Nixpkgs security tracker

Dismissed

Permalink CVE-2025-61636

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 1 week ago

Codex Special:Block vulnerable to message key XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T394396

Affected products

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Current stable was never impacted.

https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e

Dismissed

Permalink CVE-2025-61637

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

Stored XSS through system messages in MW Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T394856

Affected products

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Current stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Dismissed

Permalink CVE-2025-61638

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse ignored
2 packages
- nodePackages.parsoid
- nodePackages_latest.parsoid
4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

Sanitizer::validateAttributes data-XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1.

References

https://phabricator.wikimedia.org/T401099

Affected products

Parsoid

<0.16.6, 0.20.4, 0.21.1

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Ignored packages (2)

pkgs.nodePackages.parsoid

None

pkgs.nodePackages_latest.parsoid

None

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Current stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Dismissed

Permalink CVE-2025-6590

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

Complete content leak of private wikis due to PasswordReset Wikitext injection in error message

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0.

References

https://phabricator.wikimedia.org/T392746

Affected products

MediaWiki

=<1.39.12, 1.42.76 1.43.1, 1.44.0

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Dismissed

Permalink CVE-2025-61642

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

Stored XSS through system messages provided to CodexHtmlForms

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T402313

Affected products

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Dismissed

Permalink CVE-2025-61646

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

Watchlist group mode reveals authors of edits with hidden authorship

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T398706

Affected products

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.0
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Dismissed

Permalink CVE-2025-61640

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

Stored XSS through system messages in Special:RecentChangesLinked (MW Core)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T402075

Affected products

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Dismissed

Permalink CVE-2025-6593

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

"{{SITENAME}} registered email address has been changed" email sent to unverified email addresses

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

References

https://phabricator.wikimedia.org/T396230

Affected products

MediaWiki

<1.39.13, 1.42.7 1.43.2, 1.44.0

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Dismissed

Permalink CVE-2025-61645

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse dismissed 4 months, 2 weeks ago

CodexTablePager has i18n XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.

References

https://phabricator.wikimedia.org/T403761

Affected products

MediaWiki

<1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.0
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)

Published

Permalink CVE-2025-67481

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse published on GitHub 4 months, 2 weeks ago

mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

References

https://phabricator.wikimedia.org/T251032

Affected products

MediaWiki

<1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.0
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

pkgs.nodePackages.parsoid

pkgs.nodePackages_latest.parsoid

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers