Nixpkgs security tracker

Permalink CVE-2025-7195

5.2 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): HIGH
Availability impact (A): LOW

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

References

RHSA-2025:21368 x_refsource_REDHATvendor-advisory
RHSA-2025:21885 x_refsource_REDHATvendor-advisory
RHSA-2026:0737 x_refsource_REDHATvendor-advisory
RHSA-2025:22415 x_refsource_REDHATvendor-advisory
RHSA-2025:19961 x_refsource_REDHATvendor-advisory
https://access.redhat.com/security/cve/CVE-2025-7195 vdb-entryx_refsource_REDHAT
RHBZ#2376300 issue-trackingx_refsource_REDHAT
RHSA-2025:22684 x_refsource_REDHATvendor-advisory
RHSA-2025:22420 x_refsource_REDHATvendor-advisory
RHSA-2025:19958 x_refsource_REDHATvendor-advisory
RHSA-2025:23529 x_refsource_REDHATvendor-advisory
RHSA-2025:23542 x_refsource_REDHATvendor-advisory
RHSA-2026:0722 x_refsource_REDHATvendor-advisory
RHSA-2025:19332 x_refsource_REDHATvendor-advisory
RHEA-2025:23478 x_refsource_REDHATvendor-advisory
RHSA-2025:19335 x_refsource_REDHATvendor-advisory
RHSA-2025:23528 x_refsource_REDHATvendor-advisory
RHSA-2025:22418 x_refsource_REDHATvendor-advisory
RHSA-2026:2572 x_refsource_REDHATvendor-advisory
RHEA-2026:0129 x_refsource_REDHATvendor-advisory
RHSA-2025:22683 x_refsource_REDHATvendor-advisory
RHSA-2025:22416 x_refsource_REDHATvendor-advisory
RHSA-2026:0718 x_refsource_REDHATvendor-advisory
RHSA-2026:0627 x_refsource_REDHATvendor-advisory
RHEA-2025:23406 x_refsource_REDHATvendor-advisory
RHBA-2024:11569 x_refsource_REDHATvendor-advisory

