Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-22044
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package glpi-agent 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
GLPI is Vulnerable to Authenticated SQL Injection

GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.

Affected products

glpi
  • ==>= 0.85, < 10.0.23
Ignored packages (1)

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.15
    • nixpkgs-unstable 1.15
    • nixos-unstable-small 1.15 
`glpi` is not available in nixpkgs.
Permalink CVE-2026-24007
4.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Tuleap is missing CSRF protection in the Overview inconsistent items

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9.

Affected products

tuleap
  • ==< 17.0.99.1768924735

Matching in nixpkgs

pkgs.tuleap-cli

Command-line interface for the Tuleap API

Package maintainers

False positive, impacts `tuleap` (not package in nixpkgs) not `tuleap-cli`
Permalink CVE-2025-58150
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @SigmaSquadron Activity log
  • Created suggestion 4 months, 3 weeks ago
  • @SigmaSquadron dismissed 4 months, 2 weeks ago
x86: buffer overrun with shadow paging + tracing

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

Affected products

Xen
  • ==consult Xen advisory XSA-477

Matching in nixpkgs

pkgs.xen

Type-1 hypervisor intended for embedded and hyperscale use cases

pkgs.xenon

Monitoring tool based on radon

pkgs.hhexen

Linux port of Raven Game's Hexen

pkgs.uhexen2

Cross-platform port of Hexen II game

pkgs.qemu_xen

Generic and open source machine emulator and virtualizer

pkgs.xenomapper

Utility for post processing mapped reads that have been aligned to a primary genome and a secondary genome and binning reads into species specific, multimapping in each species, unmapped and unassigned bins

pkgs.nxengine-evo

Complete open-source clone/rewrite of the masterpiece jump-and-run platformer Doukutsu Monogatari (also known as Cave Story)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

Package maintainers

Already fixed.
Permalink CVE-2026-23553
2.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @SigmaSquadron Activity log
  • Created suggestion 4 months, 3 weeks ago
  • @SigmaSquadron dismissed 4 months, 2 weeks ago
x86: incomplete IBPB for vCPU isolation

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.

Affected products

Xen
  • ==consult Xen advisory XSA-479

Matching in nixpkgs

pkgs.xen

Type-1 hypervisor intended for embedded and hyperscale use cases

pkgs.xenon

Monitoring tool based on radon

pkgs.hhexen

Linux port of Raven Game's Hexen

pkgs.uhexen2

Cross-platform port of Hexen II game

pkgs.qemu_xen

Generic and open source machine emulator and virtualizer

pkgs.xenomapper

Utility for post processing mapped reads that have been aligned to a primary genome and a secondary genome and binning reads into species specific, multimapping in each species, unmapped and unassigned bins

pkgs.nxengine-evo

Complete open-source clone/rewrite of the masterpiece jump-and-run platformer Doukutsu Monogatari (also known as Cave Story)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

Package maintainers

Already fixed.
Permalink CVE-2025-55292
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 3 weeks ago
  • @LeSuisse ignored
    47 packages
    • python313Packages.ha-silabs-firmware-client
    • ghidra-extensions.ghidra-firmware-utils
    • azure-cli-extensions.firmwareanalysis
    • ath9k-htc-blobless-firmware-unstable
    • python313Packages.virt-firmware
    • python312Packages.virt-firmware
    • armTrustedFirmwareAllwinnerH6
    • armTrustedFirmwareAllwinnerH616
    • nitrokey-storage-firmware
    • armTrustedFirmwareAllwinner
    • ath9k-htc-blobless-firmware
    • raspberrypiWirelessFirmware
    • nitrokey-trng-rs232-firmware
    • armTrustedFirmwareRK3568
    • armTrustedFirmwareRK3588
    • armTrustedFirmwareRK3399
    • armTrustedFirmwareRK3328
    • sigrok-firmware-fx2lafw
    • nitrokey-start-firmware
    • b43Firmware_5_1_138
    • facetimehd-firmware
    • intel2200BGFirmware
    • xow_dongle-firmware
    • broadcom-bt-firmware
    • uefi-firmware-parser
    • nitrokey-pro-firmware
    • armTrustedFirmwareQemu
    • armTrustedFirmwareS905
    • libreelec-dvb-firmware
    • armTrustedFirmwareTools
    • b43Firmware_6_30_163_46
    • nitrokey-fido2-firmware
    • rtl8192su-firmware
    • system76-firmware
    • rtl8761b-firmware
    • klipper-firmware
    • firmware-updater
    • armbian-firmware
    • firmware-manager
    • zd1211fw
    • sof-firmware
    • alsa-firmware
    • ivsc-firmware
    • raspberrypifw
    • gnome-firmware
    • linux-firmware
    • rt5677-firmware
    4 months, 3 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
In Meshtastic, an attacker can spoof licensed amateur flag for a node

