Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2018-25211
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 1 month, 4 weeks ago
Allok Video Splitter 3.1.1217 Buffer Overflow via License Name

Allok Video Splitter 3.1.1217 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service or execute arbitrary code by supplying an oversized string in the License Name field. Attackers can craft a malicious payload exceeding 780 bytes, paste it into the License Name registration field, and trigger the overflow when the Register button is clicked.

Affected products

Splitter
  • ==3.1.1217

Matching in nixpkgs

pkgs.zlsplitter

Versatile splitter plugin for VST3, LV2 and standalone

pkgs.mkgmap-splitter

Utility for splitting OpenStreetMap maps into tiles

  • nixos-unstable 654
    • nixpkgs-unstable 654
    • nixos-unstable-small 654
  • nixos-25.11 654
    • nixos-25.11-small 654
    • nixpkgs-25.11-darwin 654

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-33326
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany

Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2.

Affected products

keystone
  • ==< 6.5.2

Matching in nixpkgs

pkgs.keystone

Lightweight multi-platform, multi-architecture assembler framework

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25339
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.

Affected products

wpforms-lite
  • =<<= 1.9.8.7

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25350
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Miti theme < 1.5.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Miti miti allows Reflected XSS.This issue affects Miti: from n/a through < 1.5.3.

Affected products

miti
  • =<< 1.5.3

Matching in nixpkgs

pkgs.commitizen

Tool to create committing rules for projects, auto bump versions, and generate changelogs

pkgs.commitizen-go

Command line utility to standardize git commit messages, golang version

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-23973
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Golo theme < 1.7.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo golo allows Reflected XSS.This issue affects Golo: from n/a through < 1.7.5.

Affected products

golo
  • =<< 1.7.5

Matching in nixpkgs

pkgs.gigolo

Frontend to easily manage connections to remote filesystems

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

Package maintainers

Permalink CVE-2026-30975
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    2 packages
    • home-assistant-component-tests.sonarr
    • tests.home-assistant-component-tests.sonarr
    2 months ago
  • @LeSuisse dismissed 2 months ago
Sonarr Authentication Bypass vulnerability

Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.

Affected products

Sonarr
  • ==< 4.0.16.2942

Matching in nixpkgs

Ignored packages (2)

Package maintainers

Current stable branch was never impacted: https://github.com/NixOS/nixpkgs/commit/e9a6f320c08199693a03a00662141897cd3c79ce
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-27051
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Golo theme <= 1.7.0 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation.This issue affects Golo: from n/a through <= 1.7.0.

Affected products

golo
  • =<<= 1.7.0

Matching in nixpkgs

pkgs.gigolo

Frontend to easily manage connections to remote filesystems

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25354
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Reebox theme < 1.4.8 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Reebox reebox allows Reflected XSS.This issue affects Reebox: from n/a through < 1.4.8.

Affected products

reebox
  • =<< 1.4.8

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-34085
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    5 packages
    • ocamlPackages.fontconfig
    • ocamlPackages_latest.fontconfig
    • python312Packages.python-fontconfig
    • python313Packages.python-fontconfig
    • python314Packages.python-fontconfig
    2 months ago
  • @LeSuisse dismissed 2 months ago
fontconfig before 2.17.1 has an off-by-one error in allocation during …

fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.

Affected products

fontconfig
  • <2.17.1

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Current stable branch was never impacted: https://github.com/NixOS/nixpkgs/commit/027094de97fd6dfe9ba1fa44c57d75701b5f1c35
Dismissed
(not in Nixpkgs)
Permalink CVE-2025-69347
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress WPSubscription plugin <= 1.8.10 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription subscription allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSubscription: from n/a through <= 1.8.10.

Affected products

subscription
  • =<<= 1.8.10

Matching in nixpkgs

pkgs.python313Packages.mypy-boto3-license-manager-user-subscriptions

Type annotations for boto3 license-manager-user-subscriptions

pkgs.python313Packages.mypy-boto3-license-manager-linux-subscriptions

Type annotations for boto3 license-manager-linux-subscriptions

Package maintainers