Nixpkgs security tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2026-23553
2.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 4 weeks ago by @SigmaSquadron Activity log
  • Created suggestion
  • @SigmaSquadron dismissed
x86: incomplete IBPB for vCPU isolation

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.

Affected products

Xen
  • consult Xen advisory XSA-479

Matching in nixpkgs

pkgs.xen

Type-1 hypervisor intended for embedded and hyperscale use cases

pkgs.xenon

Monitoring tool based on radon

pkgs.hhexen

Linux port of Raven Game's Hexen

pkgs.uhexen2

Cross-platform port of Hexen II game

pkgs.qemu_xen

Generic and open source machine emulator and virtualizer

pkgs.xenomapper

Utility for post processing mapped reads that have been aligned to a primary genome and a secondary genome and binning reads into species specific, multimapping in each species, unmapped and unassigned bins

pkgs.nxengine-evo

Complete open-source clone/rewrite of the masterpiece jump-and-run platformer Doukutsu Monogatari (also known as Cave Story)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

Package maintainers

Already fixed.
CVE-2025-55292
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    47 packages
    • python313Packages.ha-silabs-firmware-client
    • ghidra-extensions.ghidra-firmware-utils
    • azure-cli-extensions.firmwareanalysis
    • ath9k-htc-blobless-firmware-unstable
    • python313Packages.virt-firmware
    • python312Packages.virt-firmware
    • armTrustedFirmwareAllwinnerH6
    • armTrustedFirmwareAllwinnerH616
    • nitrokey-storage-firmware
    • armTrustedFirmwareAllwinner
    • ath9k-htc-blobless-firmware
    • raspberrypiWirelessFirmware
    • nitrokey-trng-rs232-firmware
    • armTrustedFirmwareRK3568
    • armTrustedFirmwareRK3588
    • armTrustedFirmwareRK3399
    • armTrustedFirmwareRK3328
    • sigrok-firmware-fx2lafw
    • nitrokey-start-firmware
    • b43Firmware_5_1_138
    • facetimehd-firmware
    • intel2200BGFirmware
    • xow_dongle-firmware
    • broadcom-bt-firmware
    • uefi-firmware-parser
    • nitrokey-pro-firmware
    • armTrustedFirmwareQemu
    • armTrustedFirmwareS905
    • libreelec-dvb-firmware
    • armTrustedFirmwareTools
    • b43Firmware_6_30_163_46
    • nitrokey-fido2-firmware
    • rtl8192su-firmware
    • system76-firmware
    • rtl8761b-firmware
    • klipper-firmware
    • firmware-updater
    • armbian-firmware
    • firmware-manager
    • zd1211fw
    • sof-firmware
    • alsa-firmware
    • ivsc-firmware
    • raspberrypifw
    • gnome-firmware
    • linux-firmware
    • rt5677-firmware
  • @LeSuisse dismissed
In Meshtastic, an attacker can spoof licensed amateur flag for a node

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by its NodeID, generated from the MAC address, rather than by its public key. This downgrades security, specifically by abusing the HAM mode, which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will lead the other nodes on the mesh to accept the new information and overwrite their NodeDB. The other nodes will then only be able to send direct messages to the victim using the shared channel key instead of PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.

Affected products

firmware
  • <= 2.6.2
Ignored packages (47)

pkgs.zd1211fw

Firmware for the ZyDAS ZD1211(b) 802.11a/b/g USB WLAN chip

  • nixos-unstable 1.5
    • nixpkgs-unstable 1.5
    • nixos-unstable-small 1.5

pkgs.uefi-firmware-parser

Tool for parsing, extracting, and recreating UEFI firmware volumes

  • nixos-unstable 1.12
    • nixpkgs-unstable 1.12
    • nixos-unstable-small 1.12
Not present in nixpkgs
CVE-2026-23889
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package pnpm-shell-completion
  • @LeSuisse dismissed
pnpm has Windows-specific tarball Path Traversal

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.

Affected products

pnpm
  • < 10.28.1

Matching in nixpkgs

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_10

Fast, disk space efficient package manager for JavaScript

Ignored packages (1)

Package maintainers

No Windows support.
CVE-2025-64368
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package bombardier
  • @LeSuisse dismissed
WordPress Bard theme <= 1.6 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes Bard bardwp allows Cross Site Request Forgery. This issue affects Bard: from n/a through <= 1.6.

Affected products

bardwp
  • <= 1.6
Ignored packages (1)

pkgs.bombardier

Fast cross-platform HTTP benchmarking tool written in Go

WP theme not present in nixpkgs
CVE-2025-68508
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package brave
  • @LeSuisse dismissed
WordPress Brave plugin <= 0.8.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brave Brave brave-popup-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Brave: from n/a through <= 0.8.3.

Affected products

brave-popup-builder
  • <= 0.8.3
Ignored packages (1)

pkgs.brave

Privacy-oriented browser for Desktop and Laptop computers

WP plugin not present in nixpkgs
CVE-2025-62962
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • python313Packages.types-aiobotocore-cloudsearchdomain
    • python312Packages.types-aiobotocore-cloudsearchdomain
    • python313Packages.types-aiobotocore-cloudsearch
    • python312Packages.types-aiobotocore-cloudsearch
    • python313Packages.mypy-boto3-cloudsearchdomain
    • python312Packages.mypy-boto3-cloudsearchdomain
    • haskellPackages.amazonka-cloudsearch-domains
    • python313Packages.mypy-boto3-cloudsearch
    • python312Packages.mypy-boto3-cloudsearch
    • haskellPackages.amazonka-cloudsearch
    • haskellPackages.gogol-cloudsearch
  • @LeSuisse dismissed
WordPress CloudSearch plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Andrea Landonio CloudSearch cloud-search allows Stored XSS. This issue affects CloudSearch: from n/a through <= 3.0.0.

Affected products

cloud-search
  • <= 3.0.0
Ignored packages (11)
WP plugin not present in nixpkgs
CVE-2021-47857
7.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • moodle-dl
    • moodle
  • @LeSuisse dismissed
Moodle 3.10.3 - 'label' Persistent Cross Site Scripting

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

Affected products

Moodle
  • 3.10.3
Ignored packages (2)

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

Current stable and unstable branches not impacted
CVE-2026-23524
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • hybridreverb2
    • dragonfly-reverb
  • @LeSuisse dismissed
Laravel Redis Horizontal Scaling Insecure Deserialization

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

Affected products

reverb
  • < 1.7.0
Ignored packages (2)
Not present in nixpkgs
CVE-2026-23975
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • ligolo-ng
    • xfce.gigolo
  • @LeSuisse dismissed
WordPress Golo theme < 1.7.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion. This issue affects Golo: from n/a through < 1.7.5.

Affected products

golo
  • < 1.7.5
Ignored packages (2)

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

WP theme not packaged in nixpkgs
CVE-2025-68008
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package wordpressPackages.plugins.wp-mail-smtp
  • @LeSuisse dismissed
WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3.

Affected products

wp-mail
  • <= 1.3
Ignored packages (1)
`wp-mail` plugin not packaged in nixpkgs