Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

Permalink CVE-2025-62068
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package haskellPackages.line2pdf
  • @LeSuisse dismissed
WordPress e2pdf plugin <= 1.28.09 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf e2pdf. This issue affects e2pdf: from n/a through 1.28.09.

Affected products

e2pdf
  • <= 1.28.09
Software not present in nixpkgs
Permalink CVE-2025-62402
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

Affected products

apache-airflow
  • <3.1.1

Matching in nixpkgs

Package maintainers

Only impacts > 3.0
Permalink CVE-2025-66388
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Affected products

apache-airflow
  • <3.1.4

Matching in nixpkgs

Package maintainers

Only impacts the 3.1.x branch.
Permalink CVE-2025-68438
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue.

Affected products

apache-airflow
  • <3.1.6

Matching in nixpkgs

Package maintainers

Only impacts the 3.1.x branch.
Permalink CVE-2025-68924
7.5 HIGH
  • CVSS version: 3.1
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    32 packages
    • wordpressPackages.plugins.hcaptcha-for-forms-and-more
    • chickenPackages_5.chickenEggs.sxml-transforms
    • python313Packages.django-formset-js-improved
    • python312Packages.django-formset-js-improved
    • home-assistant-component-tests.modern_forms
    • wordpressPackages.plugins.wpforms-lite
    • nodePackages_latest.@tailwindcss/forms
    • python313Packages.django-crispy-forms
    • python312Packages.django-crispy-forms
    • python313Packages.wtforms-bootstrap5
    • python313Packages.wtforms-sqlalchemy
    • python312Packages.wtforms-sqlalchemy
    • python312Packages.wtforms-bootstrap5
    • python313Packages.permissionedforms
    • python312Packages.permissionedforms
    • inkscape-extensions.applytransforms
    • haskellPackages.unicode-transforms
    • python313Packages.craft-platforms
    • python312Packages.craft-platforms
    • python313Packages.aiomodernforms
    • python313Packages.beanhub-forms
    • python312Packages.aiomodernforms
    • python312Packages.beanhub-forms
    • haskellPackages.unsafeperformst
    • nodePackages.@tailwindcss/forms
    • python313Packages.transforms3d
    • python312Packages.transforms3d
    • python313Packages.nitransforms
    • python312Packages.nitransforms
    • python313Packages.wtforms
    • python312Packages.wtforms
    • platformsh
  • @LeSuisse dismissed
In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply …

In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

Affected products

Forms
  • <= 8.13.16
Impacted software not present in nixpkgs
Permalink CVE-2025-62291
8.1 HIGH
  • CVSS version: 3.1
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • strongswanNM
    • strongswanTNC
    • strongswanTPM
    • networkmanager_strongswan
  • @LeSuisse dismissed
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a …

In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow.

Affected products

strongSwan
  • <6.0.3

Matching in nixpkgs

Current stable branch has never been impacted.

https://github.com/NixOS/nixpkgs/commit/d8a0ae9d79b2914faf8864c94e552211284094c5
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Lack of Authentication in the InputManager D-Bus interface

Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.

Affected products

inputplumber
  • <0.63.0

Matching in nixpkgs

Package maintainers

Unstable and current stable branches have never been impacted by this issue.
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Polkit authentication disabled by default in inputplumber

Polkit authentication disabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005.

Affected products

inputplumber
  • <0.63.0

Matching in nixpkgs

Package maintainers

Unstable and current stable branches have never been impacted by this issue.
Permalink CVE-2026-23744
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    29 packages
    • inspector
    • appium-inspector
    • rubyPackages.gh_inspector
    • perlPackages.ClassInspector
    • haskellPackages.hs-inspector
    • rubyPackages_3_1.gh_inspector
    • rubyPackages_3_2.gh_inspector
    • rubyPackages_3_3.gh_inspector
    • rubyPackages_3_4.gh_inspector
    • rubyPackages_3_5.gh_inspector
    • perl538Packages.ClassInspector
    • perl540Packages.ClassInspector
    • python312Packages.apkinspector
    • python313Packages.apkinspector
    • haskellPackages.amazonka-inspector
    • python312Packages.debian-inspector
    • python313Packages.debian-inspector
    • haskellPackages.amazonka-inspector2
    • kdePackages.accessibility-inspector
    • python312Packages.container-inspector
    • python313Packages.container-inspector
    • python312Packages.mypy-boto3-inspector
    • python313Packages.mypy-boto3-inspector
    • python312Packages.mypy-boto3-inspector2
    • python313Packages.mypy-boto3-inspector2
    • python312Packages.types-aiobotocore-inspector
    • python313Packages.types-aiobotocore-inspector
    • python312Packages.types-aiobotocore-inspector2
    • python313Packages.types-aiobotocore-inspector2
  • @LeSuisse dismissed
RCE in MCPJam inspector due to exposed HTTP endpoint

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier contain a remote code execution (RCE) vulnerability: an attacker can send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, the RCE can be triggered remotely via a simple HTTP request. Version 1.4.3 contains a patch.

Affected products

inspector
  • <= 1.4.2
Impacted software not present in nixpkgs
Permalink CVE-2026-0696
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    23 packages
    • mopsa
    • sipsak
    • sharpsat-td
    • purescript-psa
    • svndumpsanitizer
    • phpPackages.psalm
    • ocamlPackages.mopsa
    • php82Packages.psalm
    • php83Packages.psalm
    • php84Packages.psalm
    • haskellPackages.cpsa
    • python312Packages.tapsaff
    • python313Packages.tapsaff
    • nodePackages.purescript-psa
    • python312Packages.markupsafe
    • python312Packages.psautohint
    • python313Packages.markupsafe
    • python313Packages.psautohint
    • terraform-providers.vpsadmin
    • nodePackages_latest.purescript-psa
    • python312Packages.types-markupsafe
    • python313Packages.types-markupsafe
    • terraform-providers.vpsfreecz_vpsadmin
  • @LeSuisse dismissed
Session Cookies Missing HttpOnly Attribute

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

Affected products

PSA
  • All versions prior to 2026.1
Impacted software not present in nixpkgs