Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-25148
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    5 packages
    • python312Packages.pyqwikswitch
    • python313Packages.pyqwikswitch
    • python314Packages.pyqwikswitch
    • home-assistant-component-tests.qwikswitch
    • tests.home-assistant-component-tests.qwikswitch
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Qwik SSR XSS via Unsafe Virtual Node Serialization

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0.

Affected products

qwik
  • ==< 1.19.0
Ignored packages (5) 
Not present in nixpkgs.
Permalink CVE-2026-25149
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    5 packages
    • python312Packages.pyqwikswitch
    • python313Packages.pyqwikswitch
    • python314Packages.pyqwikswitch
    • home-assistant-component-tests.qwikswitch
    • tests.home-assistant-component-tests.qwikswitch
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Qwik City Open Redirect via fixTrailingSlash

Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0.

Affected products

qwik
  • ==< 1.19.0
Ignored packages (5) 
Not present in nixpkgs.
Permalink CVE-2026-25155
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    5 packages
    • python312Packages.pyqwikswitch
    • python313Packages.pyqwikswitch
    • python314Packages.pyqwikswitch
    • home-assistant-component-tests.qwikswitch
    • tests.home-assistant-component-tests.qwikswitch
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.

Affected products

qwik
  • ==< 1.12.0
Ignored packages (5) 
Not present in nixpkgs.
Permalink CVE-2025-61646
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse accepted 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Watchlist group mode reveals authors of edits with hidden authorship

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Affected products

MediaWiki
  • <1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)
Permalink CVE-2025-61640
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse accepted 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Stored XSS through system messages in Special:RecentChangesLinked (MW Core)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

Affected products

MediaWiki
  • <1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)
Permalink CVE-2025-6593
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
"{{SITENAME}} registered email address has been changed" email sent to unverified email addresses

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.

Affected products

MediaWiki
  • <1.39.13, 1.42.7 1.43.2, 1.44.0

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)
Permalink CVE-2025-61645
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
CodexTablePager has i18n XSS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.

Affected products

MediaWiki
  • <1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

Stable was never impacted (https://github.com/NixOS/nixpkgs/commit/ebc9ceccc71196b1b32b198377b362dffa3ea30e)
Permalink CVE-2026-25490
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs
Permalink CVE-2026-25483
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.azure-mgmt-commerce
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs
Permalink CVE-2026-25482
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.azure-mgmt-commerce
    • python312Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs