Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2025-69127
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.

Affected products

plumbing-parts
  • =<1.6

Matching in nixpkgs

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2025-69171
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
WordPress Orpheus theme <= 1.3 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions.

Affected products

orpheus
  • =<1.3

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2025-69120
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
WordPress Dazzle theme <= 1.0.0 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions.

Affected products

dazzle
  • =<1.0.0

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-39559
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
WordPress Uppercase theme < 1.2.2 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.

Affected products

uppercase
  • <1.2.2

Matching in nixpkgs

pkgs.gnomeExtensions.uppercase-input-source-indicator

Makes the current input source (language) indicator uppercase. Works with IBus input method editors, too.

  • nixos-unstable 3
    • nixpkgs-unstable 3
    • nixos-unstable-small 3
  • nixos-26.05 3
    • nixos-26.05-small 3
    • nixpkgs-26.05-darwin 3

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2025-69106
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
WordPress Imba theme <= 1.5.0 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions.

Affected products

imba
  • =<1.5.0

Matching in nixpkgs

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-32652
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
Dell AIOps Collector versions prior to 1.18.3 contain a "Use …

Dell AIOps Collector versions prior to 1.18.3 contain a "Use of Default Credentials" vulnerability. A low privileged attacker with console access could potentially exploit this vulnerability to gain Filesystem access. This vulnerability only affects fresh installations of Collector versions earlier than 1.18.3. Systems that have been upgraded (either manually or automatically) to version 1.18.3 or later are not impacted, even if they were originally installed on an earlier version.

Affected products

AIOps
  • <1.18.3 or later

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2024-52488
9.9 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
WordPress Grip theme <= 1.0.9 - Arbitrary Plugin Activation/Deactivation to RCE vulnerability

Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions.

Affected products

grip
  • =<1.0.9

Matching in nixpkgs

pkgs.grip

GTK-based audio CD player/ripper

pkgs.go-grip

Preview Markdown files locally before committing them

pkgs.regrippy

Modern Python-3-based alternative to RegRipper

pkgs.grip-grab

Fast, more lightweight ripgrep alternative for daily use cases

pkgs.grip-search

None

  • nixos-unstable 0.8
    • nixos-unstable-small 0.8
  • nixos-26.05 0.8
    • nixos-26.05-small 0.8
    • nixpkgs-26.05-darwin 0.8
Permalink CVE-2026-12440
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed 2 days, 6 hours ago
Use after free in DigitalCredentials in Google Chrome on Windows …

Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Affected products

Chrome
  • <149.0.7827.155

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Not for us, Windows
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-12515
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
Katello: missing repository authorization in content_uploads exposes cross-product content existence

A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.

References

Affected products

ctags
katello
rubygem-katello
satellite:el8/katello
satellite:el8/rubygem-katello

Matching in nixpkgs

pkgs.ctags

Tool for fast source code browsing (exuberant ctags)

  • nixos-unstable 816
    • nixpkgs-unstable 816
    • nixos-unstable-small 816
  • nixos-26.05 816
    • nixos-26.05-small 816
    • nixpkgs-26.05-darwin 816

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-48988
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 days, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 2 days, 10 hours ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 days, 6 hours ago
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.

Affected products

markdown-it
  • ==< 14.2.0

Matching in nixpkgs