Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

Permalink CVE-2026-29075
8.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    9 packages
    • mesa
    • libGLX
    • libgbm
    • mesa-demos
    • mesa-gl-headers
    • mesa_i686.x86_64-linux
    • driversi686Linux.mesa.x86_64-linux
    • grafanaPlugins.mesak-imagesave-panel
    • driversi686Linux.mesa-demos.x86_64-linux
  • @mweinelt dismissed
Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd.

Affected products

mesa
  • <= 3.5.0
Ignored packages (9)
Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    6 packages
    • protorpc
    • haskellPackages.utxorpc
    • python312Packages.aiorpcx
    • python312Packages.zerorpc
    • python313Packages.aiorpcx
    • python314Packages.aiorpcx
  • @mweinelt dismissed
oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization

oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.

Affected products

orpc
  • < 1.13.6
Ignored packages (6)
Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    14 packages
    • python312Packages.beacontools
    • python312Packages.ibeacon-ble
    • python313Packages.beacontools
    • python313Packages.ibeacon-ble
    • python314Packages.beacontools
    • python314Packages.ibeacon-ble
    • python312Packages.thermobeacon-ble
    • python313Packages.thermobeacon-ble
    • python314Packages.thermobeacon-ble
    • haskellPackages.gogol-proximitybeacon
    • home-assistant-component-tests.ibeacon
    • home-assistant-component-tests.thermobeacon
    • tests.home-assistant-component-tests.ibeacon
    • tests.home-assistant-component-tests.thermobeacon
  • @mweinelt dismissed
WordPress Beacon theme <= 2.24 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Beacon beacon allows PHP Local File Inclusion. This issue affects Beacon: from n/a through <= 2.24.

Affected products

beacon
  • <= 2.24
Ignored packages (14)
Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    11 packages
    • quantumminigolf
    • quantum-espresso
    • filebrowser-quantum
    • cudaPackages.cuquantum
    • pkgsRocm.quantum-espresso
    • azure-cli-extensions.quantum
    • python312Packages.quantum-gateway
    • python313Packages.quantum-gateway
    • python314Packages.quantum-gateway
    • home-assistant-component-tests.quantum_gateway
    • tests.home-assistant-component-tests.quantum_gateway
  • @mweinelt dismissed
WordPress Quantum theme <= 1.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Quantum quantum allows PHP Local File Inclusion. This issue affects Quantum: from n/a through <= 1.0.

Affected products

quantum
  • <= 1.0
Ignored packages (11)
Not in nixpkgs
Permalink CVE-2026-30244
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    35 packages
    • xplanet
    • freeplane
    • m2-planet
    • crossplane
    • microplane
    • paper-plane
    • invoiceplane
    • m2-mesoplanet
    • crossplane-cli
    • biplanes-revival
    • planetary_annihilation
    • perlPackages.MathPlanePath
    • perl5Packages.MathPlanePath
    • dprint-plugins.g-plane-malva
    • python312Packages.crossplane
    • python313Packages.crossplane
    • python314Packages.crossplane
    • perl538Packages.MathPlanePath
    • perl540Packages.MathPlanePath
    • dprint-plugins.g-plane-markup_fmt
    • dprint-plugins.g-plane-pretty_yaml
    • gnomeExtensions.sane-airplane-mode
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • python312Packages.planetary-computer
    • python313Packages.planetary-computer
    • python314Packages.planetary-computer
    • dprint-plugins.g-plane-pretty_graphql
    • haskellPackages.amazonka-iot-dataplane
    • python313Packages.greenplanet-energy-api
    • python314Packages.greenplanet-energy-api
    • haskellPackages.amazonka-iot-jobs-dataplane
    • vscode-extensions.gplane.wasm-language-tools
    • haskellPackages.amazonka-mediastore-dataplane
    • tests.home-assistant-component-tests.green_planet_energy
  • @mweinelt dismissed
Plane: Unauthenticated Workspace Member Information Disclosure

Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.

Affected products

plane
  • < 1.2.2
Ignored packages (35)

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

pkgs.gnomeExtensions.sane-airplane-mode

Make airplane mode sane again! This extension gives you better control over the airplane mode and lets you turn off the annoying "Bluetooth gets turned on when I disable airplane mode" behaviour.

