Nixpkgs Security Tracker


Automatically generated suggestions


created 3 months ago
The NEEDBITS macro in the inflate_dynamic function in inflate.c for …

The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.

Affected products

unzip
  • <6.0

Matching in nixpkgs

pkgs.unzip

Extraction utility for archives compressed in .zip format

pkgs.runzip

Tool to convert filename encoding inside a ZIP archive

pkgs.ripunzip

Tool to unzip files in parallel

pkgs.unzipNLS

Extraction utility for archives compressed in .zip format

pkgs.haskellPackages.unzip-traversable

Unzip functions for general Traversable containers

pkgs.haskellPackages.wai-middleware-gunzip

WAI middleware to unzip request bodies

Package maintainers: 3

CVE-2025-30673
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
Sub::HandlesVia for Perl allows untrusted code to be included from the current working directory

Sub::HandlesVia for Perl before 0.050002 allows untrusted code from the current working directory ('.') to be loaded, similar to CVE-2016-1238. If an attacker can place a malicious file in the current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. Sub::HandlesVia uses Mite to produce the affected code section, so the issue stems from CVE-2025-30672.

Affected products

Sub-HandlesVia
  • <0.050002

Matching in nixpkgs

pkgs.perlPackages.SubHandlesVia

Alternative handles_via implementation

pkgs.perl538Packages.SubHandlesVia

Alternative handles_via implementation

pkgs.perl540Packages.SubHandlesVia

Alternative handles_via implementation

CVE-2025-31784
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more Plugin <= 1.4.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Rudy Susanto Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more allows Cross Site Request Forgery. This issue affects Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more: from n/a through 1.4.0.

Affected products

embed-extended
  • =<1.4.0

Matching in nixpkgs

pkgs.wordpressPackages.plugins.embed-extended

CVE-2025-31787
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
WordPress Cue by AudioTheme.com plugin <= 2.4.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brady Vercher Cue allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cue: from n/a through 2.4.4.

Affected products

cue
  • =<2.4.4

Matching in nixpkgs

pkgs.cue

Data constraint language which aims to simplify tasks involving defining and using data

pkgs.mkcue

Generates CUE sheets from a CD TOC

pkgs.cuelsp

Language Server implementation for CUE, with built-in support for Dagger

pkgs.cuetsy

Experimental CUE->TypeScript exporter

pkgs.libcue

CUE Sheet Parser Library

pkgs.cuetools

Set of utilities for working with cue files and toc files

pkgs.ddrescue

GNU ddrescue, a data recovery tool

pkgs.mrrescue

Arcade-style fire fighting game

pkgs.myrescue

Hard disk recovery tool that reads undamaged regions first

pkgs.dd_rescue

Tool to copy data from a damaged block device

pkgs.rescuetime

Helps you understand your daily habits so you can focus and be more productive

pkgs.ddrescueview

Tool to graphically examine ddrescue mapfiles

pkgs.tests.cue-validation

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.haskellPackages.cue-sheet

Support for construction, rendering, and parsing of CUE sheets

pkgs.python312Packages.aiooncue

Module to interact with the Kohler Oncue API

pkgs.python313Packages.aiooncue

Module to interact with the Kohler Oncue API

pkgs.vscode-extensions.asdine.cue

Cue language support for Visual Studio Code

pkgs.home-assistant-component-tests.oncue

Open source home automation that puts local control and privacy first

pkgs.tree-sitter-grammars.tree-sitter-cue

pkgs.vimPlugins.nvim-treesitter-parsers.cue

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.python312Packages.tree-sitter-grammars.tree-sitter-cue

Python bindings for tree-sitter-cue

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-cue

Python bindings for tree-sitter-cue

CVE-2025-31846
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Theater for WordPress plugin <= 0.18.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through 0.18.7.

