CVE-2025-40927 (created 4 months ago)
CGI::Simple versions 1.281 and earlier for Perl have an HTTP response splitting flaw

This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions. Although some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters. As a result, an attacker can inject a line break (e.g. %0A) into the parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks. The issue documented in CVE-2010-4410 (https://www.cve.org/CVERecord?id=CVE-2010-4410) is related, but that fix was incomplete.

Impact
By injecting %0A (newline) into a query string parameter, an attacker can:
* break the current HTTP header
* inject a new header or an entire body
* deliver a script payload that is reflected in the server's response

That can lead to the following attacks:
* reflected XSS
* open redirect
* cache poisoning
* header manipulation

Affected products:
* CGI-Simple <1.282

Matching in nixpkgs:
* pkgs.perlPackages.CGISimple: Simple totally OO CGI interface that is CGI.pm compliant (nixos-unstable - nixpkgs-unstable: 1.282)
* pkgs.perl538Packages.CGISimple: Simple totally OO CGI interface that is CGI.pm compliant (nixos-unstable - nixpkgs-unstable: 1.282)
* pkgs.perl540Packages.CGISimple: Simple totally OO CGI interface that is CGI.pm compliant (nixos-unstable - nixpkgs-unstable: 1.282)
CVE-2025-4437 (created 4 months ago)
Cri-o: large /etc/passwd file may lead to denial of service

There is a vulnerability in CRI-O: when a container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user and reads the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause high memory consumption, leading to applications being killed due to out-of-memory conditions. As a result, a denial of service can be achieved, possibly disrupting other pods and services running on the same host.

Affected products:
* cri-o
* rhcos

Matching in nixpkgs:
* pkgs.cri-o: Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface (nixos-unstable - nixpkgs-unstable: 1.34.0)
* pkgs.cri-o-unwrapped: Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface (nixos-unstable - nixpkgs-unstable: 1.34.0)

Package maintainers: 2
* @vdemeester Vincent Demeester <vincent@sbr.pm>
* @saschagrunert Sascha Grunert <mail@saschagrunert.de>
CVE-2025-4877 (created 4 months ago)
Libssh: write beyond bounds in binary to base64 conversion functions

There is a vulnerability in the libssh package when a libssh consumer passes an unexpectedly large input buffer to the ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to memory under-allocation; when that happens, the program may perform an out-of-bounds write, leading to heap corruption. This issue affects only 32-bit builds of libssh.

Affected products:
* rhcos
* libssh <0.11.2
* libssh2

Matching in nixpkgs:
* pkgs.libssh: SSH client library (nixos-unstable - nixpkgs-unstable: 0.11.2)
* pkgs.libssh2: Client-side C library implementing the SSH2 protocol (nixos-unstable - nixpkgs-unstable: 1.11.1)
* pkgs.haskellPackages.libssh: libssh bindings (nixos-unstable - nixpkgs-unstable: 0.1.0.0)
* pkgs.python312Packages.ansible-pylibssh: Python bindings to client functionality of libssh specific to Ansible use case (nixos-unstable - nixpkgs-unstable: 1.2.2)
* pkgs.python313Packages.ansible-pylibssh: Python bindings to client functionality of libssh specific to Ansible use case (nixos-unstable - nixpkgs-unstable: 1.2.2)
* pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2: Test whether libssh2-1.11.1 exposes pkg-config modules libssh2 (nixos-unstable - nixpkgs-unstable: libssh2)

Package maintainers: 3
* @svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
* @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
* @geluk Johan Geluk <johan+nix@geluk.io>
CVE-2025-49436 (created 4 months ago)
WordPress Custom Menu plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thiudis Custom Menu allows Stored XSS. This issue affects Custom Menu: from n/a through 1.8.

Affected products:
* custom-menu =<1.8

Matching in nixpkgs:
* pkgs.gnomeExtensions.custom-menu: Custom application menu with JSON configuration. Launch apps with specific profiles or execute toggle commands (e.g., for mounted drives) directly from your GNOME menu. (nixos-unstable - nixpkgs-unstable: 2)

Package maintainers: 1
* @honnip Jung seungwoo <me@honnip.page>
CVE-2025-48171 (created 4 months ago)
WordPress Cena Store <= 2.11.26 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store allows PHP Local File Inclusion. This issue affects Cena Store: from n/a through 2.11.26.

