Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-25487
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs
Permalink CVE-2026-25484
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored XSS in Product Type Name

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs
Permalink CVE-2026-25488
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs
Permalink CVE-2026-25489
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs
Permalink CVE-2025-67480
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
list=allrevisions can be used to bypass Extension:Lockdown

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

This extension does not seem present in nixpkgs
Permalink CVE-2019-25261
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
AnyDesk 5.4.0 - Unquoted Service Path

AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges.

Affected products

AnyDesk
  • ==5.4.0

Matching in nixpkgs

pkgs.anydesk

Desktop sharing application, providing remote support and online meetings

Current stable branch was never impacted.
Permalink CVE-2026-24982
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • spectra
    • spectral-language-server
    • python312Packages.spectra
    • python313Packages.spectra
    • python314Packages.spectra
    • python312Packages.spectral-cube
    • python313Packages.spectral-cube
    • python314Packages.spectral-cube
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Spectra plugin <= 2.19.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.17.

Affected products

ultimate-addons-for-gutenberg
  • =<<= 2.19.17
Ignored packages (8)

pkgs.spectra

C++ library for large scale eigenvalue problems, built on top of Eigen

WP plugin not present in nixpkgs
Permalink CVE-2026-25485
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.azure-mgmt-commerce
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs
Permalink CVE-2020-37105
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package pmbootstrap 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
PMB 5.6 - 'logid' SQL Injection

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

Affected products

PMB
  • ==5.6
Ignored packages (1)

pkgs.pmbootstrap

Sophisticated chroot/build/flash tool to develop and install postmarketOS

Not present in nixpkgs
Permalink CVE-2026-25522
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • ==>= 5.0.0, < 5.5.2
  • ==>= 4.0.0-RC1, < 4.10.1
Ignored packages (8) 
Not present in nixpkgs