Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-66388
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 5 months ago
Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Affected products

apache-airflow
  • <3.1.4

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Only impact the 3.1.x branch.
Permalink CVE-2025-68438
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse dismissed 5 months ago
Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Affected products

apache-airflow
  • <3.1.6

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Only impact the 3.1.x branch
Permalink CVE-2025-68924
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    32 packages
    • wordpressPackages.plugins.hcaptcha-for-forms-and-more
    • chickenPackages_5.chickenEggs.sxml-transforms
    • python313Packages.django-formset-js-improved
    • python312Packages.django-formset-js-improved
    • home-assistant-component-tests.modern_forms
    • wordpressPackages.plugins.wpforms-lite
    • nodePackages_latest.@tailwindcss/forms
    • python313Packages.django-crispy-forms
    • python312Packages.django-crispy-forms
    • python313Packages.wtforms-bootstrap5
    • python313Packages.wtforms-sqlalchemy
    • python312Packages.wtforms-sqlalchemy
    • python312Packages.wtforms-bootstrap5
    • python313Packages.permissionedforms
    • python312Packages.permissionedforms
    • inkscape-extensions.applytransforms
    • haskellPackages.unicode-transforms
    • python313Packages.craft-platforms
    • python312Packages.craft-platforms
    • python313Packages.aiomodernforms
    • python313Packages.beanhub-forms
    • python312Packages.aiomodernforms
    • python312Packages.beanhub-forms
    • haskellPackages.unsafeperformst
    • nodePackages.@tailwindcss/forms
    • python313Packages.transforms3d
    • python312Packages.transforms3d
    • python313Packages.nitransforms
    • python312Packages.nitransforms
    • python313Packages.wtforms
    • python312Packages.wtforms
    • platformsh
    5 months ago
  • @LeSuisse dismissed 5 months ago
In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply …

In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

Affected products

Forms
  • =<8.13.16
Ignored packages (32)

pkgs.platformsh

Unified tool for managing your Platform.sh services from the command line

Impacted software not present in nixpkgs
Permalink CVE-2025-62291
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    4 packages
    • strongswanNM
    • strongswanTNC
    • strongswanTPM
    • networkmanager_strongswan
    5 months ago
  • @LeSuisse dismissed 5 months ago
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a …

In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow.

Affected products

strongSwan
  • <6.0.3

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Current stable branch has never been impacted.

https://github.com/NixOS/nixpkgs/commit/d8a0ae9d79b2914faf8864c94e552211284094c5
Permalink CVE-2025-66005
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse dismissed 5 months ago
Lack of Authentication in the InputManager D-Bus interface

Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.

Affected products

inputplumber
  • <0.63.0

Matching in nixpkgs

Package maintainers

Unstable and current stable branches are never been impacted by this issue.
Permalink CVE-2025-14338
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse dismissed 5 months ago
Polkit authentication dis isabled by default in inputplumber

Polkit authentication dis isabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005.

Affected products

inputplumber
  • <0.63.0

Matching in nixpkgs

Package maintainers

Unstable and current stable branches are never been impacted by this issue.
Permalink CVE-2026-23744
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    29 packages
    • inspector
    • appium-inspector
    • rubyPackages.gh_inspector
    • perlPackages.ClassInspector
    • haskellPackages.hs-inspector
    • rubyPackages_3_1.gh_inspector
    • rubyPackages_3_2.gh_inspector
    • rubyPackages_3_3.gh_inspector
    • rubyPackages_3_4.gh_inspector
    • rubyPackages_3_5.gh_inspector
    • perl538Packages.ClassInspector
    • perl540Packages.ClassInspector
    • python312Packages.apkinspector
    • python313Packages.apkinspector
    • haskellPackages.amazonka-inspector
    • python312Packages.debian-inspector
    • python313Packages.debian-inspector
    • haskellPackages.amazonka-inspector2
    • kdePackages.accessibility-inspector
    • python312Packages.container-inspector
    • python313Packages.container-inspector
    • python312Packages.mypy-boto3-inspector
    • python313Packages.mypy-boto3-inspector
    • python312Packages.mypy-boto3-inspector2
    • python313Packages.mypy-boto3-inspector2
    • python312Packages.types-aiobotocore-inspector
    • python313Packages.types-aiobotocore-inspector
    • python312Packages.types-aiobotocore-inspector2
    • python313Packages.types-aiobotocore-inspector2
    5 months ago
  • @LeSuisse dismissed 5 months ago
REC in MCPJam inspector due to HTTP Endpoint exposes

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

Affected products

inspector
  • ==<= 1.4.2
Ignored packages (29)

pkgs.inspector

Gtk4 Libadwaita wrapper for various system info cli commands

Impacted software not present in nixpkgs
Permalink CVE-2026-0696
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    23 packages
    • mopsa
    • sipsak
    • sharpsat-td
    • purescript-psa
    • svndumpsanitizer
    • phpPackages.psalm
    • ocamlPackages.mopsa
    • php82Packages.psalm
    • php83Packages.psalm
    • php84Packages.psalm
    • haskellPackages.cpsa
    • python312Packages.tapsaff
    • python313Packages.tapsaff
    • nodePackages.purescript-psa
    • python312Packages.markupsafe
    • python312Packages.psautohint
    • python313Packages.markupsafe
    • python313Packages.psautohint
    • terraform-providers.vpsadmin
    • nodePackages_latest.purescript-psa
    • python312Packages.types-markupsafe
    • python313Packages.types-markupsafe
    • terraform-providers.vpsfreecz_vpsadmin
    5 months ago
  • @LeSuisse dismissed 5 months ago
Session Cookies Missing HttpOnly Attribute

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

Affected products

PSA
  • ==All versions prior to 2026.1
Ignored packages (23)

pkgs.mopsa

Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1

pkgs.svndumpsanitizer

Alternative to svndumpfilter that discovers which nodes should actually be kept

pkgs.ocamlPackages.mopsa

Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1 
Impacted software not present in nixpkgs
Permalink CVE-2025-13053
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.NetCUPS
    • perl538Packages.NetCUPS
    • perl540Packages.NetCUPS
    5 months ago
  • @LeSuisse dismissed 5 months ago
A missing encryption of sensitive data vulnerability was found in the UPS settings of ADM

When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42.

Affected products

UPS
  • =<4.3.3.RKD2
  • =<5.1.0.RN42
Ignored packages (3) 
Impacted software not present in nixpkgs
Permalink CVE-2023-0835
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package vscode-extensions.yzane.markdown-pdf 5 months ago
  • @LeSuisse dismissed 5 months ago
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain …

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

Affected products

markdown-pdf
  • ==11.0.0
Ignored packages (1) 
Impacted software not present in nixpkgs