Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-32600
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored package xml-security-c 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
xml-security is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

xml-security is a library that implements XML signatures and encryption. Prior to 2.3.1, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1.

Affected products

xml-security
  • ==< 2.3.1
Ignored packages (1) 
Not present in nixpkgs
Permalink CVE-2025-12455
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    8 packages
    • python312Packages.vertica-python
    • python313Packages.vertica-python
    • python314Packages.vertica-python
    • gnomeExtensions.vertical-app-grid
    • gnomeExtensions.vertical-workspaces
    • gnomeExtensions.vertical-window-list
    • obs-studio-plugins.obs-vertical-canvas
    • kakounePlugins.kakoune-vertical-selection
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
Username Enumeration Observable Response Discrepancy vulnerability has been discovered in OpenText™ Vertica.

Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing.   The vulnerability could lead to Password Brute Forcing in Vertica management console application.This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X.

Affected products

Vertica
  • =<10.x
  • =<12.x
  • =<11.x
Ignored packages (8)

pkgs.gnomeExtensions.vertical-workspaces

V-Shell is designed to enhance and customize the user experience by providing flexible workspace orientations and a variety of interface adjustments, including application grid customization and productivity improvements.

  • nixos-unstable 108
    • nixpkgs-unstable 108
    • nixos-unstable-small 108
  • nixos-25.11 100
    • nixos-25.11-small 100
    • nixpkgs-25.11-darwin 100 
Not present in nixpkgs
Permalink CVE-2026-32332
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • ocamlPackages.easy-format
    • ocamlPackages_latest.easy-format
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Easy Form plugin <= 2.7.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.9.

Affected products

easy-form
  • =<<= 2.7.9
Ignored packages (2) 
WP plugin not present in nixpkgs
Permalink CVE-2026-32388
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored package glbinding 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress GLB theme <= 1.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in linethemes GLB glb allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GLB: from n/a through <= 1.2.2.

Affected products

glb
  • =<<= 1.2.2
Ignored packages (1)

pkgs.glbinding

C++ binding for the OpenGL API, generated using the gl.xml specification

WP theme not present in nixpkgs
Permalink CVE-2026-32415
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    14 packages
    • squeezelite
    • squeezelite-pulse
    • postgresqlPackages.pg_squeeze
    • python312Packages.pysqueezebox
    • python313Packages.pysqueezebox
    • python314Packages.pysqueezebox
    • postgresql13Packages.pg_squeeze
    • postgresql14Packages.pg_squeeze
    • postgresql15Packages.pg_squeeze
    • postgresql16Packages.pg_squeeze
    • postgresql17Packages.pg_squeeze
    • postgresql18Packages.pg_squeeze
    • home-assistant-component-tests.squeezebox
    • tests.home-assistant-component-tests.squeezebox
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Squeeze plugin <= 1.7.7 - Directory Traversal vulnerability

Path Traversal: '.../...//' vulnerability in Bogdan Bendziukov Squeeze squeeze allows Path Traversal.This issue affects Squeeze: from n/a through <= 1.7.7.

Affected products

squeeze
  • =<<= 1.7.7
Ignored packages (14) 
WP plugin not present in nixpkgs
Permalink CVE-2026-4179
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.smoke-zephyr
    • python313Packages.smoke-zephyr
    • python314Packages.smoke-zephyr
    • python312Packages.zephyr-python-api
    • python313Packages.zephyr-python-api
    • python314Packages.zephyr-python-api
    • python312Packages.zephyr-test-management
    • python313Packages.zephyr-test-management
    • python314Packages.zephyr-test-management
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
stm32: usb: Infinite while loop in Interrupt Handler

Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.

Affected products

Zephyr
  • =<4.3
Ignored packages (9) 
Not present in nixpkgs
Permalink CVE-2026-0849
3.8 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.smoke-zephyr
    • python313Packages.smoke-zephyr
    • python314Packages.smoke-zephyr
    • python312Packages.zephyr-python-api
    • python313Packages.zephyr-python-api
    • python314Packages.zephyr-python-api
    • python312Packages.zephyr-test-management
    • python313Packages.zephyr-test-management
    • python314Packages.zephyr-test-management
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
crypto: ATAES132A response length allows stack buffer overflow

Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

Affected products

Zephyr
  • =<4.3
Ignored packages (9) 
Not present in nixpkgs
Permalink CVE-2026-4039
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Not Defined (X)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
OpenClaw Skill Env applySkillConfigenvOverrides code injection

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.

Affected products

OpenClaw
  • ==2026.2.21-beta.1
  • ==2026.2.19-2

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7

nixpkgs was never impacted, package was initialized at 2026.2.26
Permalink CVE-2026-32376
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 1 week ago
  • @LeSuisse ignored
    4 packages
    • askalono
    • python312Packages.pyaskalono
    • python313Packages.pyaskalono
    • python314Packages.pyaskalono
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Kalon theme <= 1.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in raratheme Kalon kalon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kalon: from n/a through <= 1.2.9.

Affected products

kalon
  • =<<= 1.2.9
Ignored packages (4)

pkgs.askalono

Tool to detect open source licenses from texts

WP theme not present in nixpkgs
Permalink CVE-2026-3904
6.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 1 week ago by @pyrox0 Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @pyrox0 ignored
    24 packages
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • getent
    • locale
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibcLocales
    • glibcLocalesUtf8
    • glibc_memusage
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • tests.hardeningFlags.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    2 months, 1 week ago
  • @pyrox0 dismissed 2 months, 1 week ago
Calling NSS-backed functions that support caching via nscd may call …

Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue.  However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well.  Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository. It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client.

Affected products

glibc
  • <2.37

Matching in nixpkgs

Ignored packages (24)

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

Does not apply to nixpkgs' packaged versions