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.

Affected products

firmware
  • ==<= 2.6.2
Ignored packages (47)

pkgs.zd1211fw

Firmware for the ZyDAS ZD1211(b) 802.11a/b/g USB WLAN chip

  • nixos-unstable 1.5
    • nixpkgs-unstable 1.5
    • nixos-unstable-small 1.5

pkgs.uefi-firmware-parser

Tool for parsing, extracting, and recreating UEFI firmware volumes

  • nixos-unstable 1.12
    • nixpkgs-unstable 1.12
    • nixos-unstable-small 1.12 
Not present in nixpkgs
Permalink CVE-2026-23889
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 3 weeks ago
  • @LeSuisse ignored package pnpm-shell-completion 4 months, 3 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
pnpm has Windows-specific tarball Path Traversal

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.

Affected products

pnpm
  • ==< 10.28.1

Matching in nixpkgs

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_10

Fast, disk space efficient package manager for JavaScript

Ignored packages (1)

Package maintainers

No Windows support.
Permalink CVE-2025-64368
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored package bombardier 4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Bard theme <= 1.6 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes Bard bardwp allows Cross Site Request Forgery.This issue affects Bard: from n/a through <= 1.6.

Affected products

bardwp
  • =<<= 1.6
Ignored packages (1)

pkgs.bombardier

Fast cross-platform HTTP benchmarking tool written in Go

WP theme not present in nixpkgs
Permalink CVE-2025-68508
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored package brave 4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Brave plugin <= 0.8.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brave Brave brave-popup-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Brave: from n/a through <= 0.8.3.

Affected products

brave-popup-builder
  • =<<= 0.8.3
Ignored packages (1)

pkgs.brave

Privacy-oriented browser for Desktop and Laptop computers

WP plugin not present in nixpkgs
Permalink CVE-2025-62962
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    11 packages
    • python313Packages.types-aiobotocore-cloudsearchdomain
    • python312Packages.types-aiobotocore-cloudsearchdomain
    • python313Packages.types-aiobotocore-cloudsearch
    • python312Packages.types-aiobotocore-cloudsearch
    • python313Packages.mypy-boto3-cloudsearchdomain
    • python312Packages.mypy-boto3-cloudsearchdomain
    • haskellPackages.amazonka-cloudsearch-domains
    • python313Packages.mypy-boto3-cloudsearch
    • python312Packages.mypy-boto3-cloudsearch
    • haskellPackages.amazonka-cloudsearch
    • haskellPackages.gogol-cloudsearch
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress CloudSearch plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Andrea Landonio CloudSearch cloud-search allows Stored XSS.This issue affects CloudSearch: from n/a through <= 3.0.0.

Affected products

cloud-search
  • =<<= 3.0.0
Ignored packages (11) 
WP plugin not present in nixpkgs
Permalink CVE-2021-47857
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    2 packages
    • moodle-dl
    • moodle
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
Moodle 3.10.3 - 'label' Persistent Cross Site Scripting

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

Affected products

Moodle
  • ==3.10.3
Ignored packages (2)

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

Current stable and unstable branches not impacted