Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • speedify
    • hiddify-app
    • gomodifytags
    • haskellPackages.swizzle-modify
  • @LeSuisse dismissed
Dify - Stored XSS in chat

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.

Affected products

dify
  • ==< 1.11.2
Ignored packages (4)

pkgs.hiddify-app

Multi-platform auto-proxy client, supporting Sing-box, X-ray, TUIC, Hysteria, Reality, Trojan, SSH etc

Not present in nixpkgs
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    6 packages
    • typstPackages.efilrst
    • typstPackages.efilrst_0_1_0
    • typstPackages.efilrst_0_2_0
    • typstPackages.efilrst_0_3_0
    • typstPackages.efilrst_0_3_1
    • typstPackages.efilrst_0_3_2
  • @LeSuisse dismissed
Improper access control vulnerability has been discovered in OpenText™ Filr.

Missing Authorization vulnerability in OpenText™ Filr allows Authentication Bypass. The vulnerability could allow unauthenticated users to get an XSRF token and perform RPC with carefully crafted programs. This issue affects Filr: through 25.1.2.

Affected products

Filr
  • =<25.1.2
Ignored packages (6)
Not present in nixpkgs
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • perlPackages.HTTPRequestAsCGI
    • perl5Packages.HTTPRequestAsCGI
    • perl538Packages.HTTPRequestAsCGI
    • perl540Packages.HTTPRequestAsCGI
  • @LeSuisse dismissed
Application User custom defined accounts are not properly password protected in Brocade ASCG 3.4.0

Authentication bypass in Brocade ASCG 3.4.0 could allow an unauthorized user to perform ASCG operations related to Brocade Support Link (BSL) and streaming configuration, and could even disable the ASCG application or disable use of BSL data collection on Brocade switches within the fabric.

Affected products

ASCG
  • ==3.4.0
Ignored packages (4)
Not present in nixpkgs
CVE-2026-25906
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    9 packages
    • pngoptimizer
    • meshoptimizer
    • openorbitaloptimizer
    • haskellPackages.amazonka-compute-optimizer
    • python312Packages.mypy-boto3-compute-optimizer
    • python313Packages.mypy-boto3-compute-optimizer
    • python314Packages.mypy-boto3-compute-optimizer
    • python312Packages.types-aiobotocore-compute-optimizer
    • python313Packages.types-aiobotocore-compute-optimizer
  • @LeSuisse dismissed
Dell Optimizer, versions prior to 6.3.1, contain an Improper Link …

Dell Optimizer, versions prior to 6.3.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Affected products

Optimizer
  • <6.3.1.0
Ignored packages (9)
Not present in nixpkgs
updated 2 weeks, 5 days ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    39 packages
    • firefoxpwa
    • faust2firefox
    • firefox_decrypt
    • pkgsRocm.firefox
    • firefox-unwrapped
    • firefox-gnome-theme
    • firefox-sync-client
    • pkgsRocm.firefoxpwa
    • pkgsRocm.thunderbird
    • firefox-esr-unwrapped
    • pkgsRocm.firefox-beta
    • thunderbird-unwrapped
    • firefox-beta-unwrapped
    • pkgsRocm.firefox-mobile
    • firefox-esr-140-unwrapped
    • thunderbird-128-unwrapped
    • thunderbird-140-unwrapped
    • thunderbird-esr-unwrapped
    • pkgsRocm.firefox-unwrapped
    • pkgsRocm.firefox-devedition
    • pkgsRocm.thunderbird-latest
    • firefox-devedition-unwrapped
    • thunderbird-latest-unwrapped
    • pkgsRocm.thunderbird-unwrapped
    • pkgsRocm.firefox-beta-unwrapped
    • thunderbirdPackages.thunderbird
    • gnomeExtensions.firefox-profiles
    • roundcubePlugins.thunderbird_labels
    • thunderbirdPackages.thunderbird-128
    • thunderbirdPackages.thunderbird-140
    • thunderbirdPackages.thunderbird-esr
    • pkgsRocm.firefox-devedition-unwrapped
    • pkgsRocm.thunderbird-latest-unwrapped
    • thunderbirdPackages.thunderbird-latest
    • pkgsRocm.thunderbirdPackages.thunderbird
    • gnomeExtensions.firefox-pip-always-on-top
    • gnomeExtensions.pip-alwaysontop-for-firefox
    • pkgsRocm.thunderbirdPackages.thunderbird-latest
    • vscode-extensions.firefox-devtools.vscode-firefox-debug
  • @mweinelt dismissed
Spoofing issue in the WebAuthn component in Firefox for Android

Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects Firefox < 148 and Thunderbird < 148.