Affected products

operator-sdk

<0.15.2

odf4/cephcsi-rhel9

*

odf4/mcg-cli-rhel9

*

odf4/odf-cli-rhel9

*

odf4/mcg-core-rhel9

*

odf4/odf-console-rhel9

*

odf4/mcg-rhel9-operator

*

odf4/ocs-rhel9-operator

*

odf4/odf-rhel9-operator

*

odf4/odr-rhel9-operator

*

odf4/odf-must-gather-rhel9

*

openshift4/cnf-tests-rhel8

openshift4/cnf-tests-rhel9

odf4/cephcsi-rhel9-operator

*

odf4/odf-cosi-sidecar-rhel9

*

odf4/ocs-client-console-rhel9

*

odf4/rook-ceph-rhel9-operator

*

rhacm2/rbac-query-proxy-rhel9

rhacm2/search-collector-rhel9

multicluster-engine/work-rhel8

multicluster-engine/work-rhel9

*

odf4/ocs-client-rhel9-operator

*

rhacm2/metrics-collector-rhel9

odf4/ocs-metrics-exporter-rhel9

*

apicurio/apicurio-registry-rhel8

*

apicurio/apicurio-studio-ui-rhel8

*

odf4/odf-csi-addons-sidecar-rhel9

*

odf4/odf-csi-addons-rhel9-operator

*

openshift4/ztp-site-generate-rhel8

rhacm2/iam-policy-controller-rhel9

apicurio/apicurio-registry-ui-rhel8

*

fuse7/fuse-apicurito-rhel8-operator

multicluster-engine/discovery-rhel8

multicluster-engine/discovery-rhel9

*

multicluster-engine/placement-rhel8

multicluster-engine/placement-rhel9

*

odf4/odf-multicluster-console-rhel9

*

rhacm2/acm-cluster-permission-rhel8

rhacm2/acm-cluster-permission-rhel9

*

rhacm2/cert-policy-controller-rhel9

odf4/odf-multicluster-rhel9-operator

*

rhacm2/cluster-backup-rhel9-operator

*

rhacm2/multicloud-integrations-rhel8

rhacm2/multicloud-integrations-rhel9

*

web-terminal/web-terminal-exec-rhel9

rhacm2/config-policy-controller-rhel9

rhacm2/grafana-dashboard-loader-rhel9

multicluster-engine/registration-rhel8

multicluster-engine/registration-rhel9

*

multicluster-engine/addon-manager-rhel8

multicluster-engine/addon-manager-rhel9

*

devworkspace/devworkspace-rhel8-operator

devworkspace/devworkspace-rhel9-operator

rhacm2/klusterlet-addon-controller-rhel8

rhacm2/klusterlet-addon-controller-rhel9

*

web-terminal/web-terminal-rhel9-operator

apicurio/apicurio-registry-rhel8-operator

*

rhacm2/endpoint-monitoring-rhel9-operator

rhacm2/governance-policy-propagator-rhel9

openshift4/lifecycle-agent-operator-bundle

rhacm2/multicluster-operators-channel-rhel8

rhacm2/multicluster-operators-channel-rhel9

*

apicurio/apicurio-registry-3-operator-bundle

*

devworkspace/devworkspace-project-clone-rhel8

devworkspace/devworkspace-project-clone-rhel9

advanced-cluster-security/rhacs-rhel8-operator

compliance/openshift-compliance-rhel8-operator

*

container-native-virtualization/virt-api-rhel9

*

container-native-virtualization/pr-helper-rhel9

*

multicluster-engine/registration-operator-rhel8

multicluster-engine/registration-operator-rhel9

*

rhacm2/multicluster-operators-application-rhel8

rhacm2/multicluster-operators-application-rhel9

*

container-native-virtualization/aaq-server-rhel9

*

container-native-virtualization/virtio-win-rhel9

*

container-native-virtualization/wasp-agent-rhel9

*

rhacm2/multicluster-observability-rhel9-operator

rhacm2/multicluster-operators-subscription-rhel9

*

container-native-virtualization/kubemacpool-rhel9

*

compliance/openshift-file-integrity-rhel8-operator

*

container-native-virtualization/aaq-operator-rhel9

*

container-native-virtualization/sidecar-shim-rhel9

*

container-native-virtualization/virt-handler-rhel9

*

rhacm2/acm-governance-policy-framework-addon-rhel9

compliance/openshift-file-integrity-operator-bundle

container-native-virtualization/bridge-marker-rhel9

*

container-native-virtualization/virt-launcher-rhel9

*

container-native-virtualization/virt-operator-rhel9

*

multicluster-engine/hypershift-addon-rhel8-operator

multicluster-engine/hypershift-addon-rhel9-operator

container-native-virtualization/aaq-controller-rhel9

*

container-native-virtualization/ovs-cni-plugin-rhel9

*

container-native-virtualization/cnv-must-gather-rhel9

*

container-native-virtualization/virt-cdi-cloner-rhel9

*

container-native-virtualization/virt-controller-rhel9

*

container-native-virtualization/kubesecondarydns-rhel9

*

container-native-virtualization/libguestfs-tools-rhel9

*

container-native-virtualization/virt-exportproxy-rhel9

*

container-native-virtualization/vm-console-proxy-rhel9

*

container-native-virtualization/virt-cdi-importer-rhel9

*

container-native-virtualization/virt-cdi-operator-rhel9

*

container-native-virtualization/virt-exportserver-rhel9

*

container-native-virtualization/virt-cdi-apiserver-rhel9

*

multicluster-engine/clusterlifecycle-state-metrics-rhel8

multicluster-engine/clusterlifecycle-state-metrics-rhel9

*

container-native-virtualization/hco-bundle-registry-rhel9

*

container-native-virtualization/hostpath-csi-driver-rhel9

*

