Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 3 weeks, 6 days ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    16 packages
    • amf
    • bamf
    • amfora
    • ramfetch
    • cramfsswap
    • samfirm-js
    • amf-headers
    • cramfsprogs
    • ArchiSteamFarm
    • archisteamfarm
    • python312Packages.py3amf
    • python313Packages.py3amf
    • python314Packages.py3amf
    • python312Packages.dissect-cramfs
    • python313Packages.dissect-cramfs
    • python314Packages.dissect-cramfs
  • @mweinelt dismissed
free5GC has Array Index Out of Bounds in AMF Leading to Denial of Service

free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of free5GC's AMF service have a Buffer Overflow vulnerability leading to Denial of Service. Remote unauthenticated attackers can crash the AMF service by sending a specially crafted NAS Registration Request with a malformed 5GS Mobile Identity, causing complete denial of service for the 5G core network. All deployments of free5GC using the AMF component may be affected. Pull request 43 of the free5gc/nas repo contains a fix. No direct workaround is available at the application level. Applying the official patch is recommended.

Affected products

amf
  • <= 1.4.1
Ignored packages (16)

pkgs.ramfetch

Tool which displays memory information

Not in nixpkgs
Permalink CVE-2026-2686
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 3 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    2 packages
    • tests.fetchFirefoxAddon.simple
    • tests.fetchFirefoxAddon.overridden-source
  • @LeSuisse dismissed
SECCN Dingcheng G10 session_login.cgi qq os command injection

A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. Manipulation of the argument User leads to OS command injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.

Affected products

G10
  • ==3.1.0.181203
Ignored packages (2)
Not present in nixpkgs
Permalink CVE-2026-3044
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 3 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package vimPlugins.nvim-treesitter-parsers.strace
  • @LeSuisse dismissed
Tenda AC8 Httpd Service UploadCfg webCgiGetUploadFile stack-based overflow

A vulnerability has been found in Tenda AC8 16.03.34.06. This affects the function webCgiGetUploadFile of the file /cgi-bin/UploadCfg of the component Httpd Service. The manipulation of the argument boundary leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Affected products

AC8
  • ==16.03.34.06
Ignored packages (1)
Not present in nixpkgs
Permalink CVE-2019-25432
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 weeks, 6 days ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
Part-DB 0.4 Authentication Bypass via login.php

Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to log in by injecting SQL syntax into authentication parameters. Attackers can submit a single quote followed by 'or' in the login form to bypass credential validation and gain unauthorized access to the application.

Affected products

Part-DB
  • ==0.4

Matching in nixpkgs

Package maintainers

Too old, fixed years ago
updated 1 month ago by @emilylange Activity log
  • Created automatic suggestion
  • @emilylange dismissed
Insufficient validation of untrusted input in Omnibox in Google Chrome …

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

References

Affected products

Chrome
  • <78.0.3904.70

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Old CVE, long fixed
updated 1 month ago by @emilylange Activity log
  • Created automatic suggestion
  • @emilylange dismissed
Out of bounds read in SQLite in Google Chrome prior …

Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

References

Affected products

Chrome
  • <79.0.3945.79

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Old CVE, long fixed
updated 1 month ago by @emilylange Activity log
  • Created automatic suggestion
  • @emilylange dismissed
Insufficient policy enforcement in cookies in Google Chrome prior to …

Insufficient policy enforcement in cookies in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

References

Affected products

Chrome
  • <79.0.3945.79

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Old CVE, long fixed
updated 1 month ago by @emilylange Activity log
  • Created automatic suggestion
  • @emilylange dismissed
Insufficient policy enforcement in WebSockets in Google Chrome prior to …

Insufficient policy enforcement in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

References

Affected products

Chrome
  • <79.0.3945.79

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Old CVE, long fixed
updated 1 month ago by @emilylange Activity log
  • Created automatic suggestion
  • @emilylange dismissed
Insufficient policy enforcement in payments in Google Chrome prior to …

Insufficient policy enforcement in payments in Google Chrome prior to 79.0.3945.79 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

References

Affected products

Chrome
  • <79.0.3945.79

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Old CVE, long fixed
updated 1 month ago by @emilylange Activity log
  • Created automatic suggestion
  • @emilylange dismissed
Inappropriate implementation in installer in Google Chrome on Windows prior …

Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable.

References

Affected products

Chrome
  • <78.0.3904.70

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Old CVE, long fixed, Windows-only