Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-3214
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.

Affected products

CAPTCHA
  • <1.17.0
  • <2.0.10

Matching in nixpkgs

pkgs.haskellPackages.hs-captcha

Generate images suitable for use as CAPTCHAs in online web-form security

  • nixos-unstable 1.0
    • nixpkgs-unstable 1.0
    • nixos-unstable-small 1.0
  • nixos-25.11 1.0
    • nixos-25.11-small 1.0
    • nixpkgs-25.11-darwin 1.0

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25360
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9.

Affected products

vex
  • =<< 1.2.9

Matching in nixpkgs

pkgs.survex

Free Software/Open Source software package for mapping caves

pkgs.vexctl

Tool to create, transform and attest VEX metadata

pkgs.vex-tui

Beautiful, fast, and feature-rich terminal-based Excel and CSV viewer built with Go

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25358
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Meloo theme < 2.8.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2.

Affected products

meloo
  • =<< 2.8.2

Matching in nixpkgs

pkgs.timeloop

Chip modeling/mapping benchmarking framework

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-24989
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress SUMO Affiliates Pro plugin < 11.4.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0.

Affected products

affs
  • =<< 11.4.0

Matching in nixpkgs

pkgs.unyaffs

Tool to extract files from a YAFFS2 file system image

  • nixos-unstable 0.9
    • nixpkgs-unstable 0.9
    • nixos-unstable-small 0.9
  • nixos-25.11 0.9
    • nixos-25.11-small 0.9
    • nixpkgs-25.11-darwin 0.9

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25460
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Ave Core plugin <= 2.9.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1.

Affected products

ave-core
  • =<<= 2.9.1

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-28890
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    13 packages
    • xcodes
    • xcodegen
    • xcode-install
    • rubyPackages.xcodeproj
    • rubyPackages_3_1.xcodeproj
    • rubyPackages_3_2.xcodeproj
    • rubyPackages_3_3.xcodeproj
    • rubyPackages_3_4.xcodeproj
    • rubyPackages_4_0.xcodeproj
    • darwin.xcodeProjectCheckHook
    • python312Packages.latexcodec
    • python313Packages.latexcodec
    • python314Packages.latexcodec
    2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
An out-of-bounds read was addressed with improved bounds checking. This …

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination.

Affected products

Xcode
  • <26.4
Ignored packages (13)

pkgs.xcodes

Command-line tool to install and switch between multiple versions of Xcode

pkgs.darwin.xcodeProjectCheckHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-32499
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress ChatBot plugin <= 7.7.9 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through <= 7.7.9.

Affected products

chatbot
  • =<<= 7.7.9

Matching in nixpkgs

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

  • nixos-unstable 25
    • nixpkgs-unstable 25
    • nixos-unstable-small 25
  • nixos-25.11 22
    • nixos-25.11-small 22
    • nixpkgs-25.11-darwin 22

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-22510
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Melody theme <= 1.6.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3.

Affected products

melodyschool
  • =<<= 1.6.3

Matching in nixpkgs

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-32540
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Bookly plugin <= 26.7 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS.This issue affects Bookly: from n/a through <= 26.7.

Affected products

bookly-responsive-appointment-booking-tool
  • =<<= 26.7

Matching in nixpkgs

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-22514
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Unica theme <= 1.4.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion.This issue affects Unica: from n/a through <= 1.4.1.

Affected products

unica
  • =<<= 1.4.1

Matching in nixpkgs

pkgs.unicap

Universal video capture API

pkgs.gnomeExtensions.server-communicator

Send API requests to servers or mount them at a click of a button. Copies and shows response in a dialog.

  • nixos-unstable 6
    • nixpkgs-unstable 6
    • nixos-unstable-small 6
  • nixos-25.11 6
    • nixos-25.11-small 6
    • nixpkgs-25.11-darwin 6

Package maintainers