Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-11561
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Sssd: sssd default kerberos configuration allows privilege escalation on ad-joined linux systems

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, SSSD does not enable the Kerberos local authentication plugin (sssd_krb5_localauth_plugin), allowing an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users. This can result in unauthorized access or privilege escalation on domain-joined Linux hosts.

References

Affected products

sssd
  • *
  • =<2.11.1
rhcos
  • *
rhceph/rhceph-7-rhel9
  • *
rhceph/rhceph-8-rhel9
  • *

Matching in nixpkgs

pkgs.sssd

System Security Services Daemon

Package maintainers

Never impacted the current stable branch

https://github.com/NixOS/nixpkgs/commit/167ebcf138339399754f7a19991d47bc64e76e9d
Permalink CVE-2025-10282
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package hebbot 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
GitLab Domain Confusion in gitlab Leaks API Key

BBOT's gitlab module could be abused to disclose a GitLab API key to an attacker controlled server with a malicious formatted git URL.

Affected products

bbot
  • =<2.6.1
Ignored packages (1) 
Software not present in nixpkgs
Permalink CVE-2025-10284
9.6 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package hebbot 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Improper Archive Extraction in unarchive Enables RCE

BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code execution.

Affected products

bbot
  • =<2.6.1
Ignored packages (1) 
Software not present in nixpkgs
Permalink CVE-2025-10283
9.6 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package hebbot 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Improper .git Sanitization in gitdumper Enables RCE

BBOT's gitdumper module could be abused to execute commands through a malicious git repository.

Affected products

bbot
  • =<2.6.1
Ignored packages (1) 
Software not present in nixpkgs
Permalink CVE-2025-11568
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Luksmeta: data corruption when handling luks1 partitions with luksmeta

A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format. An attacker with the necessary permissions can exploit this flaw by writing a large amount of metadata to an encrypted device. The utility fails to correctly validate the available space, causing the metadata to overwrite and corrupt the user's encrypted data. This action leads to a permanent loss of the stored information. Devices using the LUKS formats other than LUKS1 are not affected by this issue.

References

Affected products

rhcos
luksmeta
  • *
  • <10

Matching in nixpkgs

pkgs.luksmeta

Simple library for storing metadata in the LUKSv1 header

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Current stable never impacted.

https://github.com/NixOS/nixpkgs/commit/12b91943b41c223e7c6be3897ebb7ff543c9f38b
Permalink CVE-2025-62068
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package haskellPackages.line2pdf 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress e2pdf plugin <= 1.28.09 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf e2pdf e2pdf.This issue affects e2pdf: from n/a through <= 1.28.09.

Affected products

e2pdf
  • =<<= 1.28.09
Ignored packages (1) 
Software not present in nixpkgs
Permalink CVE-2025-62402
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

Affected products

apache-airflow
  • <3.1.1

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Only impact > 3.0
Permalink CVE-2025-66388
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 1 week ago
Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Affected products

apache-airflow
  • <3.1.4

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Only impact the 3.1.x branch.
Permalink CVE-2025-68438
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Affected products

apache-airflow
  • <3.1.6

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Only impact the 3.1.x branch
Permalink CVE-2025-68924
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    32 packages
    • wordpressPackages.plugins.hcaptcha-for-forms-and-more
    • chickenPackages_5.chickenEggs.sxml-transforms
    • python313Packages.django-formset-js-improved
    • python312Packages.django-formset-js-improved
    • home-assistant-component-tests.modern_forms
    • wordpressPackages.plugins.wpforms-lite
    • nodePackages_latest.@tailwindcss/forms
    • python313Packages.django-crispy-forms
    • python312Packages.django-crispy-forms
    • python313Packages.wtforms-bootstrap5
    • python313Packages.wtforms-sqlalchemy
    • python312Packages.wtforms-sqlalchemy
    • python312Packages.wtforms-bootstrap5
    • python313Packages.permissionedforms
    • python312Packages.permissionedforms
    • inkscape-extensions.applytransforms
    • haskellPackages.unicode-transforms
    • python313Packages.craft-platforms
    • python312Packages.craft-platforms
    • python313Packages.aiomodernforms
    • python313Packages.beanhub-forms
    • python312Packages.aiomodernforms
    • python312Packages.beanhub-forms
    • haskellPackages.unsafeperformst
    • nodePackages.@tailwindcss/forms
    • python313Packages.transforms3d
    • python312Packages.transforms3d
    • python313Packages.nitransforms
    • python312Packages.nitransforms
    • python313Packages.wtforms
    • python312Packages.wtforms
    • platformsh
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply …

In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

Affected products

Forms
  • =<8.13.16
Ignored packages (32)

pkgs.platformsh

Unified tool for managing your Platform.sh services from the command line

Impacted software not present in nixpkgs