Affected products:
* cena =<2.11.26

Matching in nixpkgs:
* pkgs.ocenaudio: Cross-platform, easy to use, fast and functional audio editor (nixos-unstable - nixpkgs-unstable: 3.15.3)
* pkgs.spacenavd: Device driver and SDK for 3Dconnexion 3D input devices (nixos-unstable - nixpkgs-unstable: 1.3.1)
* pkgs.asciinema-scenario: Create asciinema videos from a text file (nixos-unstable - nixpkgs-unstable: 0.3.0)
* pkgs.spacenav-cube-example: Example application to test the spacenavd driver (nixos-unstable - nixpkgs-unstable: 1.2)
* pkgs.rubyPackages.mercenary (nixos-unstable - nixpkgs-unstable: 0.3.6)
* pkgs.rubyPackages_3_1.mercenary (nixos-unstable - nixpkgs-unstable: 0.3.6)
* pkgs.rubyPackages_3_2.mercenary (nixos-unstable - nixpkgs-unstable: 0.3.6)
* pkgs.rubyPackages_3_3.mercenary (nixos-unstable - nixpkgs-unstable: 0.3.6)
* pkgs.rubyPackages_3_4.mercenary (nixos-unstable - nixpkgs-unstable: 0.3.6)
* pkgs.python312Packages.testscenarios: Pyunit extension for dependency injection (nixos-unstable - nixpkgs-unstable: 0.5.0)
* pkgs.python313Packages.testscenarios: Pyunit extension for dependency injection (nixos-unstable - nixpkgs-unstable: 0.5.0)
* pkgs.azure-cli-extensions.scenario-guide: Microsoft Azure Command-Line Tools Scenario Guidance Extension (nixos-unstable - nixpkgs-unstable: 0.1.1)
* pkgs.haskellPackages.opengl-spacenavigator: Library and example for using a SpaceNavigator-compatible 3-D mouse with OpenGL (nixos-unstable - nixpkgs-unstable: 0.1.5.5)

Package maintainers: 5
* @garbas Rok Garbas <rok@garbas.si>
* @ulrikstrid Ulrik Strid <ulrik.strid@outlook.com>
* @katexochen Paul Meyer <katexochen0@gmail.com>
* @onny Jonas Heinrich <onny@project-insanity.org>
* @Sohalt sohalt <nixos@sohalt.net>
CVE-2023-5342 (created 4 months ago)
Shim: expired secure boot certificate

The Fedora Secure Boot CA certificate shipped with shim in Fedora had expired, which could lead to old or invalidly signed boot components being loaded.

Affected products:
* shim
* shim-x64 <15.8-2

Matching in nixpkgs:
* pkgs.yoshimi: High quality software synthesizer based on ZynAddSubFX (nixos-unstable - nixpkgs-unstable: 2.3.4.1)
* pkgs.epoll-shim: Small epoll implementation using kqueue (nixos-unstable - nixpkgs-unstable: 0.0.20240608)
* pkgs.libudev0-shim: Shim to preserve libudev.so.0 compatibility (nixos-unstable - nixpkgs-unstable: 1)
* pkgs.plex-mpv-shim: Allows casting of videos to MPV via the Plex mobile and web app (nixos-unstable - nixpkgs-unstable: 1.11.0)
* pkgs.shim-unsigned: UEFI shim loader (nixos-unstable - nixpkgs-unstable: 16.1)
* pkgs.doas-sudo-shim: Shim for the sudo command that utilizes doas (nixos-unstable - nixpkgs-unstable: 0.1.2)
* pkgs.rshim-user-space: User-space rshim driver for the BlueField SoC (nixos-unstable - nixpkgs-unstable: 2.4.4)
* pkgs.jellyfin-mpv-shim: Allows casting of videos to MPV via the jellyfin mobile and web app (nixos-unstable - nixpkgs-unstable: 2.9.0)
* pkgs.mpv-shim-default-shaders: Preconfigured set of MPV shaders and configurations for MPV Shim media clients (nixos-unstable - nixpkgs-unstable: 2.1.0)
* pkgs.python312Packages.shimmy: API conversion tool for popular external reinforcement learning environments (nixos-unstable - nixpkgs-unstable: 2.0.0)
* pkgs.pantheon.elementary-print-shim: Simple shim for printing support via Contractor (nixos-unstable - nixpkgs-unstable: 0.1.3)
* pkgs.python312Packages.notebook-shim: Switch frontends to Jupyter Server (nixos-unstable - nixpkgs-unstable: 0.2.4)
* pkgs.python313Packages.notebook-shim: Switch frontends to Jupyter Server (nixos-unstable - nixpkgs-unstable: 0.2.4)
* pkgs.python312Packages.pytz-deprecation-shim: Shims to make deprecation of pytz easier (nixos-unstable - nixpkgs-unstable: 0.1.0.post0)
* pkgs.python313Packages.pytz-deprecation-shim: Shims to make deprecation of pytz easier (nixos-unstable - nixpkgs-unstable: 0.1.0.post0)

