Nixpkgs Security Tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
  • @LeSuisse dismissed
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=DestinoControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
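The advisory describes the failure mode (nextPage is never validated) but not what a correct check looks like. The following is an added illustration in Python, not WeGIA's code: an allow-list for a redirect target that accepts only absolute paths on the application's own site or full URLs to its own host, and rejects other hosts, scheme-relative `//host` targets, the backslash variant that browsers normalise to `//`, userinfo tricks such as `https://good@evil`, and non-HTTP schemes such as `javascript:`. The host name wegia.example, the function names and the sample targets are assumptions made for the example.

```python
from typing import Optional
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Return True only if `target` stays on `allowed_host`.

    Policy: allow an absolute path ("/x") or an http(s) URL whose host
    is exactly `allowed_host`. Everything else is rejected.
    """
    if not target:
        return False

    # Browsers treat "/\evil.example" like "//evil.example", so normalise
    # backslashes before parsing rather than trusting the raw string.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    # Any scheme other than http/https (javascript:, data:, ...) is out.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if parts.netloc:
        # Absolute or scheme-relative URL: the parsed host (not the raw
        # netloc, which may carry "user@") must match exactly.
        host = parts.hostname
        return host is not None and host.lower() == allowed_host.lower()

    # No host present: accept only a site-absolute path. A leading "//"
    # cannot reach here (urlsplit would have produced a netloc), and
    # "http:///evil" parses to scheme=http, no netloc, path="/evil",
    # which fails the startswith("/") test on the original candidate.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_redirect(next_page: Optional[str], allowed_host: str,
                     default: str = "/") -> str:
    """Pick the page to redirect to, falling back to `default` if unsafe."""
    if next_page and is_safe_redirect(next_page, allowed_host):
        return next_page
    return default


if __name__ == "__main__":
    # Constructed sample targets of the kind an attacker would supply.
    for t in ["/home/index.php", "//evil.example", "/\\evil.example",
              "https://wegia.example@evil.example/", "javascript:alert(1)",
              "https://wegia.example/controle/control.php"]:
        print(f"{t!r:48} -> {resolve_redirect(t, 'wegia.example')}")
```

A simpler and safer design where the application controls both ends of the flow is to never accept a URL at all: store a short identifier for the intended destination and map it to a path server-side, so there is nothing for the attacker to supply.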

Affected products

WeGIA
  • < 3.6.2
Package not available in nixpkgs
Permalink CVE-2025-24022
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    11 packages
    • nvitop
    • psitop
    • gitopper
    • weave-gitops
    • luaPackages.luabitop
    • lua51Packages.luabitop
    • lua52Packages.luabitop
    • luajitPackages.luabitop
    • tailscale-gitops-pusher
    • python312Packages.anitopy
    • python313Packages.anitopy
  • @LeSuisse dismissed
iTop server vulnerable to portal code injection

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.

Affected products

iTop
  • >= 3.2.0, < 3.2.1
  • < 2.7.12
  • >= 3.0.0, < 3.1.3
Package not shipped in nixpkgs
Permalink CVE-2026-23724
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • perlPackages.SnowballNorwegian
    • perl538Packages.SnowballNorwegian
    • perl540Packages.SnowballNorwegian
  • @LeSuisse dismissed
WeGIA Stored Cross-Site Scripting (XSS) – atendido_idatendido Parameter on Occurrence Registration Page

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.

Affected products

WeGIA
  • < 3.6.2
Package not available in nixpkgs
Permalink CVE-2026-0695
8.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    23 packages
    • mopsa
    • sipsak
    • sharpsat-td
    • purescript-psa
    • svndumpsanitizer
    • phpPackages.psalm
    • ocamlPackages.mopsa
    • php82Packages.psalm
    • php83Packages.psalm
    • php84Packages.psalm
    • haskellPackages.cpsa
    • python312Packages.tapsaff
    • python313Packages.tapsaff
    • nodePackages.purescript-psa
    • python312Packages.markupsafe
    • python312Packages.psautohint
    • terraform-providers.vpsfreecz_vpsadmin
    • python313Packages.types-markupsafe
    • python312Packages.types-markupsafe
    • nodePackages_latest.purescript-psa
    • terraform-providers.vpsadmin
    • python313Packages.psautohint
    • python313Packages.markupsafe
  • @LeSuisse dismissed
Stored XSS in Time Entry Audit Trail

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.
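The WeGIA dropdown entry above (CVE-2026-0695) and this ConnectWise PSA entry describe the same defect: stored, user-controlled text rendered into HTML without encoding for the context it lands in. The following is an added example in Python, not code from WeGIA or ConnectWise: it renders a `<select>` of the kind the WeGIA advisory mentions and a list of audit-trail notes, first with naive string interpolation and then with context-aware escaping. The record contents are constructed payloads, and the form field name atendido_idatendido is taken from the advisory title; the function names are assumptions.

```python
import html
from typing import Iterable, Tuple

# Constructed sample rows: what persisted attacker input looks like by the
# time a template renders it. The second name breaks out of a double-quoted
# attribute as well as of text content.
ATENDIDOS = [
    (7, "Maria Silva"),
    (8, '"><script>alert(document.cookie)</script>'),
]

NOTES = [
    "Replaced failed disk on srv-01",
    "<img src=x onerror=alert(1)>",
]


def render_select_unsafe(rows: Iterable[Tuple[int, str]]) -> str:
    """Vulnerable pattern: stored data interpolated straight into markup."""
    opts = "".join(f'<option value="{i}">{name}</option>' for i, name in rows)
    return f'<select name="atendido_idatendido">{opts}</select>'


def render_select(rows: Iterable[Tuple[int, str]]) -> str:
    """Hardened: every dynamic value is escaped for where it is placed.

    html.escape(quote=True) neutralises &, <, >, " and ', which covers
    both element text and a double-quoted attribute value. The id is
    escaped too rather than trusted just because it is usually numeric.
    """
    opts = "".join(
        f'<option value="{html.escape(str(i), quote=True)}">'
        f'{html.escape(name, quote=True)}</option>'
        for i, name in rows
    )
    return f'<select name="atendido_idatendido">{opts}</select>'


def render_notes(notes: Iterable[str]) -> str:
    """Audit-trail notes as list items; text context, so html.escape suffices."""
    return "<ul>" + "".join(f"<li>{html.escape(n)}</li>" for n in notes) + "</ul>"


def has_injected_tag(rendered: str, tag: str) -> bool:
    """Check whether a raw tag (e.g. '<script') survived into the output."""
    return tag.lower() in rendered.lower()


if __name__ == "__main__":
    print(render_select_unsafe(ATENDIDOS))
    print(render_select(ATENDIDOS))
    print(render_notes(NOTES))
```

Escaping at render time is the fix; "sanitising" on input is not a substitute, because the same stored string is reused in several contexts (text, attribute, JavaScript, URL) and each needs its own encoding. Templating engines that auto-escape by default achieve the same result without per-call discipline, provided the escape is not switched off for the field in question.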

Affected products

PSA
  • All versions prior to 2026.1
Does not impact a package available in nixpkgs
Permalink CVE-2025-14242
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
vsftpd: denial of service via integer overflow in ls command parameter parsing

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

References

Affected products

vsftpd
  • *

Matching in nixpkgs

Package maintainers

Only impacts a Red Hat-specific patch not shipped in nixpkgs

https://bugzilla.redhat.com/show_bug.cgi?id=2419826
Permalink CVE-2025-59029
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.

Affected products

pdns-recursor
  • <5.3.2

Matching in nixpkgs

Package maintainers

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html

5.2.x branch is not impacted.
Permalink CVE-2025-62762
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @SigmaSquadron Activity log
  • Created automatic suggestion
  • @SigmaSquadron removed package haskellPackages.smtp-mail
  • @SigmaSquadron removed maintainer @mpscholten
  • @SigmaSquadron accepted
  • @SigmaSquadron dismissed
WordPress SMTP Mail plugin <= 1.3.47 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.47.

Affected products

smtp-mail
  • <= 1.3.47
This is actually related to wordpressPackages.plugins.wp-mail-smtp, which has no maintainers, and it seems that the version in Nixpkgs is unaffected.
Permalink CVE-2025-67467
4.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @SigmaSquadron Activity log
  • Created automatic suggestion
  • @SigmaSquadron dismissed
WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1.

Affected products

give
  • <= 4.13.1

Matching in nixpkgs

We do not package that specific WP plugin.
Permalink CVE-2025-66527
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @SigmaSquadron Activity log
  • Created automatic suggestion
  • @SigmaSquadron dismissed
WordPress Lobo theme <= 2.8.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6.

Affected products

lobo
  • <= 2.8.6

Matching in nixpkgs

Package maintainers

We do not package the Lobo theme.
Permalink CVE-2025-58936
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package catamaran
  • @LeSuisse dismissed
WordPress Catamaran theme <= 1.15 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion. This issue affects Catamaran: from n/a through <= 1.15.

Affected products

catamaran
  • <= 1.15
WP theme not present in nixpkgs