Affected products

theatre
  • =<0.18.7

Matching in nixpkgs

pkgs.haskellPackages.theatre-dev

Minimalistic actor library experiments

CVE-2025-31446
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress WP Cleaner plugin <= 1.1.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jiangmiao WP Cleaner allows Reflected XSS. This issue affects WP Cleaner: from n/a through 1.1.5.

Affected products

wpcleaner
  • =<1.1.5

Matching in nixpkgs

Package maintainers: 1

CVE-2025-31557
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress OSM – OpenStreetMap plugin <= 6.1.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MiKa OSM – OpenStreetMap allows DOM-Based XSS. This issue affects OSM – OpenStreetMap: from n/a through 6.1.6.

Affected products

osm
  • =<6.1.6

Matching in nixpkgs

pkgs.josm

Extensible editor for OpenStreetMap

pkgs.osmo

Handy personal organizer

pkgs.mosml

Light-weight implementation of Standard ML

pkgs.osmid

Lightweight, portable, easy to use tool to convert MIDI to OSC and OSC to MIDI

pkgs.erosmb

SMB network scanner

pkgs.gosmee

Command line server and client for webhooks deliveries (and https://smee.io)

pkgs.imposm

Imports OpenStreetMap data into PostGIS

pkgs.qosmic

Cosmic recursive flame fractal editor

pkgs.cosmocc

Compilers for Cosmopolitan C/C++ programs

pkgs.readosm

Open source library to extract valid data from within an Open Street Map input file

pkgs.osmo-bsc

GSM Base Station Controller

pkgs.osmo-bts

Osmocom GSM Base Transceiver Station (BTS)

pkgs.osmo-hlr

Osmocom implementation of 3GPP Home Location Register (HLR)

pkgs.osmo-iuh

Osmocom IuH library

pkgs.osmo-mgw

Osmocom Media Gateway (MGW); speaks RTP and E1 as well as MGCP

pkgs.osmo-msc

Osmocom implementation of 3GPP Mobile Switching Centre (MSC)

pkgs.osmo-pcu

Osmocom Packet control Unit (PCU): Network-side GPRS (RLC/MAC); BTS- or BSC-colocated

pkgs.cosmic-bg

Applies Background for the COSMIC Desktop Environment

pkgs.libosmium

Fast and flexible C++ library for working with OpenStreetMap data

pkgs.osm2pgsql

OpenStreetMap data to PostgreSQL converter

pkgs.osmctools

Command line tools for transforming Open Street Map files

pkgs.osmo-ggsn

Osmocom Gateway GPRS Support Node (GGSN), successor of OpenGGSN

pkgs.osmo-sgsn

Osmocom implementation of the 3GPP Serving GPRS Support Node (SGSN)

pkgs.cosmic-osd

OSD for the COSMIC Desktop Environment

pkgs.osmo-hnbgw

Osmocom Home NodeB Gateway, for attaching femtocells to the 3G CN (OsmoMSC, OsmoSGSN)

pkgs.cosmic-comp

Compositor for the COSMIC Desktop Environment

pkgs.cosmic-edit

Text Editor for the COSMIC Desktop Environment

pkgs.cosmic-idle

Idle daemon for the COSMIC Desktop Environment

pkgs.cosmic-term

Terminal for the COSMIC Desktop Environment

pkgs.libosmoabis

Osmocom Abis interface library

pkgs.libosmocore

Set of Osmocom core libraries

pkgs.libosmscout

Simple, high-level interfaces for offline location and POI lookup, rendering and routing functionality based on OpenStreetMap (OSM) data

pkgs.osm-gps-map

GTK widget for displaying OpenStreetMap tiles

pkgs.osmium-tool

Multipurpose command line tool for working with OpenStreetMap data based on the Osmium library

