Nixpkgs Security Tracker

Automatically generated suggestions

created 4 months ago
Libarchive: double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

Affected products

rhcos
  • *
libarchive
  • <3.8.0
  • *
rhosdt/jaeger-agent-rhel8
  • *
rhosdt/jaeger-query-rhel8
  • *
rhosdt/jaeger-ingester-rhel8
  • *
rhosdt/jaeger-rhel8-operator
  • *
rhosdt/jaeger-collector-rhel8
  • *
rhosdt/jaeger-operator-bundle
  • *
rhosdt/jaeger-all-in-one-rhel8
  • *
rhosdt/jaeger-es-rollover-rhel8
  • *
discovery/discovery-server-rhel9
  • *
rhosdt/jaeger-es-index-cleaner-rhel8
  • *
web-terminal/web-terminal-tooling-rhel9
  • *
cert-manager/jetstack-cert-manager-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
  • *
registry.redhat.io/rhosdt/jaeger-agent-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-query-rhel8
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
compliance/openshift-compliance-openscap-rhel8
  • *
compliance/openshift-compliance-rhel8-operator
  • *
registry.redhat.io/rhosdt/jaeger-ingester-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-rhel8-operator
  • *
openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/rhosdt/jaeger-collector-rhel8
  • *
registry.redhat.io/rhosdt/jaeger-operator-bundle
  • *
compliance/openshift-compliance-must-gather-rhel8
  • *
openshift-sandboxed-containers/osc-rhel9-operator
  • *
registry.redhat.io/rhosdt/jaeger-all-in-one-rhel8
  • *
compliance/openshift-file-integrity-rhel8-operator
  • *
registry.redhat.io/rhosdt/jaeger-es-rollover-rhel8
  • *
registry.redhat.io/discovery/discovery-server-rhel9
  • *
openshift-sandboxed-containers/osc-must-gather-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
registry.redhat.io/rhosdt/jaeger-es-index-cleaner-rhel8
  • *
openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
registry.redhat.io/insights-proxy/insights-proxy-container-rhel9
  • *
openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9
  • *

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

  • nixos-unstable -

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

  • nixos-unstable -

pkgs.haskellPackages.libarchive

Haskell interface to libarchive

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

  • nixos-unstable -

pkgs.python312Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.python313Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.haskellPackages.archive-libarchive

Common interface using libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

Package maintainers: 8

created 4 months ago
WordPress Wishlist plugin <= 2.1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Wishlist allows Reflected XSS. This issue affects Wishlist: from n/a through 2.1.0.

Affected products

wishlist
  • =<2.1.0

Matching in nixpkgs

pkgs.wishlist

Single entrypoint for multiple SSH endpoints

  • nixos-unstable -

Package maintainers: 2

created 4 months ago
WordPress FLAP - Business WordPress Theme <= 1.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

Affected products

flap
  • =<1.5

Matching in nixpkgs

pkgs.jflap

GUI tool for experimenting with formal languages topics

  • nixos-unstable -

Package maintainers: 2

created 4 months ago
WordPress Spare <= 1.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.

Affected products

spare
  • =<1.7

Matching in nixpkgs

pkgs.asciiquarium-transparent

Aquarium/sea animation in ASCII art (with option of transparent background)

  • nixos-unstable -

pkgs.materia-theme-transparent

Transparent Material Design theme for GNOME/GTK based desktop environments

pkgs.gnomeExtensions.transparent-top-bar

Bring back the transparent top bar when free-floating in GNOME Shell 3.32.

  • nixos-unstable -
    • nixpkgs-unstable 24

pkgs.gnomeExtensions.transparent-window-moving

Makes the window semi-transparent when moving or resizing

  • nixos-unstable -
    • nixpkgs-unstable 19

pkgs.sway-contrib.inactive-windows-transparency

It makes inactive sway windows transparent

pkgs.gnomeExtensions.transparent-top-bar-adjustable-transparency

Fork of: https://github.com/zhanghai/gnome-shell-extension-transparent-top-bar

  • nixos-unstable -
    • nixpkgs-unstable 24

Package maintainers: 4

created 4 months ago
WordPress Valen - Sport, Fashion WooCommerce WordPress Theme <= 2.4 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Valen - Sport, Fashion WooCommerce WordPress Theme: from n/a through 2.4.

Affected products

valen
  • =<2.4

Matching in nixpkgs

pkgs.valentina

Open source sewing pattern drafting software

  • nixos-unstable -

pkgs.gnomeExtensions.valent

GNOME Shell integration for Valent

pkgs.sbclPackages.cl-prevalence

pkgs.haskellPackages.equivalence

Maintaining an equivalence relation implemented as union-find using STT

  • nixos-unstable -

pkgs.vscode-extensions.valentjn.vscode-ltex

  • nixos-unstable -

Package maintainers: 7

created 4 months ago
Libarchive: reading past eof may be triggered for piped file streams

A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

Affected products

rhcos
libarchive
  • <3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

  • nixos-unstable -

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

  • nixos-unstable -

pkgs.haskellPackages.libarchive

Haskell interface to libarchive

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

  • nixos-unstable -

pkgs.python312Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.python313Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.haskellPackages.archive-libarchive

Common interface using libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

Package maintainers: 8

created 4 months ago
WordPress Arlo <= 6.0.3 - Local File Inclusion Vulnerability

Path Traversal vulnerability in Frenify Arlo allows PHP Local File Inclusion. This issue affects Arlo: from n/a through 6.0.3.

