Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2022-28653
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Users can consume unlimited disk space in /var/crash

Affected products

apport
  • <2.21.0

Matching in nixpkgs

pkgs.haskellPackages.apportionment

Round a set of numbers while maintaining its sum

Package maintainers: 1

CVE-2025-0750
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 3 months ago
Cri-o: cri-o path traversal in log handling functions allows arbitrary unmounting

A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories.

Affected products

cri-o
  • <1.33.1
  • *
rhcos

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers: 2

CVE-2025-23684
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
WordPress Debug Tool plugin <= 2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.

Affected products

debug-tool
  • =<2.2

Matching in nixpkgs

pkgs.python312Packages.django-debug-toolbar

Configurable set of panels that display debug information about the current request/response

pkgs.python313Packages.django-debug-toolbar

Configurable set of panels that display debug information about the current request/response

pkgs.python312Packages.django-graphiql-debug-toolbar

Django Debug Toolbar for GraphiQL IDE

pkgs.python313Packages.django-graphiql-debug-toolbar

Django Debug Toolbar for GraphiQL IDE

Package maintainers: 2

CVE-2025-23592
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress dForms plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound dForms allows Reflected XSS. This issue affects dForms: from n/a through 1.0.

Affected products

dforms
  • =<1.0

Matching in nixpkgs

pkgs.python312Packages.permissionedforms

Django extension for creating forms that vary according to user permissions

pkgs.python313Packages.permissionedforms

Django extension for creating forms that vary according to user permissions

Package maintainers: 1

CVE-2024-11218
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Podman: buildah: container breakout by using --jobs=2 and a race condition when building a malicious containerfile

A vulnerability was found in `podman build` and `buildah`. This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.

Affected products

rhcos
  • *
podman
  • *
buildah
  • <1.33.12
  • *
  • <1.37.6
  • <1.38.1
  • <1.35.5
container-tools:rhel8
  • *
container-tools:rhel8/podman
container-tools:rhel8/buildah

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

pkgs.buildah

Tool which facilitates building OCI images

pkgs.podman-tui

Podman Terminal UI

pkgs.podman-bootc

Streamlining podman+bootc interactions

pkgs.podman-compose

Implementation of docker-compose with podman backend

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

pkgs.buildah-unwrapped

Tool which facilitates building OCI images

pkgs.nomad-driver-podman

Podman task driver for Nomad

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API

pkgs.python313Packages.podman

Python bindings for Podman's RESTful API

Package maintainers: 8

CVE-2025-23892
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Progress Tracker plugin <= 0.9.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through 0.9.3.

Affected products

progress-tracker
  • =<0.9.3

Matching in nixpkgs

pkgs.progress-tracker

Simple kanban-style task organiser

Package maintainers: 1

CVE-2025-23884
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery. This issue affects Annie: from n/a through 2.1.1.

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

Package maintainers: 1

CVE-2025-23919
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Slides & Presentations Plugin <= 0.0.39 - Content Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Ella van Durpe Slides & Presentations allows Code Injection. This issue affects Slides & Presentations: from n/a through 0.0.39.

Affected products

slide
  • =<0.0.39

Matching in nixpkgs

pkgs.slides

Terminal based presentation tool

pkgs.openslide

C library that provides a simple interface to read whole-slide images

pkgs.manim-slides

Tool for live presentations using manim

pkgs.dvd-slideshow

Suite of command line programs that creates a slideshow-style video from groups of pictures

pkgs.gnomeExtensions.backslide

Automatic background-image (wallpaper) slideshow for Gnome Shell

pkgs.python312Packages.openslide

Python bindings to the OpenSlide library for reading whole-slide microscopy images

pkgs.python313Packages.openslide

Python bindings to the OpenSlide library for reading whole-slide microscopy images

