Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
  • @LeSuisse dismissed
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • >= 5.0.0, < 5.5.2
  • >= 4.0.0-RC1, < 4.10.1
Not present in nixpkgs
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
list=allrevisions can be used to bypass Extension:Lockdown

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program file includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki versions before 1.39.16, 1.43.6, 1.44.3 and 1.45.1.

Affected products

MediaWiki
  • < 1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

Package maintainers

This extension does not seem present in nixpkgs
CVE-2019-25261
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
AnyDesk 5.4.0 - Unquoted Service Path

AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges.

Affected products

AnyDesk
  • = 5.4.0

Matching in nixpkgs

pkgs.anydesk

Desktop sharing application, providing remote support and online meetings

Package maintainers

Current stable branch was never impacted.
CVE-2026-24982
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    8 packages
    • spectra
    • spectral-language-server
    • python312Packages.spectra
    • python313Packages.spectra
    • python314Packages.spectra
    • python312Packages.spectral-cube
    • python313Packages.spectral-cube
    • python314Packages.spectral-cube
  • @LeSuisse dismissed
WordPress Spectra plugin <= 2.19.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Spectra (ultimate-addons-for-gutenberg) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra versions up to and including 2.19.17.

Affected products

ultimate-addons-for-gutenberg
  • <= 2.19.17
WP plugin not present in nixpkgs
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.azure-mgmt-commerce
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
  • @LeSuisse dismissed
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • >= 5.0.0, < 5.5.2
  • >= 4.0.0-RC1, < 4.10.1
Not present in nixpkgs
CVE-2020-37105
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package pmbootstrap
  • @LeSuisse dismissed
PMB 5.6 - 'logid' SQL Injection

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

Affected products

PMB
  • = 5.6
Not present in nixpkgs
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
  • @LeSuisse dismissed
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Affected products

commerce
  • >= 5.0.0, < 5.5.2
  • >= 4.0.0-RC1, < 4.10.1
Not present in nixpkgs
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    8 packages
    • python312Packages.azure-mgmt-commerce
    • python313Packages.azure-mgmt-commerce
    • python314Packages.azure-mgmt-commerce
    • python312Packages.mypy-boto3-marketplacecommerceanalytics
    • python313Packages.mypy-boto3-marketplacecommerceanalytics
    • python314Packages.mypy-boto3-marketplacecommerceanalytics
    • python312Packages.types-aiobotocore-marketplacecommerceanalytics
    • python313Packages.types-aiobotocore-marketplacecommerceanalytics
  • @LeSuisse dismissed
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.

Affected products

commerce
  • >= 5.0.0, < 5.5.2
Not present in nixpkgs
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    6 packages
    • claude-code-acp
    • claude-code-bin
    • claude-code-router
    • gnomeExtensions.claude-code-switcher
    • vscode-extensions.anthropic.claude-code
    • gnomeExtensions.claude-code-usage-indicator
  • @LeSuisse added package claude-code-bin
  • @LeSuisse dismissed
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io); this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.

Affected products

claude-code
  • < 1.0.111

Matching in nixpkgs

pkgs.claude-code

An agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

pkgs.claude-code-bin

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

Package maintainers

Has never impacted the current stable branch (https://github.com/NixOS/nixpkgs/commit/4813cea9a3fd5c084f993b1d1862a61c7430c7ff).
CVE-2025-64712
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    13 packages
    • unstructured-api
    • pkgsRocm.unstructured-api
    • python312Packages.unstructured-client
    • python313Packages.unstructured-client
    • python314Packages.unstructured-client
    • python312Packages.unstructured-api-tools
    • python312Packages.unstructured-inference
    • python313Packages.unstructured-api-tools
    • python313Packages.unstructured-inference
    • python314Packages.unstructured-api-tools
    • python314Packages.unstructured-inference
    • pkgsRocm.python3Packages.unstructured-inference
    • tests.devShellTools.unstructuredDerivationInputEnv
  • @LeSuisse dismissed
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write

The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.

Affected products

unstructured
  • < 0.18.18

Matching in nixpkgs

Package maintainers

Stable has never been impacted (https://github.com/NixOS/nixpkgs/commit/af717cae2e2a3a0f01dd0fccf2bc2f2537f118cc).