Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-23729
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarDescricao, nomeClasse=ProdutoControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Not present in nixpkgs
Permalink CVE-2026-23723
7.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WeGIA has a Critical SQL Injection in Atendido_ocorrenciaControle via id_memorando parameter

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Not present in nixpkgs.
Permalink CVE-2021-47844
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    24 packages
    • libmaxminddb
    • phpExtensions.maxminddb
    • python312Packages.xmind
    • python313Packages.xmind
    • dotnetPackages.MaxMindDb
    • php81Extensions.maxminddb
    • php82Extensions.maxminddb
    • php83Extensions.maxminddb
    • php84Extensions.maxminddb
    • python312Packages.maxminddb
    • python313Packages.maxminddb
    • dotnetPackages.MaxMindGeoIP2
    • perlPackages.MaxMindDBCommon
    • perl540Packages.MaxMindDBReaderXS
    • perl538Packages.MaxMindDBReaderXS
    • perl540Packages.MaxMindDBWriter
    • perl540Packages.MaxMindDBReader
    • perl540Packages.MaxMindDBCommon
    • perl538Packages.MaxMindDBWriter
    • perl538Packages.MaxMindDBReader
    • perl538Packages.MaxMindDBCommon
    • perlPackages.MaxMindDBWriter
    • perlPackages.MaxMindDBReader
    • perlPackages.MaxMindDBReaderXS
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Xmind 2020 - Persistent Cross-Site Scripting

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening.

Affected products

Xmind
  • ==2020

Matching in nixpkgs

Ignored packages (24)

Package maintainers

Impact an old versions not present in supported nixpkgs branches.
Permalink CVE-2026-22864
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    12 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Affected products

deno
  • ==< 2.5.6

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Ignored packages (12)

Package maintainers

No Windows support
Permalink CVE-2026-23727
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perl540Packages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perlPackages.SnowballNorwegian
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=TipoSaidaControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Package not available in nixpkgs
Permalink CVE-2026-23728
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=DestinoControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Package not available in nixpkgs
Permalink CVE-2025-24022
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    11 packages
    • nvitop
    • psitop
    • gitopper
    • weave-gitops
    • luaPackages.luabitop
    • lua51Packages.luabitop
    • lua52Packages.luabitop
    • luajitPackages.luabitop
    • tailscale-gitops-pusher
    • python312Packages.anitopy
    • python313Packages.anitopy
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
iTop server vulnerable to portal code injection

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.

Affected products

iTop
  • ==>= 3.0.0, < 3.1.3
  • ==>= 3.2.0, < 3.2.1
  • ==< 2.7.12
Ignored packages (11)

pkgs.nvitop

Interactive NVIDIA-GPU process viewer, the one-stop solution for GPU process management

pkgs.psitop

Top for /proc/pressure

Package not shipped in nixpkgs
Permalink CVE-2026-23724
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WeGIA Stored Cross-Site Scripting (XSS) – atendido_idatendido Parameter on Occurrence Registration Page

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Package not available in nixpkgs
Permalink CVE-2026-0695
8.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    23 packages
    • mopsa
    • sipsak
    • sharpsat-td
    • purescript-psa
    • svndumpsanitizer
    • phpPackages.psalm
    • ocamlPackages.mopsa
    • php82Packages.psalm
    • php83Packages.psalm
    • php84Packages.psalm
    • haskellPackages.cpsa
    • python312Packages.tapsaff
    • python313Packages.tapsaff
    • nodePackages.purescript-psa
    • python312Packages.markupsafe
    • python312Packages.psautohint
    • terraform-providers.vpsfreecz_vpsadmin
    • python313Packages.types-markupsafe
    • python312Packages.types-markupsafe
    • nodePackages_latest.purescript-psa
    • terraform-providers.vpsadmin
    • python313Packages.psautohint
    • python313Packages.markupsafe
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
Stored XSS in Time Entry Audit Trail

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.

Affected products

PSA
  • ==All versions prior to 2026.1
Ignored packages (23)

pkgs.mopsa

A Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1

pkgs.svndumpsanitizer

Alternative to svndumpfilter that discovers which nodes should actually be kept

pkgs.ocamlPackages.mopsa

Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1 
Does not impact a package available in nixpkgs
Permalink CVE-2025-14242
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 1 week ago
Vsftpd: vsftpd: denial of service via integer overflow in ls command parameter parsing

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

References

Affected products

vsftpd
  • *

Matching in nixpkgs

pkgs.vsftpd

Very secure FTP daemon

Package maintainers

Only impact a Red hat specific patch not shipped in nixpkgs

https://bugzilla.redhat.com/show_bug.cgi?id=2419826