Not in nixpkgs
Permalink CVE-2026-30242
8.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    35 packages
    • xplanet
    • freeplane
    • m2-planet
    • crossplane
    • microplane
    • paper-plane
    • invoiceplane
    • m2-mesoplanet
    • crossplane-cli
    • biplanes-revival
    • planetary_annihilation
    • perlPackages.MathPlanePath
    • perl5Packages.MathPlanePath
    • dprint-plugins.g-plane-malva
    • python312Packages.crossplane
    • python313Packages.crossplane
    • python314Packages.crossplane
    • perl538Packages.MathPlanePath
    • perl540Packages.MathPlanePath
    • dprint-plugins.g-plane-markup_fmt
    • dprint-plugins.g-plane-pretty_yaml
    • gnomeExtensions.sane-airplane-mode
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • python312Packages.planetary-computer
    • python313Packages.planetary-computer
    • python314Packages.planetary-computer
    • dprint-plugins.g-plane-pretty_graphql
    • haskellPackages.amazonka-iot-dataplane
    • python313Packages.greenplanet-energy-api
    • python314Packages.greenplanet-energy-api
    • haskellPackages.amazonka-iot-jobs-dataplane
    • vscode-extensions.gplane.wasm-language-tools
    • haskellPackages.amazonka-mediastore-dataplane
    • tests.home-assistant-component-tests.green_planet_energy
  • @mweinelt dismissed
Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer

Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.

Affected products

plane
  • < 1.2.3
Ignored packages (35)

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

pkgs.gnomeExtensions.sane-airplane-mode

Make airplane mode sane again! This extension gives you better control over the airplane mode and lets you turn off the annoying "Bluetooth gets turned on when I disable airplane mode" behaviour.

Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
Flare: Password-Protected Thumbnail Bypass

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password-protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.

Affected products

Flare
  • < 1.7.2

Matching in nixpkgs

Package maintainers

Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    27 packages
    • flare
    • flarectl
    • photoflare
    • cloudflared
    • flare-floss
    • gotlsaflare
    • flare-signal
    • flaresolverr
    • cloudflare-cli
    • cloudflare-ddns
    • cloudflare-warp
    • cloudflare-utils
    • cloudflare-dyndns
    • speed-cloudflare-cli
    • cloudflare-dynamic-dns
    • octodns-providers.cloudflare
    • python312Packages.cloudflare
    • python313Packages.cloudflare
    • python314Packages.cloudflare
    • prometheus-cloudflare-exporter
    • terraform-providers.cloudflare
    • gnomeExtensions.cloudflare-warp-toggle
    • home-assistant-component-tests.cloudflare
    • terraform-providers.cloudflare_cloudflare
    • tests.home-assistant-component-tests.cloudflare
    • tests.home-assistant-component-tests.cloudflare_r2
    • haskellPackages.hs-opentelemetry-instrumentation-cloudflare
  • @mweinelt dismissed
Flare: Private File IDOR via raw/direct endpoints

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non-owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints. This issue has been patched in version 1.7.2.

Affected products

Flare
  • < 1.7.2
Ignored packages (27)
Not in nixpkgs
Permalink CVE-2026-28047
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    9 packages
    • vlagent
    • vmagent
    • victor-mono
    • victorialogs
    • victoriatraces
    • victoriametrics
    • nerd-fonts.victor-mono
    • grafanaPlugins.victoriametrics-logs-datasource
    • grafanaPlugins.victoriametrics-metrics-datasource
  • @LeSuisse dismissed
WordPress Victo theme <= 1.4.16 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Victo victo allows PHP Local File Inclusion. This issue affects Victo: from n/a through <= 1.4.16.

Affected products

victo
  • <= 1.4.16
Ignored packages (9)
Not present in nixpkgs
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    2 packages
    • sketchybar
    • sketchybar-app-font
  • @LeSuisse dismissed
WordPress Etchy theme <= 1.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Etchy etchy allows PHP Local File Inclusion. This issue affects Etchy: from n/a through <= 1.0.

Affected products

etchy
  • <= 1.0
Ignored packages (2)
Not present in nixpkgs