Package maintainers: 11
* @dani0854 Danil Suetin <suetin085+nixpkgs@protonmail.com>
* @wegank Weijia Wang <contact@weijia.wang>
* @jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
* @devusb Morgan Helton <mhelton@devusb.us>
* @davidak David Kleuker <post@davidak.de>
* @bobby285271 Bobby Rong <rjl931189261@126.com>
* @dotlambda Robert Schütz <rschuetz17@gmail.com>
* @GaetanLepage Gaetan Lepage <gaetan@glepage.com>
* @thillux Markus Theil <theil.markus@gmail.com>
* @baloo Arthur Gautier <nixpkgs@superbaloo.net>
* @RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>
CVE-2025-55716 (created 4 months ago)
WordPress WP Statistics Plugin <= 14.15 - Broken Access Control Vulnerability

Missing Authorization vulnerability in VeronaLabs WP Statistics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Statistics: from n/a through 14.15.

Affected products:
* wp-statistics =<14.15

Matching in nixpkgs:
* pkgs.wordpressPackages.plugins.wp-statistics (nixos-unstable - nixpkgs-unstable: 14.13.1)
CVE-2025-53241 (created 4 months ago)
WordPress Simplified Plugin <= 1.0.9 - Server Side Request Forgery (SSRF) Vulnerability

Server-Side Request Forgery (SSRF) vulnerability in kodeshpa Simplified allows Server Side Request Forgery. This issue affects Simplified: from n/a through 1.0.9.

Affected products:
* simplified =<1.0.9

Matching in nixpkgs:
* pkgs.gnomeExtensions.net-speed-simplified: A Net Speed extension With Loads of Customization. Fork of simplenetspeed (nixos-unstable - nixpkgs-unstable: 44)
* pkgs.gnomeExtensions.net-totals-simplified: A Net totals extension that only displays totals. Forked from Net Speed extension (netspeedsimplified@prateekmedia.extension) With Loads of Customization, version 43 (nixos-unstable - nixpkgs-unstable: 3)
* pkgs.haskellPackages.phonetic-languages-simplified-base: A basics of the phonetic-languages functionality that can be groupped (nixos-unstable - nixpkgs-unstable: 0.9.0.0)
* pkgs.haskellPackages.phonetic-languages-simplified-properties-array-common: Common functionality for 'with-tuples' and old version of properties (nixos-unstable - nixpkgs-unstable: 0.4.1.0)

Package maintainers: 1
* @honnip Jung seungwoo <me@honnip.page>
CVE-2025-28975 (created 4 months ago)
WordPress Alike - WordPress Custom Post Comparison <= 3.0.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Alike - WordPress Custom Post Comparison allows Reflected XSS. This issue affects Alike - WordPress Custom Post Comparison: from n/a through 3.0.1.

Affected products:
* alike =<3.0.1

Matching in nixpkgs:
* pkgs.soundalike: Find duplicate audio files using acoustic fingerprints (nixos-unstable - nixpkgs-unstable: 0.1.2)
* pkgs.gnomeExtensions.compiz-alike-magic-lamp-effect: Magic lamp effect inspired by the Compiz ones (nixos-unstable - nixpkgs-unstable: 21)

Package maintainers: 2
* @honnip Jung seungwoo <me@honnip.page>
* @atar13 Anthony Tarbinian <atar137h@gmail.com>
CVE-2025-49053 (created 4 months ago)
WordPress WP Airdrop Manager plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kadesthemes WP Airdrop Manager allows Stored XSS. This issue affects WP Airdrop Manager: from n/a through 1.0.5.

Affected products:
* airdrop =<1.0.5

Matching in nixpkgs:
* pkgs.pairdrop: Local file sharing in your browser (nixos-unstable - nixpkgs-unstable: 1.11.2)
* pkgs.airdrop-cli: Use Airdrop from the CLI on macOS written in Swift (nixos-unstable - nixpkgs-unstable: 0-unstable-2024-04-13)
* pkgs.nodePackages.hs-airdrop: Handshake airdrop redemption (nixos-unstable - nixpkgs-unstable: 0.10.0)
* pkgs.nodePackages_latest.hs-airdrop: Handshake airdrop redemption (nixos-unstable - nixpkgs-unstable: 0.10.0)

Package maintainers: 3
* @Enzime Michael Hoang
* @diogotcorreia Diogo Correia <me@diogotc.com>
* @dit7ya Mostly Void <7rat13@gmail.com>