Affected products

Firefox
  • <148
Thunderbird
  • <148
Ignored packages (39)
Android only
updated 2 weeks, 5 days ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    5 packages
    • python312Packages.pyqwikswitch
    • python313Packages.pyqwikswitch
    • python314Packages.pyqwikswitch
    • home-assistant-component-tests.qwikswitch
    • tests.home-assistant-component-tests.qwikswitch
  • @mweinelt dismissed
Qwik affected by unauthenticated RCE via server$ Deserialization

Qwik is a performance-focused JavaScript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.

Affected products

qwik
  • ==< 1.19.1
Ignored packages (5)
Not in nixpkgs
CVE-2026-3389
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 2 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • squirrel-sql
    • squirreldisk
    • vimPlugins.nvim-treesitter-parsers.squirrel
  • @LeSuisse dismissed
Squirrel sqstdrex.cpp sqstd_rex_newnode null pointer dereference

A vulnerability was determined in Squirrel up to 3.2. This vulnerability affects the function sqstd_rex_newnode in the library sqstdlib/sqstdrex.cpp. Executing a manipulation can lead to null pointer dereference. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

Squirrel
  • ==3.0
  • ==3.2
  • ==3.1
Ignored packages (3)
Not present in nixpkgs
CVE-2026-3388
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 2 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • squirrel-sql
    • squirreldisk
    • vimPlugins.nvim-treesitter-parsers.squirrel
  • @LeSuisse dismissed
Squirrel sqcompiler.cpp UnaryOP recursion

A vulnerability was found in Squirrel up to 3.2. This affects the function SQCompiler::Factor/SQCompiler::UnaryOP of the file squirrel/sqcompiler.cpp. Performing a manipulation results in uncontrolled recursion. The attack needs to be approached locally. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

Squirrel
  • ==3.0
  • ==3.2
  • ==3.1
Ignored packages (3)
Not present in nixpkgs
CVE-2026-3390
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 2 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    20 packages
    • lilypond
    • lilypond-unstable
    • lilypond-with-fonts
    • openlilylib-fonts.ross
    • gnomeExtensions.lilypad
    • openlilylib-fonts.haydn
    • openlilylib-fonts.bravura
    • openlilylib-fonts.cadence
    • openlilylib-fonts.gonville
    • openlilylib-fonts.lilyjazz
    • openlilylib-fonts.paganini
    • openlilylib-fonts.profondo
    • openlilylib-fonts.beethoven
    • openlilylib-fonts.improviso
    • openlilylib-fonts.scorlatti
    • lilypond-unstable-with-fonts
    • openlilylib-fonts.lilyboulez
    • openlilylib-fonts.sebastiano
    • openlilylib-fonts.lv-goldenage
    • openlilylib-fonts.gutenberg1939
  • @LeSuisse dismissed
FascinatedBox lily Error Reporting lily_build_error.c patch_line_end out-of-bounds

A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

lily
  • ==2.1
  • ==2.0
  • ==2.2
  • ==2.3
Ignored packages (20)
Not present in nixpkgs
CVE-2026-3392
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 2 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    20 packages
    • lilypond
    • lilypond-unstable
    • lilypond-with-fonts
    • openlilylib-fonts.ross
    • gnomeExtensions.lilypad
    • openlilylib-fonts.haydn
    • openlilylib-fonts.bravura
    • openlilylib-fonts.cadence
    • openlilylib-fonts.gonville
    • openlilylib-fonts.lilyjazz
    • openlilylib-fonts.paganini
    • openlilylib-fonts.profondo
    • openlilylib-fonts.beethoven
    • openlilylib-fonts.improviso
    • openlilylib-fonts.scorlatti
    • lilypond-unstable-with-fonts
    • openlilylib-fonts.lilyboulez
    • openlilylib-fonts.sebastiano
    • openlilylib-fonts.lv-goldenage
    • openlilylib-fonts.gutenberg1939
  • @LeSuisse dismissed
FascinatedBox lily lily_emitter.c eval_tree null pointer dereference

A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

lily
  • ==2.1
  • ==2.0
  • ==2.2
  • ==2.3
Ignored packages (20)
Not present in nixpkgs