Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-22864
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 1 week ago
  • @LeSuisse ignored
    12 packages
    • speech-denoiser
    • openimagedenoise
    • terraform-providers.deno
    • python312Packages.denonavr
    • python313Packages.denonavr
    • haskellPackages.pandoc-sidenote
    • terraform-providers.denoland_deno
    • gnomeExtensions.denon-avr-controler
    • python312Packages.bnunicodenormalizer
    • python313Packages.bnunicodenormalizer
    • vscode-extensions.denoland.vscode-deno
    • home-assistant-component-tests.denonavr
    4 months, 1 week ago
  • @LeSuisse dismissed 4 months, 1 week ago
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Affected products

deno
  • ==< 2.5.6

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Ignored packages (12)

Package maintainers

No Windows support
Permalink CVE-2026-23727
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perl540Packages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perlPackages.SnowballNorwegian
    4 months, 1 week ago
  • @LeSuisse dismissed 4 months, 1 week ago
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=TipoSaidaControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Package not available in nixpkgs
Permalink CVE-2026-23728
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
    4 months, 1 week ago
  • @LeSuisse dismissed 4 months, 1 week ago
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=DestinoControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Package not available in nixpkgs
Permalink CVE-2025-24022
8.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 1 week ago
  • @LeSuisse ignored
    11 packages
    • nvitop
    • psitop
    • gitopper
    • weave-gitops
    • luaPackages.luabitop
    • lua51Packages.luabitop
    • lua52Packages.luabitop
    • luajitPackages.luabitop
    • tailscale-gitops-pusher
    • python312Packages.anitopy
    • python313Packages.anitopy
    4 months, 1 week ago
  • @LeSuisse dismissed 4 months, 1 week ago
iTop server vulnerable to portal code injection

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.

Affected products

iTop
  • ==< 2.7.12
  • ==>= 3.0.0, < 3.1.3
  • ==>= 3.2.0, < 3.2.1
Ignored packages (11)

pkgs.nvitop

Interactive NVIDIA-GPU process viewer, the one-stop solution for GPU process management

pkgs.psitop

Top for /proc/pressure

Package not shipped in nixpkgs
Permalink CVE-2026-23724
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
    4 months, 1 week ago
  • @LeSuisse dismissed 4 months, 1 week ago
WeGIA Stored Cross-Site Scripting (XSS) – atendido_idatendido Parameter on Occurrence Registration Page

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Package not available in nixpkgs
Permalink CVE-2026-0695
8.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 1 week ago
  • @LeSuisse ignored
    23 packages
    • mopsa
    • sipsak
    • sharpsat-td
    • purescript-psa
    • svndumpsanitizer
    • phpPackages.psalm
    • ocamlPackages.mopsa
    • php82Packages.psalm
    • php83Packages.psalm
    • php84Packages.psalm
    • haskellPackages.cpsa
    • python312Packages.tapsaff
    • python313Packages.tapsaff
    • nodePackages.purescript-psa
    • python312Packages.markupsafe
    • python312Packages.psautohint
    • terraform-providers.vpsfreecz_vpsadmin
    • python313Packages.types-markupsafe
    • python312Packages.types-markupsafe
    • nodePackages_latest.purescript-psa
    • terraform-providers.vpsadmin
    • python313Packages.psautohint
    • python313Packages.markupsafe
    4 months, 1 week ago
  • @LeSuisse dismissed 4 months, 1 week ago
Stored XSS in Time Entry Audit Trail

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.

Affected products

PSA
  • ==All versions prior to 2026.1
Ignored packages (23)

pkgs.mopsa

A Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1

pkgs.svndumpsanitizer

Alternative to svndumpfilter that discovers which nodes should actually be kept

pkgs.ocamlPackages.mopsa

Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1 
Does not impact a package available in nixpkgs
Permalink CVE-2025-14242
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 1 week ago
  • @LeSuisse dismissed 4 months, 1 week ago
Vsftpd: vsftpd: denial of service via integer overflow in ls command parameter parsing

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

References

Affected products

vsftpd
  • *

Matching in nixpkgs

pkgs.vsftpd

Very secure FTP daemon

Package maintainers

Only impact a Red hat specific patch not shipped in nixpkgs

https://bugzilla.redhat.com/show_bug.cgi?id=2419826
Permalink CVE-2025-59029
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 1 week ago
Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.

Affected products

pdns-recursor
  • <5.3.2

Matching in nixpkgs

Package maintainers

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html

5.2.x branch is not impacted.
Permalink CVE-2025-62762
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @SigmaSquadron Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @SigmaSquadron ignored package haskellPackages.smtp-mail 4 months, 2 weeks ago
  • @SigmaSquadron deleted maintainer @mpscholten 4 months, 2 weeks ago maintainer.delete
  • @SigmaSquadron accepted 4 months, 2 weeks ago
  • @SigmaSquadron dismissed 4 months, 2 weeks ago
WordPress SMTP Mail plugin <= 1.3.47 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery.This issue affects SMTP Mail: from n/a through <= 1.3.47.

Affected products

smtp-mail
  • =<<= 1.3.47
Ignored packages (1) 
This is actually related to wordpressPackages.plugins.wp-mail-smtp, which has no maintainers, and it seems that the version in Nixpkgs is unaffected.
Permalink CVE-2025-67467
4.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @SigmaSquadron Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @SigmaSquadron dismissed 4 months, 2 weeks ago
WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery.This issue affects GiveWP: from n/a through <= 4.13.1.

Affected products

give
  • =<<= 4.13.1

Matching in nixpkgs

We do not package that specific WP plugin.