pkgs.osmo-hnodeb

Upper layers implementation of HomeNodeB for 3G/UMTS

pkgs.cosmic-files

File Manager for the COSMIC Desktop Environment

pkgs.cosmic-icons

System76 Cosmic icon theme for Linux

pkgs.cosmic-panel

Panel for the COSMIC Desktop Environment

pkgs.cosmic-randr

Library and utility for displaying and configuring Wayland outputs

pkgs.cosmic-store

App Store for the COSMIC Desktop Environment

pkgs.cosmopolitan

Your build-once run-anywhere C library

pkgs.osmtogeojson

Converts OSM data to GeoJSON

pkgs.cosmic-player

Media player for the COSMIC Desktop Environment

pkgs.libosmo-netif

Osmocom network / socket interface library

pkgs.cosmic-applets

Applets for the COSMIC Desktop Environment

pkgs.cosmic-ext-ctl

CLI for COSMIC Desktop configuration management

pkgs.cosmic-greeter

Greeter for the COSMIC Desktop Environment

pkgs.cosmic-session

Session manager for the COSMIC desktop environment

pkgs.cosmic-launcher

Launcher for the COSMIC Desktop Environment

pkgs.cosmic-settings

Settings for the COSMIC Desktop Environment

pkgs.libosmo-sigtran

SCCP + SIGTRAN (SUA/M3UA) libraries as well as OsmoSTP

pkgs.osmscout-server

Maps server providing tiles, geocoder, and router

pkgs.rtl-sdr-osmocom

Software to turn the RTL2832U into a SDR receiver

pkgs.cosmic-protocols

Additional wayland-protocols used by the COSMIC desktop environment

pkgs.libcosmicAppHook

Setup hook for configuring and wrapping applications based on libcosmic

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.cosmic-applibrary

Application Template for the COSMIC Desktop Environment

pkgs.cosmic-ext-tweaks

Tweaking tool for the COSMIC Desktop Environment

pkgs.cosmic-screenshot

Screenshot tool for the COSMIC Desktop Environment

pkgs.cosmic-wallpapers

Wallpapers for the COSMIC Desktop Environment

pkgs.luaPackages.cosmo

Safe templates for Lua

pkgs.osmo-sip-connector

This implements an interface between the MNCC (Mobile Network Call Control) interface of OsmoMSC (and also previously OsmoNITB) and SIP

pkgs.lua51Packages.cosmo

Safe templates for Lua

pkgs.lua52Packages.cosmo

Safe templates for Lua

pkgs.lua53Packages.cosmo

Safe templates for Lua

pkgs.lua54Packages.cosmo

Safe templates for Lua

pkgs.python-cosmopolitan

Actually Portable Python using Cosmopolitan

pkgs.cosmic-notifications

Notifications for the COSMIC Desktop Environment

pkgs.luajitPackages.cosmo

Safe templates for Lua

pkgs.cosmic-ext-calculator

Calculator for the COSMIC Desktop Environment

pkgs.cosmic-settings-daemon

Settings Daemon for the COSMIC Desktop Environment

pkgs.cosmic-workspaces-epoch

Workspaces Epoch for the COSMIC Desktop Environment

pkgs.python312Packages.osmnx

Package to easily download, construct, project, visualize, and analyze complex street networks from OpenStreetMap with NetworkX

pkgs.python313Packages.osmnx

Package to easily download, construct, project, visualize, and analyze complex street networks from OpenStreetMap with NetworkX

