Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-59029
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.

Affected products

pdns-recursor
  • <5.3.2

Matching in nixpkgs

Package maintainers

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html

5.2.x branch is not impacted.
Permalink CVE-2025-62762
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @SigmaSquadron Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @SigmaSquadron ignored package haskellPackages.smtp-mail 3 months, 2 weeks ago
  • @SigmaSquadron deleted maintainer @mpscholten 3 months, 2 weeks ago maintainer.delete
  • @SigmaSquadron accepted 3 months, 2 weeks ago
  • @SigmaSquadron dismissed 3 months, 2 weeks ago
WordPress SMTP Mail plugin <= 1.3.47 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery.This issue affects SMTP Mail: from n/a through <= 1.3.47.

Affected products

smtp-mail
  • =<<= 1.3.47
Ignored packages (1) 
This is actually related to wordpressPackages.plugins.wp-mail-smtp, which has no maintainers, and it seems that the version in Nixpkgs is unaffected.
Permalink CVE-2025-67467
4.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @SigmaSquadron Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @SigmaSquadron dismissed 3 months, 2 weeks ago
WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery.This issue affects GiveWP: from n/a through <= 4.13.1.

Affected products

give
  • =<<= 4.13.1

Matching in nixpkgs

We do not package that specific WP plugin.
Permalink CVE-2025-66527
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @SigmaSquadron Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @SigmaSquadron dismissed 3 months, 2 weeks ago
WordPress Lobo theme <= 2.8.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lobo: from n/a through <= 2.8.6.

Affected products

lobo
  • =<<= 2.8.6

Matching in nixpkgs

Package maintainers

We do not package the Lobo theme.
Permalink CVE-2025-58936
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored package catamaran 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Catamaran theme <= 1.15 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion.This issue affects Catamaran: from n/a through <= 1.15.

Affected products

catamaran
  • =<<= 1.15
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-58929
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored package haskellPackages.pantry 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Pantry theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion.This issue affects Pantry: from n/a through <= 1.4.

Affected products

pantry
  • =<<= 1.4
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-60061
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored package elfkickers 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Kicker theme <= 2.2.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Kicker kicker allows PHP Local File Inclusion.This issue affects Kicker: from n/a through <= 2.2.0.

Affected products

kicker
  • =<<= 2.2.0
Ignored packages (1)

pkgs.elfkickers

Collection of programs that access and manipulate ELF files

  • nixos-unstable 3.2
    • nixpkgs-unstable 3.2
    • nixos-unstable-small 3.2 
WP theme not present in nixpkgs
Permalink CVE-2025-53449
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored package haskellPackages.convexHullNd 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Convex theme <= 1.11 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion.This issue affects Convex: from n/a through <= 1.11.

Affected products

convex
  • =<<= 1.11
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-14542
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored package strutcpp 3 months, 2 weeks ago
  • @LeSuisse deleted maintainer @SchweGELBin 3 months, 2 weeks ago maintainer.delete
  • @LeSuisse dismissed 3 months, 2 weeks ago
Command execution in python-utcp allows attackers to achieve remote code execution when fetching a remote Manual from a malicious endpoint

The vulnerability arises when a client fetches a tools’ JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the clients’ trust, a malicious provider can later change the manual to exploit the client.

Affected products

utcp
  • <1.1.0
Ignored packages (1) 
`python-utcp` is not packaged in nixpkgs.
Permalink CVE-2025-5467
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored package haskellPackages.apportionment 3 months, 2 weeks ago
  • @LeSuisse deleted maintainer @thielema 3 months, 2 weeks ago maintainer.delete
  • @LeSuisse dismissed 3 months, 2 weeks ago
Ubuntu Apport Insecure File Permissions Vulnerability

It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.

Affected products

apport
  • <2.33.0-0ubuntu1
  • <2.28.1-0ubuntu3.6
  • <2.20.1-0ubuntu2.30+esm5
  • <2.20.9-0ubuntu7.29+esm1
  • <2.20.11-0ubuntu27.28
  • <2.20.11-0ubuntu82.7
  • <2.32.0-0ubuntu5.1
Ignored packages (1) 
`apport` is not packaged in nixpkgs.