container-native-virtualization/virt-cdi-controller-rhel9

*

multicluster-globalhub/multicluster-globalhub-agent-rhel9

container-native-virtualization/hostpath-provisioner-rhel9

*

container-native-virtualization/virt-cdi-uploadproxy-rhel9

*

multicluster-engine/managedcluster-import-controller-rhel8

multicluster-engine/managedcluster-import-controller-rhel9

*

container-native-virtualization/kubevirt-dpdk-checkup-rhel9

*

container-native-virtualization/kubevirt-ssp-operator-rhel9

*

container-native-virtualization/virt-artifacts-server-rhel9

*

container-native-virtualization/virt-cdi-uploadserver-rhel9

*

multicluster-globalhub/multicluster-globalhub-manager-rhel9

openshift4/topology-aware-lifecycle-manager-operator-bundle

multicluster-globalhub/multicluster-globalhub-rhel9-operator

container-native-virtualization/kubevirt-console-plugin-rhel9

*

container-native-virtualization/multus-dynamic-networks-rhel9

*

multicluster-globalhub/multicluster-globalhub-operator-bundle

container-native-virtualization/kubevirt-apiserver-proxy-rhel9

*

container-native-virtualization/kubevirt-ipam-controller-rhel9

*

container-native-virtualization/kubevirt-storage-checkup-rhel9

*

container-native-virtualization/cluster-network-addons-operator

container-native-virtualization/kubevirt-realtime-checkup-rhel9

*

container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm

container-native-virtualization/vm-network-latency-checkup-rhel9

*

container-native-virtualization/kubevirt-template-validator-rhel9

*

container-native-virtualization/hostpath-provisioner-operator-rhel9

*

container-native-virtualization/kubevirt-common-instancetypes-rhel9

*

container-native-virtualization/hyperconverged-cluster-webhook-rhel9

*

container-native-virtualization/cluster-network-addons-operator-rhel9

*

container-native-virtualization/cnv-containernetworking-plugins-rhel9

*

container-native-virtualization/hyperconverged-cluster-operator-rhel9

*

container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm-rhel9

container-native-virtualization/passt-network-binding-plugin-cni-rhel9

*

container-native-virtualization/kubevirt-api-lifecycle-automation-rhel9

*

container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status

container-native-virtualization/passt-network-binding-plugin-sidecar-rhel9

*

container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9

*

container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9

*

container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status-rhel9

Matching in nixpkgs

pkgs.operator-sdk

SDK for building Kubernetes applications. Provides high level APIs, useful abstractions, and project scaffolding

nixos-unstable 1.39.2
- nixpkgs-unstable 1.39.2
- nixos-unstable-small 1.39.2

Package maintainers

@arnarg Arnar Ingason <arnarg@fastmail.com>

First version introduced in nixpkgs is 0.18.2 (https://github.com/NixOS/nixpkgs/commit/5458f54a8301f59a8acf5d42856d84f8019efd8d).

Permalink CVE-2025-69031

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored
2 packages
- arcanechat-tui
- deltachat-cursed
3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress Arcane theme <= 3.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arcane: from n/a through <= 3.6.6.

References

Affected products

arcane

=<<= 3.6.6

Ignored packages (2)

pkgs.arcanechat-tui

Lightweight Delta Chat client

nixos-unstable 0.11.1
- nixpkgs-unstable 0.11.1
- nixos-unstable-small 0.11.1

pkgs.deltachat-cursed

Lightweight Delta Chat client

nixos-unstable 0.11.1
- nixpkgs-unstable 0.11.1
- nixos-unstable-small 0.11.1

WP theme not present in nixpkgs

Permalink CVE-2025-68985

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored
2 packages
- typstPackages.aoran
- typstPackages.aoran_0_1_0
3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress Aora theme <= 1.3.15 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion.This issue affects Aora: from n/a through <= 1.3.15.

References

Affected products

aora

=<<= 1.3.15

WP theme not present in nixpkgs

Permalink CVE-2025-69331

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored package haskellPackages.theatre-dev 3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19.

References

Affected products

theatre

=<<= 0.19

Ignored packages (1)

pkgs.haskellPackages.theatre-dev

Minimalistic actor library experiments

nixos-unstable 0.5.0.1
- nixpkgs-unstable 0.5.0.1
- nixos-unstable-small 0.5.0.1

WP plugin not present in nixpkgs

Permalink CVE-2025-63070

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored package lomiri.lomiri-download-manager 3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data.This issue affects Download Manager: from n/a through <= 3.3.32.