pkgs.haskellPackages.gogol-slides

Google Slides SDK

pkgs.python312Packages.goslide-api

Python API to utilise the Slide Open Cloud and Local API

pkgs.python313Packages.goslide-api

Python API to utilise the Slide Open Cloud and Local API

pkgs.typstPackages.gradslide_0_1_0

Simple component to show a value between 0 and 1 on a nice gradient slider

pkgs.typstPackages.typslides_1_1_1

Minimalistic Typst slides

pkgs.typstPackages.typslides_1_2_0

Minimalistic Typst slides

pkgs.typstPackages.typslides_1_2_1

Minimalistic Typst slides

pkgs.typstPackages.typslides_1_2_3

Minimalistic Typst slides

pkgs.typstPackages.typslides_1_2_4

Minimalistic Typst slides

pkgs.typstPackages.typslides_1_2_5

Minimalistic Typst slides

pkgs.typstPackages.typslides_1_2_6

Minimalistic Typst slides

pkgs.python312Packages.manim-slides

Tool for live presentations using manim

pkgs.python313Packages.manim-slides

Tool for live presentations using manim

pkgs.vscode-extensions.antfu.slidev

pkgs.python312Packages.textual-slider

Textual widget for a simple slider

pkgs.python313Packages.textual-slider

Textual widget for a simple slider

pkgs.typstPackages.parcio-slides_0_1_0

A simple polylux slide template based on the ParCIO working group at OvGU Magdeburg

pkgs.typstPackages.parcio-slides_0_1_1

A simple polylux slide template based on the ParCIO working group at OvGU Magdeburg

pkgs.gnomeExtensions.night-light-slider

Add a slider for Night Light temperature to the Quick Settings menu.

pkgs.gnomeExtensions.wallpaper-slideshow

Wallpaper slideshow extension. Optionally downloads BING wallpaper of the day.

pkgs.typstPackages.silky-slides-insa_0_1_0

A template made for presentations of INSA, a French engineering school

pkgs.typstPackages.silky-slides-insa_0_1_1

A template made for presentations of INSA, a French engineering school

pkgs.gnomeExtensions.keyboard-backlight-slider

Allow setting the keyboard backlight brightness with a slider in the main menu

pkgs.gnomeExtensions.night-light-slider-updated

Kiyui's Night Light Slider updated for GNOME 45. Provides a slider in the quick settings menu to control the night light temperature. Some nice options can be set in the extension preferences menu. Original implementation: https://codeberg.org/kiyui/gnome-shell-night-light-slider-extension/

pkgs.home-assistant-component-tests.slide_local

Open source home automation that puts local control and privacy first

pkgs.typstPackages.tud-corporate-design-slides_0_1_0

Presentation template for TU Dresden (Technische Universität Dresden)

pkgs.typstPackages.upb-corporate-design-slides_0_1_0

Presentation template for Paderborn University (UPB)

pkgs.typstPackages.upb-corporate-design-slides_0_1_1

Presentation template for Paderborn University (UPB)

pkgs.typstPackages.upb-corporate-design-slides_0_1_2

Presentation template for Paderborn University (UPB)

pkgs.typstPackages.upb-corporate-design-slides_0_1_3

Presentation template for Paderborn University (UPB)

pkgs.vscode-extensions.ms-toolsai.vscode-jupyter-slideshow

Package maintainers: 13

CVE-2025-23886
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Annie plugin <= 2.1.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Roberts Annie allows Stored XSS. This issue affects Annie: from n/a through 2.1.1.

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

Package maintainers: 1

CVE-2025-23760
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Chatter plugin <= 1.0.1 - CSRF to Stored XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.

Affected products

chatter
  • =<1.0.1

Matching in nixpkgs

pkgs.chatterino2

Chat client for Twitch chat

pkgs.chatterino7

Chat client for Twitch chat

pkgs.haskellPackages.chatter

A library of simple NLP algorithms

pkgs.typstPackages.chatter_0_1_0

Write dialog between any number of characters quickly and cleanly. Great for translations or short assignments

Package maintainers: 4