Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0041
Moodle: password brute force risk when mobile/web services enabled
CVE-2025-62399
7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (modified/environmental metrics equal the base metrics)
Affected:
moodle
  • <4.5.7
  • <5.0.3
  • <4.4.11
  • <4.1.21
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package moodle-dl
  • @LeSuisse deleted maintainer @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0040
Moodle: router produces JSON instead of 404 error for invalid course id
CVE-2025-62397
5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (modified/environmental metrics equal the base metrics)
Affected:
moodle
  • <5.0.3
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package moodle-dl
  • @LeSuisse deleted 2 maintainers: @kmein, @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0039
Moodle: course access permissions not properly checked in course_output_fragment_course_overview
CVE-2025-62393
4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (modified/environmental metrics equal the base metrics)
Affected:
moodle
  • <5.0.3
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package moodle-dl
  • @LeSuisse deleted maintainer @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0038
Moodle: hidden group names visible to event creators
CVE-2025-62400
4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (modified/environmental metrics equal the base metrics)
Affected:
moodle
  • <4.5.7
  • <5.0.3
  • <4.4.11
  • <4.1.21
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package moodle-dl
  • @LeSuisse deleted 2 maintainers: @kmein, @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0028
FreeRDP has a heap-buffer-overflow in drive_process_irp_read
Affected:
FreeRDP
  • ==< 3.20.1
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse deleted maintainer @peterhoeg
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0037
Moodle: quiz notifications sent to suspended participants
CVE-2025-62394
4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (modified/environmental metrics equal the base metrics)
Affected:
moodle
  • <4.5.7
  • <5.0.3
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package moodle-dl
  • @LeSuisse deleted maintainer @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0036
Moodle: possible to bypass timer in timed assignments
CVE-2025-62401
5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (modified/environmental metrics equal the base metrics)
Affected:
moodle
  • <4.5.7
  • <5.0.3
  • <4.4.11
  • <4.1.21
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored package moodle-dl
  • @LeSuisse deleted maintainer @freezeboy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0035
Libxslt: type confusion in exsltFuncResultComp function of libxslt
CVE-2025-11731
3.1 LOW, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L (modified/environmental metrics equal the base metrics)
Affected:
rhcos (no version range given)
libxslt
  • <1.1.44
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored 2 packages: python312Packages.libxslt, python313Packages.libxslt
  • @LeSuisse deleted maintainer @jtojnar
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0034
Libsoup: heap use-after-free in libsoup message queue handling during HTTP/2 read completion
CVE-2025-12105
7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (modified/environmental metrics equal the base metrics)
Affected:
libsoup
  • =<3.6.5
libsoup3
  • *
Upstream fix: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9ba1243a24e442fa5ec44684617a4480027da960
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored 2 packages: tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4", libsoup_2_4
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

NIXPKGS-2026-0032
Dask distributed Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard
Affected:
distributed
  • ==< 2026.1.0
Upstream advisory: https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2
Upstream fix: https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa
published 4 months, 3 weeks ago, updated 4 months, 3 weeks ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored 16 packages
    • github-distributed-owners
    • haskellPackages.distributed-fork
    • haskellPackages.aivika-distributed
    • haskellPackages.distributed-static
    • haskellPackages.distributed-closure
    • haskellPackages.distributed-process
    • haskellPackages.powerqueue-distributed
    • haskellPackages.distributed-process-ekg
    • haskellPackages.distributed-process-async
    • haskellPackages.distributed-process-tests
    • haskellPackages.distributed-process-extras
    • haskellPackages.distributed-process-systest
    • haskellPackages.distributed-process-execution
    • haskellPackages.distributed-process-supervisor
    • haskellPackages.distributed-process-client-server
    • haskellPackages.distributed-process-monad-control
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
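The affected-version lists above give one upper bound per supported release branch (four of them for most of the Moodle entries), alongside forms such as "=<3.6.5", "==< 3.20.1" and "*". As an added example, not the tracker's own code, the following reads those strings and evaluates an installed version against them. It compares only against the bound for the version's own branch: a naive "any range matches" check flags the fixed Moodle 4.5.7 as affected, because 4.5.7 is below the 5.0.3 bound of a different branch. The reading of "=<" and "==<" as less-or-equal, and of the first two version components as the release branch, are assumptions of this example.

```python
"""Check an installed package version against the affected ranges above.

Added example, not code from the Nixpkgs security tracker. The range
strings in LISTING are copied from this page. Assumptions made here:
"=<" and "==<" mean "less than or equal", and the first two components
of a version bound identify its release branch.
"""
import re
from dataclasses import dataclass
from typing import Optional

Version = tuple  # tuple of ints, e.g. (4, 5, 7)

# Operator spellings seen in the listing, normalised (assumption, see above).
_OPS = {"<": "<", "<=": "<=", "=<": "<=", "==<": "<="}


@dataclass(frozen=True)
class Range:
    op: str          # "<" (bound is the first fixed version) or "<=" (bound is still affected)
    bound: Version


def parse_version(text: str) -> Version:
    """'4.5.7' -> (4, 5, 7); a trailing suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_range(text: str) -> Optional[Range]:
    """Parse one affected-range string; '*' (every version) returns None."""
    text = text.strip()
    if text == "*":
        return None
    m = re.match(r"([<=]+)\s*(\d+(?:\.\d+)*)$", text)
    if not m or m.group(1) not in _OPS:
        raise ValueError(f"unrecognised range: {text!r}")
    return Range(_OPS[m.group(1)], parse_version(m.group(2)))


def in_range(r: Range, v: Version) -> bool:
    return v < r.bound if r.op == "<" else v <= r.bound


def naive_status(installed: str, ranges: list) -> str:
    """Treat the ranges as one 'any match' set. Over-reports: every 4.5.x
    release, including the fixed 4.5.7, satisfies '<5.0.3'."""
    v = parse_version(installed)
    parsed = [parse_range(r) for r in ranges]
    if None in parsed or any(in_range(r, v) for r in parsed):
        return "affected"
    return "fixed"


def branch_status(installed: str, ranges: list) -> str:
    """Compare only against the bound(s) for the installed release branch.

    Returns "affected", "fixed", or "unknown" (branch not in the listing
    and not older than every fixed release, so the listing cannot say).
    """
    if not ranges:
        raise ValueError("no ranges given")
    v = parse_version(installed)
    parsed = [parse_range(r) for r in ranges]
    if None in parsed:                       # wildcard: everything is affected
        return "affected"
    same_branch = [r for r in parsed if r.bound[:2] == v[:2]]
    if same_branch:
        return "affected" if any(in_range(r, v) for r in same_branch) else "fixed"
    if v < min(r.bound for r in parsed):     # older than every fixed release
        return "affected"
    return "unknown"


# Affected ranges copied from the entries above (lookup table built for this example).
LISTING = {
    "NIXPKGS-2026-0041": ("moodle", ["<4.5.7", "<5.0.3", "<4.4.11", "<4.1.21"]),
    "NIXPKGS-2026-0035": ("libxslt", ["<1.1.44"]),
    "NIXPKGS-2026-0034": ("libsoup", ["=<3.6.5"]),
    "NIXPKGS-2026-0032": ("distributed", ["==< 2026.1.0"]),
}


def report(installed: dict) -> list:
    """installed: {package: version}. Returns (issue, package, version, status)
    for every listed issue whose package is installed."""
    rows = []
    for issue, (pkg, ranges) in LISTING.items():
        if pkg in installed:
            rows.append((issue, pkg, installed[pkg], branch_status(installed[pkg], ranges)))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory, not a real system.
    for row in report({"moodle": "4.5.7", "libsoup": "3.6.5", "distributed": "2026.1.0"}):
        print(*row)
```

An "unknown" result (for instance Moodle 4.3.x, a branch the listing does not mention) is the honest answer from this data alone; resolving it needs the upstream advisory, which is why the entries that carry an "Upstream advisory" or "Upstream fix" link are easier to act on than those that do not.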