Affected products

arlo
  • =<6.0.3

Matching in nixpkgs

pkgs.barlow

Grotesk variable font superfamily

  • nixos-unstable -

pkgs.clearlooks-phenix

GTK3 port of the Clearlooks theme

  • nixos-unstable -

pkgs.python312Packages.pyarlo

Python library to work with Netgear Arlo cameras

  • nixos-unstable -

pkgs.python313Packages.pyarlo

Python library to work with Netgear Arlo cameras

  • nixos-unstable -

pkgs.python312Packages.warlock

Python object model built on JSON schema and JSON patch

  • nixos-unstable -

pkgs.python313Packages.warlock

Python object model built on JSON schema and JSON patch

  • nixos-unstable -

pkgs.haskellPackages.barlow-lens

lens via string literals

pkgs.rubyPackages.charlock_holmes

  • nixos-unstable -

pkgs.python312Packages.solarlog-cli

Python library to access the Solar-Log JSON interface

  • nixos-unstable -

pkgs.python313Packages.solarlog-cli

Python library to access the Solar-Log JSON interface

  • nixos-unstable -

pkgs.rubyPackages_3_1.charlock_holmes

  • nixos-unstable -

pkgs.rubyPackages_3_2.charlock_holmes

  • nixos-unstable -

pkgs.rubyPackages_3_3.charlock_holmes

  • nixos-unstable -

pkgs.rubyPackages_3_4.charlock_holmes

  • nixos-unstable -

pkgs.python312Packages.zeversolarlocal

Python module to interact with Zeversolar inverters

  • nixos-unstable -

pkgs.python313Packages.zeversolarlocal

Python module to interact with Zeversolar inverters

  • nixos-unstable -

pkgs.home-assistant-component-tests.solarlog

Open source home automation that puts local control and privacy first

Package maintainers: 4

created 4 months ago
WordPress SUMO Affiliates Pro <= 10.7.0 - Arbitrary File Upload Vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in FantasticPlugins SUMO Affiliates Pro allows Using Malicious Files. This issue affects SUMO Affiliates Pro: from n/a through 10.7.0.

Affected products

affs
  • =<10.7.0

Matching in nixpkgs

pkgs.unyaffs

Tool to extract files from a YAFFS2 file system image

  • nixos-unstable -

pkgs.yaffshiv

Simple YAFFS file system parser and extractor

Package maintainers: 2

created 4 months ago
WordPress Revo theme <= 4.0.26 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Revo allows PHP Local File Inclusion. This issue affects Revo: from n/a through 4.0.26.

Affected products

revo
  • =<4.0.26

Matching in nixpkgs

pkgs.prevo

Offline version of the Esperanto dictionary Reta Vortaro

  • nixos-unstable -

pkgs.adminerevo

Database management in a single PHP file

  • nixos-unstable -

pkgs.prevo-data

Data for offline version of the Esperanto dictionary Reta Vortaro

pkgs.prevo-tools

CLI tools for the offline version of the Esperanto dictionary Reta Vortaro

  • nixos-unstable -

pkgs.trevorproxy

Module to rotate the source IP address via SSH proxies and other methods

  • nixos-unstable -

pkgs.trevorspray

Modular password spraying tool

  • nixos-unstable -

pkgs.revolt-desktop

Open source user-first chat platform

  • nixos-unstable -

pkgs.python312Packages.pyrevolve

Python library to manage checkpointing for adjoints

  • nixos-unstable -

pkgs.python312Packages.trevorproxy

Module to rotate the source IP address via SSH proxies and other methods

  • nixos-unstable -

pkgs.python313Packages.trevorproxy

Module to rotate the source IP address via SSH proxies and other methods

  • nixos-unstable -

pkgs.python312Packages.brevo-python

Fully-featured Python API client to interact with Brevo

  • nixos-unstable -

pkgs.python313Packages.brevo-python

Fully-featured Python API client to interact with Brevo

  • nixos-unstable -

Package maintainers: 7

created 4 months ago
Libarchive: integer overflow while reading warc files at archive_read_support_format_warc.c

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.

Affected products

rhcos
libarchive
  • <3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

  • nixos-unstable -

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

  • nixos-unstable -

pkgs.haskellPackages.libarchive

Haskell interface to libarchive

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

  • nixos-unstable -

pkgs.python312Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.python313Packages.libarchive-c

Python interface to libarchive

  • nixos-unstable -

pkgs.haskellPackages.archive-libarchive

Common interface using libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

Package maintainers: 8