Nixpkgs Security Tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-1999-0059
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse removed package mairix
  • @LeSuisse dismissed
IRIX fam service allows an attacker to obtain a list of all files on the server.

References

  • irix-fam(325) vdb-entry x_refsource_XF
  • 164 x_refsource_OSVDB vdb-entry
  • 353 vdb-entry x_refsource_BID
  • 164 x_refsource_OSVDB x_transferred vdb-entry
  • 353 x_transferred vdb-entry x_refsource_BID
  • irix-fam(325) x_transferred vdb-entry x_refsource_XF

Affected products

n/a
  • ==n/a
irix
  • ==6.1
  • ==6.2
  • ==6.3
  • ==5.3
Not present in nixpkgs. Old issue.
CVE-2026-0997
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse removed 6 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    • mattermost
    • mattermostLatest
  • @LeSuisse dismissed
Mattermost Zoom Plugin channel preference API lacks authorization checks

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing /plugins/zoom/api/v1/channel-preference, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests. Mattermost Advisory ID: MMSA-2025-00558

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10
Mattermost Zoom plugin is not present in nixpkgs
CVE-1999-0052
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 month ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse removed 2 packages
    • netcat-openbsd
    • nagiosPlugins.openbsd_snmp3_check
  • @LeSuisse dismissed
IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.

Affected products

n/a
  • ==n/a
bsd_os
  • ==4.0
freebsd
  • ==2.1.6
  • ==1.1.5.1
  • ==2.2.8
  • ==2.0
  • ==2.1.0
  • ==2.2.2
  • ==2.1.7.1
  • ==2.1.5
  • ==2.0.5
openbsd
  • ==2.4
  • ==2.3
  • ==2.2
(Old) FreeBSD issue, not an issue for nixpkgs
CVE-2026-0998
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse removed 6 packages
    • mattermost
    • mattermostLatest
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
  • @LeSuisse dismissed
Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the /api/v1/askPMI endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data. Mattermost Advisory ID: MMSA-2025-00534

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10
Mattermost Zoom plugin is not present in nixpkgs
updated 1 month ago by @LeSuisse
Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.

Affected products

clamav
  • ==0.91.2

Matching in nixpkgs

pkgs.clamav

Antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats

Current stable branch was never impacted

https://github.com/NixOS/nixpkgs/commit/8fbac5dbdca98d9d80fa3e654213e0b575834f68
CVE-2019-25373
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @jopejoe1
Activity log
  • Created automatic suggestion
  • @jopejoe1 removed 6 packages
    • prometheus-opnsense-exporter
    • python313Packages.pyopnsense
    • python312Packages.pyopnsense
    • python314Packages.pyopnsense
    • home-assistant-component-tests.opnsense
    • tests.home-assistant-component-tests.opnsense
  • @jopejoe1 dismissed
OPNsense 19.1 Stored XSS via firewall_rules_edit.php

OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to execute arbitrary JavaScript in the browsers of other users accessing firewall rule pages.

Affected products

OPNsense
  • ==19.1
Not present in nixpkgs
CVE-2019-25368
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @jopejoe1
Activity log
  • Created automatic suggestion
  • @jopejoe1 removed 6 packages
    • tests.home-assistant-component-tests.opnsense
    • python314Packages.pyopnsense
    • python313Packages.pyopnsense
    • prometheus-opnsense-exporter
    • home-assistant-component-tests.opnsense
    • python312Packages.pyopnsense
  • @jopejoe1 dismissed
OPNsense 19.1 Reflected XSS via diag_backup.php

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.

Affected products

OPNsense
  • ==19.1
Not present in nixpkgs
CVE-2019-25377
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @jopejoe1
Activity log
  • Created automatic suggestion
  • @jopejoe1 removed 6 packages
    • prometheus-opnsense-exporter
    • python314Packages.pyopnsense
    • python313Packages.pyopnsense
    • python312Packages.pyopnsense
    • tests.home-assistant-component-tests.opnsense
    • home-assistant-component-tests.opnsense
  • @jopejoe1 dismissed
OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php

OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions.

Affected products

OPNsense
  • ==19.1
Not present in nixpkgs
CVE-2019-25372
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @jopejoe1
Activity log
  • Created automatic suggestion
  • @jopejoe1 removed 6 packages
    • tests.home-assistant-component-tests.opnsense
    • python314Packages.pyopnsense
    • python313Packages.pyopnsense
    • prometheus-opnsense-exporter
    • home-assistant-component-tests.opnsense
    • python312Packages.pyopnsense
  • @jopejoe1 dismissed
OPNsense 19.1 Reflected XSS via diag_traceroute.php

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session.

Affected products

OPNsense
  • ==19.1
Not present in nixpkgs
CVE-2019-25375
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @jopejoe1
Activity log
  • Created automatic suggestion
  • @jopejoe1 removed 6 packages
    • prometheus-opnsense-exporter
    • python312Packages.pyopnsense
    • python313Packages.pyopnsense
    • python314Packages.pyopnsense
    • home-assistant-component-tests.opnsense
    • tests.home-assistant-component-tests.opnsense
  • @jopejoe1 dismissed
OPNsense 19.1 Reflected XSS via monit interface

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.

Affected products

OPNsense
  • ==19.1
Not present in nixpkgs