Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-23724
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
    5 months ago
  • @LeSuisse dismissed 5 months ago
WeGIA Stored Cross-Site Scripting (XSS) – atendido_idatendido Parameter on Occurrence Registration Page

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • ==< 3.6.2
Ignored packages (3) 
Package not available in nixpkgs
Permalink CVE-2026-0695
8.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    23 packages
    • mopsa
    • sipsak
    • sharpsat-td
    • purescript-psa
    • svndumpsanitizer
    • phpPackages.psalm
    • ocamlPackages.mopsa
    • php82Packages.psalm
    • php83Packages.psalm
    • php84Packages.psalm
    • haskellPackages.cpsa
    • python312Packages.tapsaff
    • python313Packages.tapsaff
    • nodePackages.purescript-psa
    • python312Packages.markupsafe
    • python312Packages.psautohint
    • terraform-providers.vpsfreecz_vpsadmin
    • python313Packages.types-markupsafe
    • python312Packages.types-markupsafe
    • nodePackages_latest.purescript-psa
    • terraform-providers.vpsadmin
    • python313Packages.psautohint
    • python313Packages.markupsafe
    5 months ago
  • @LeSuisse dismissed 5 months ago
Stored XSS in Time Entry Audit Trail

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.

Affected products

PSA
  • ==All versions prior to 2026.1
Ignored packages (23)

pkgs.mopsa

Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1

pkgs.svndumpsanitizer

Alternative to svndumpfilter that discovers which nodes should actually be kept

pkgs.ocamlPackages.mopsa

Modular and Open Platform for Static Analysis using Abstract Interpretation

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1 
Does not impact a package available in nixpkgs
Permalink CVE-2025-14242
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse dismissed 5 months ago
Vsftpd: vsftpd: denial of service via integer overflow in ls command parameter parsing

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

References

Affected products

vsftpd
  • *

Matching in nixpkgs

pkgs.vsftpd

Very secure FTP daemon

Package maintainers

Only impact a Red hat specific patch not shipped in nixpkgs

https://bugzilla.redhat.com/show_bug.cgi?id=2419826
Permalink CVE-2025-59029
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 5 months ago
Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.

Affected products

pdns-recursor
  • <5.3.2

Matching in nixpkgs

Package maintainers

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html

5.2.x branch is not impacted.
Permalink CVE-2025-62762
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @SigmaSquadron Activity log
  • Created suggestion 5 months, 1 week ago
  • @SigmaSquadron ignored package haskellPackages.smtp-mail 5 months, 1 week ago
  • @SigmaSquadron deleted maintainer @mpscholten 5 months, 1 week ago maintainer.delete
  • @SigmaSquadron accepted 5 months, 1 week ago
  • @SigmaSquadron dismissed 5 months, 1 week ago
WordPress SMTP Mail plugin <= 1.3.47 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery.This issue affects SMTP Mail: from n/a through <= 1.3.47.

Affected products

smtp-mail
  • =<<= 1.3.47
Ignored packages (1) 
This is actually related to wordpressPackages.plugins.wp-mail-smtp, which has no maintainers, and it seems that the version in Nixpkgs is unaffected.
Permalink CVE-2025-67467
4.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @SigmaSquadron Activity log
  • Created suggestion 5 months, 1 week ago
  • @SigmaSquadron dismissed 5 months, 1 week ago
WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery.This issue affects GiveWP: from n/a through <= 4.13.1.

Affected products

give
  • =<<= 4.13.1

Matching in nixpkgs

We do not package that specific WP plugin.
Permalink CVE-2025-66527
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @SigmaSquadron Activity log
  • Created suggestion 5 months, 1 week ago
  • @SigmaSquadron dismissed 5 months, 1 week ago
WordPress Lobo theme <= 2.8.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lobo: from n/a through <= 2.8.6.

Affected products

lobo
  • =<<= 2.8.6

Matching in nixpkgs

We do not package the Lobo theme.
Permalink CVE-2025-58936
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package catamaran 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Catamaran theme <= 1.15 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion.This issue affects Catamaran: from n/a through <= 1.15.

Affected products

catamaran
  • =<<= 1.15
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-58929
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package haskellPackages.pantry 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Pantry theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion.This issue affects Pantry: from n/a through <= 1.4.

Affected products

pantry
  • =<<= 1.4
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-60061
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package elfkickers 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Kicker theme <= 2.2.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Kicker kicker allows PHP Local File Inclusion.This issue affects Kicker: from n/a through <= 2.2.0.

Affected products

kicker
  • =<<= 2.2.0
Ignored packages (1)

pkgs.elfkickers

Collection of programs that access and manipulate ELF files

  • nixos-unstable 3.2
    • nixpkgs-unstable 3.2
    • nixos-unstable-small 3.2 
WP theme not present in nixpkgs