pkgs.gnuradioPackages.osmosdr

Gnuradio block for OsmoSDR and rtl-sdr

pkgs.graylogPlugins.twiliosms

Alarm callback plugin for integrating the Twilio SMS API into Graylog

pkgs.python312Packages.aiosmb

Python SMB library

pkgs.python312Packages.osmapi

Python wrapper for the OSM API

pkgs.python313Packages.aiosmb

Python SMB library

pkgs.python313Packages.osmapi

Python wrapper for the OSM API

pkgs.kdePackages.kosmindoormap

OSM multi-floor indoor map renderer

pkgs.xdg-desktop-portal-cosmic

XDG Desktop Portal for the COSMIC Desktop Environment

pkgs.python312Packages.aiosmtpd

Asyncio based SMTP server

pkgs.python312Packages.pyosmium

Python bindings for libosmium

pkgs.python313Packages.aiosmtpd

Asyncio based SMTP server

pkgs.python313Packages.pyosmium

Python bindings for libosmium

pkgs.python312Packages.aiosmtplib

Module which provides a SMTP client

pkgs.python312Packages.py-aosmith

Python client library for A. O. Smith water heaters

pkgs.python313Packages.aiosmtplib

Module which provides a SMTP client

pkgs.python313Packages.py-aosmith

Python client library for A. O. Smith water heaters

pkgs.python312Packages.azure-cosmos

Azure Cosmos DB API

pkgs.python313Packages.azure-cosmos

Azure Cosmos DB API

pkgs.python312Packages.osmpythontools

Library to access OpenStreetMap-related services

pkgs.python313Packages.osmpythontools

Library to access OpenStreetMap-related services

pkgs.azure-cli-extensions.cosmosdb-preview

Microsoft Azure Command-Line Tools Cosmosdb-preview Extension

pkgs.python312Packages.azure-mgmt-cosmosdb

Module to work with the Microsoft Azure Cosmos DB Management

pkgs.python313Packages.azure-mgmt-cosmosdb

Module to work with the Microsoft Azure Cosmos DB Management

pkgs.home-assistant-component-tests.aosmith

Open source home automation that puts local control and privacy first

pkgs.python312Packages.azure-cosmosdb-nspkg

This is the Microsoft Azure CosmosDB namespace package

pkgs.python312Packages.azure-cosmosdb-table

This is the Microsoft Azure Log Analytics Client Library

pkgs.python313Packages.azure-cosmosdb-nspkg

This is the Microsoft Azure CosmosDB namespace package

pkgs.python313Packages.azure-cosmosdb-table

This is the Microsoft Azure Log Analytics Client Library

Package maintainers: 54

CVE-2025-31549
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Fusion plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion allows DOM-Based XSS. This issue affects Fusion: from n/a through 1.6.3.

Affected products

fusion
  • =<1.6.3

Matching in nixpkgs

pkgs.datafusion-cli

CLI for Apache Arrow DataFusion

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.finalfusion-utils

Utility for converting, quantizing, and querying word embeddings

pkgs.python312Packages.datafusion

Extensible query execution framework

pkgs.python313Packages.datafusion

Extensible query execution framework

pkgs.haskellPackages.fusion-plugin

GHC plugin to make stream fusion more predictable

pkgs.python312Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.k-diffusion

Karras et al. (2022) diffusion models for PyTorch

pkgs.python313Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python313Packages.k-diffusion

Karras et al. (2022) diffusion models for PyTorch

pkgs.haskellPackages.gogol-datafusion

Google Cloud Data Fusion SDK

pkgs.haskellPackages.list-fusion-probe

testing list fusion for success

pkgs.haskellPackages.gogol-fusiontables

Google Fusion Tables SDK

pkgs.haskellPackages.fusion-plugin-types

Types for the fusion-plugin package

pkgs.vimPlugins.nvim-treesitter-parsers.fusion

  • nixos-unstable ???
    • nixpkgs-unstable

Package maintainers: 4

CVE-2025-31538
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Checklist plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in checklistcom Checklist allows Stored XSS. This issue affects Checklist: from n/a through 1.1.9.

Affected products

checklist
  • =<1.1.9

Matching in nixpkgs

pkgs.haskellPackages.tasty-checklist

Check multiple items during a tasty test

CVE-2024-13939
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829.

Affected products

String-Compare-ConstantTime
  • =<0.321

Matching in nixpkgs

pkgs.perlPackages.StringCompareConstantTime

Timing side-channel protected string compare

pkgs.perl538Packages.StringCompareConstantTime

Timing side-channel protected string compare

pkgs.perl540Packages.StringCompareConstantTime

Timing side-channel protected string compare