Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-23553
2.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @SigmaSquadron Activity log
  • Created automatic suggestion 1 month, 3 weeks ago
  • @SigmaSquadron dismissed 1 month, 3 weeks ago
x86: incomplete IBPB for vCPU isolation

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.

References

Affected products

Xen
  • ==consult Xen advisory XSA-479

Matching in nixpkgs

pkgs.xen

Type-1 hypervisor intended for embedded and hyperscale use cases

pkgs.xenomapper

Utility for post processing mapped reads that have been aligned to a primary genome and a secondary genome and binning reads into species specific, multimapping in each species, unmapped and unassigned bins

pkgs.nxengine-evo

Complete open-source clone/rewrite of the masterpiece jump-and-run platformer Doukutsu Monogatari (also known as Cave Story)

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

Package maintainers

Already fixed.
Permalink CVE-2025-55292
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 3 weeks ago
  • @LeSuisse removed
    47 packages
    • python313Packages.ha-silabs-firmware-client
    • ghidra-extensions.ghidra-firmware-utils
    • azure-cli-extensions.firmwareanalysis
    • ath9k-htc-blobless-firmware-unstable
    • python313Packages.virt-firmware
    • python312Packages.virt-firmware
    • armTrustedFirmwareAllwinnerH6
    • armTrustedFirmwareAllwinnerH616
    • nitrokey-storage-firmware
    • armTrustedFirmwareAllwinner
    • ath9k-htc-blobless-firmware
    • raspberrypiWirelessFirmware
    • nitrokey-trng-rs232-firmware
    • armTrustedFirmwareRK3568
    • armTrustedFirmwareRK3588
    • armTrustedFirmwareRK3399
    • armTrustedFirmwareRK3328
    • sigrok-firmware-fx2lafw
    • nitrokey-start-firmware
    • b43Firmware_5_1_138
    • facetimehd-firmware
    • intel2200BGFirmware
    • xow_dongle-firmware
    • broadcom-bt-firmware
    • uefi-firmware-parser
    • nitrokey-pro-firmware
    • armTrustedFirmwareQemu
    • armTrustedFirmwareS905
    • libreelec-dvb-firmware
    • armTrustedFirmwareTools
    • b43Firmware_6_30_163_46
    • nitrokey-fido2-firmware
    • rtl8192su-firmware
    • system76-firmware
    • rtl8761b-firmware
    • klipper-firmware
    • firmware-updater
    • armbian-firmware
    • firmware-manager
    • zd1211fw
    • sof-firmware
    • alsa-firmware
    • ivsc-firmware
    • raspberrypifw
    • gnome-firmware
    • linux-firmware
    • rt5677-firmware
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
In Meshtastic, an attacker can spoof licensed amateur flag for a node

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.

References

Affected products

firmware
  • ==<= 2.6.2 
Not present in nixpkgs
Permalink CVE-2026-23889
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 3 weeks ago
  • @LeSuisse removed package pnpm-shell-completion 1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
pnpm has Windows-specific tarball Path Traversal

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.

References

Affected products

pnpm
  • ==< 10.28.1

Matching in nixpkgs

Package maintainers

No Windows support.
Permalink CVE-2025-64368
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package bombardier 2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Bard theme <= 1.6 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes Bard bardwp allows Cross Site Request Forgery.This issue affects Bard: from n/a through <= 1.6.

References

Affected products

bardwp
  • =<<= 1.6 
WP theme not present in nixpkgs
Permalink CVE-2025-68508
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package brave 2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Brave plugin <= 0.8.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brave Brave brave-popup-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Brave: from n/a through <= 0.8.3.

References

Affected products

brave-popup-builder
  • =<<= 0.8.3 
WP plugin not present in nixpkgs
Permalink CVE-2025-62962
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    11 packages
    • python313Packages.types-aiobotocore-cloudsearchdomain
    • python312Packages.types-aiobotocore-cloudsearchdomain
    • python313Packages.types-aiobotocore-cloudsearch
    • python312Packages.types-aiobotocore-cloudsearch
    • python313Packages.mypy-boto3-cloudsearchdomain
    • python312Packages.mypy-boto3-cloudsearchdomain
    • haskellPackages.amazonka-cloudsearch-domains
    • python313Packages.mypy-boto3-cloudsearch
    • python312Packages.mypy-boto3-cloudsearch
    • haskellPackages.amazonka-cloudsearch
    • haskellPackages.gogol-cloudsearch
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress CloudSearch plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Andrea Landonio CloudSearch cloud-search allows Stored XSS.This issue affects CloudSearch: from n/a through <= 3.0.0.

References

Affected products

cloud-search
  • =<<= 3.0.0 
WP plugin not present in nixpkgs
Permalink CVE-2021-47857
7.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • moodle-dl
    • moodle
    2 months ago
  • @LeSuisse dismissed 2 months ago
Moodle 3.10.3 - 'label' Persistent Cross Site Scripting

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

References

Affected products

Moodle
  • ==3.10.3 
Current stable and unstable branches not impacted
Permalink CVE-2026-23524
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • hybridreverb2
    • dragonfly-reverb
    2 months ago
  • @LeSuisse dismissed 2 months ago
Laravel Redis Horizontal Scaling Insecure Deserialization

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

References

Affected products

reverb
  • ==< 1.7.0 
Not present in nixpkgs
Permalink CVE-2026-23975
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • ligolo-ng
    • xfce.gigolo
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Golo theme < 1.7.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.This issue affects Golo: from n/a through < 1.7.5.

References

Affected products

golo
  • =<< 1.7.5 
WP theme not packaged in nixpkgs
Permalink CVE-2025-68008
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package wordpressPackages.plugins.wp-mail-smtp 2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3.

References

Affected products

wp-mail
  • =<<= 1.3 
`wp-mail` plugin not packaged in nixpkgs