References

Affected products

download-manager

=<<= 3.3.32

Ignored packages (1)

pkgs.lomiri.lomiri-download-manager

Performs uploads and downloads from a centralized location

nixos-unstable 0.2.2
- nixpkgs-unstable 0.2.2
- nixos-unstable-small 0.2.2

WP plugin not present in nixpkgs

Permalink CVE-2025-62103

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored package media-downloader 3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress Media Library File Download plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download media-download allows Cross Site Request Forgery.This issue affects Media Library File Download: from n/a through <= 1.4.

References

Affected products

media-download

=<<= 1.4

Ignored packages (1)

pkgs.media-downloader

Qt/C++ GUI front end for yt-dlp and others

nixos-unstable 5.4.6
- nixpkgs-unstable 5.4.6
- nixos-unstable-small 5.4.6

WP plugin not present in nixpkgs

Permalink CVE-2025-66533

7.8 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored package filegive 3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress GiveWP plugin <= 4.13.1 - Arbitrary Shortocde Execution vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection.This issue affects GiveWP: from n/a through <= 4.13.1.

References

Affected products

give

=<<= 4.13.1

Ignored packages (1)

pkgs.filegive

Easy p2p file sending program

nixos-unstable 2022-05-29
- nixpkgs-unstable 2022-05-29
- nixos-unstable-small 2022-05-29

WP plugin not present in nixpkgs

Permalink CVE-2025-67549

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored
2 packages
- libvoikko
- voikko-fi
3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress oik plugin <= 4.15.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS.This issue affects oik: from n/a through <= 4.15.3.

References

Affected products

oik

=<<= 4.15.3

Ignored packages (2)

pkgs.libvoikko

Finnish language processing library

nixos-unstable 4.3.3
- nixpkgs-unstable 4.3.3
- nixos-unstable-small 4.3.3

pkgs.voikko-fi

Description of Finnish morphology written for libvoikko

nixos-unstable 2.5
- nixpkgs-unstable 2.5
- nixos-unstable-small 2.5

WP plugin not present in nixpkgs

Permalink CVE-2025-60042

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored package vscode-extensions.chrischinchilla.vscode-pandoc 3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress Chinchilla theme <= 1.16 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion.This issue affects Chinchilla: from n/a through <= 1.16.

References

Affected products

chinchilla

=<<= 1.16

Ignored packages (1)

pkgs.vscode-extensions.chrischinchilla.vscode-pandoc

Converts Markdown files to pdf, docx, or html files using pandoc

nixos-unstable 0.6.2
- nixpkgs-unstable 0.6.2
- nixos-unstable-small 0.6.2

WP theme not present in nixpkgs

Permalink CVE-2025-53439

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 2 weeks ago
@LeSuisse ignored
2 packages
- vscode-extensions.elijah-potter.harper
- harper
3 months, 2 weeks ago
@LeSuisse dismissed 3 months, 2 weeks ago

WordPress Harper theme <= 1.13 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion.This issue affects Harper: from n/a through <= 1.13.

References

Affected products

harper

=<<= 1.13

Ignored packages (2)

pkgs.harper

Grammar Checker for Developers

nixos-unstable 0.71.0
- nixpkgs-unstable 0.71.0
- nixos-unstable-small 0.71.0

pkgs.vscode-extensions.elijah-potter.harper

The grammar checker for developers as a Visual Studio Code extension

nixos-unstable 0.71.0
- nixpkgs-unstable 0.71.0
- nixos-unstable-small 0.71.0

WP theme not present in nixpkgs

Dismissed suggestions

References

Affected products

Matching in nixpkgs

pkgs.operator-sdk

Package maintainers

References

Affected products

pkgs.arcanechat-tui

pkgs.deltachat-cursed

References

Affected products

References

Affected products

pkgs.haskellPackages.theatre-dev

References

Affected products

pkgs.lomiri.lomiri-download-manager

References

Affected products

pkgs.media-downloader

References

Affected products

pkgs.filegive

References

Affected products

pkgs.libvoikko

pkgs.voikko-fi

References

Affected products

pkgs.vscode-extensions.chrischinchilla.vscode-pandoc

References

Affected products

pkgs.harper

pkgs.vscode-extensions.elijah-potter.harper