keter |
| HSEC-2023-0015 | @hackage/cabal-install | cabal-install uses expired key policies |
| HSEC-2023-0014 | @hackage/pandoc | Arbitrary file write is possible when using PDF output or --extract-media with untrusted input |
| HSEC-2023-0013 | @hackage/git-annex | git-annex plaintext storage of embedded credentials on encrypted remotes |
| HSEC-2023-0012 | @hackage/git-annex | git-annex checksum exposure to encrypted special remotes |
| HSEC-2023-0011 | @hackage/git-annex | git-annex GPG decryption attack via compromised remote |
| HSEC-2023-0010 | @hackage/git-annex | git-annex private data exfiltration to compromised remote |
| HSEC-2023-0009 | @hackage/git-annex | git-annex command injection via malicious SSH hostname |
| HSEC-2023-0008 | @hackage/hledger-web | Stored XSS in hledger-web |
| HSEC-2023-0007 | @hackage/base, @hackage/toml-reader | readFloat: memory exhaustion with large exponent |
| HSEC-2023-0006 | @hackage/x509-validation | x509-validation does not enforce pathLenConstraint |
| HSEC-2023-0005 | @hackage/tls-extra | tls-extra: certificate validation does not check Basic Constraints |
| HSEC-2023-0004 | @hackage/xml-conduit | xml-conduit unbounded entity expansion |
| HSEC-2023-0003 | @hackage/xmonad-contrib | code injection in xmonad-contrib |
| HSEC-2023-0002 | @hackage/biscuit-haskell | Improper Verification of Cryptographic Signature |
| HSEC-2023-0001 | @hackage/aeson | Hash flooding vulnerability in aeson |