Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2019-25328
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse dismissed 2 months, 1 week ago
XnConvert 1.82 - Denial of Service

XnConvert 1.82 contains a denial of service vulnerability in its registration code input field that allows attackers to crash the application. Attackers can generate a 9000-byte buffer of repeated characters and paste it into the registration code field to trigger an application crash.

Affected products

XnConvert
  • ==1.82

Matching in nixpkgs

Package maintainers

Current stable branch was never impacted.
Permalink CVE-2019-25337
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored package owncloud-client 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
OwnCloud 8.1.8 - Username Disclosure

OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information.

Affected products

OwnCloud
  • ==8.1.8
Ignored packages (1)

pkgs.owncloud-client

Synchronise your ownCloud with your computer using this desktop client

Not present in nixpkgs
Permalink CVE-2025-59051
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    11 packages
    • rubyPackages.indieweb-endpoints
    • rubyPackages_3_1.indieweb-endpoints
    • rubyPackages_3_2.indieweb-endpoints
    • rubyPackages_3_3.indieweb-endpoints
    • rubyPackages_3_4.indieweb-endpoints
    • rubyPackages_4_0.indieweb-endpoints
    • python313Packages.alibabacloud-endpoint-util
    • python314Packages.alibabacloud-endpoint-util
    • python312Packages.azure-synapse-managedprivateendpoints
    • python313Packages.azure-synapse-managedprivateendpoints
    • python314Packages.azure-synapse-managedprivateendpoints
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
FreePBX Endpoint Manager command injection via Network Scanning feature

The FreePBX Endpoint Manager module includes a Network Scanning feature that provides web-based access to nmap functionality for network device discovery. In Endpoint Manager 16 before 16.0.92 and 17 before 17.0.6, insufficiently sanitized user-supplied input allows authenticated OS command execution as the asterisk user. Authentication with a known username is required. Updating to Endpoint Manager 16.0.92 or 17.0.6 addresses the issue.

Affected products

endpoint
  • ==>= 17.0.0, < 17.0.6
  • ==< 16.0.92
security-reporting
  • ==>= 17.0.0, < 17.0.6
  • ==< 16.0.92
Ignored packages (11) 
Not present in nixpkgs
Permalink CVE-2025-67513
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    11 packages
    • rubyPackages.indieweb-endpoints
    • rubyPackages_3_1.indieweb-endpoints
    • rubyPackages_3_2.indieweb-endpoints
    • rubyPackages_3_3.indieweb-endpoints
    • rubyPackages_3_4.indieweb-endpoints
    • rubyPackages_4_0.indieweb-endpoints
    • python313Packages.alibabacloud-endpoint-util
    • python314Packages.alibabacloud-endpoint-util
    • python312Packages.azure-synapse-managedprivateendpoints
    • python313Packages.azure-synapse-managedprivateendpoints
    • python314Packages.azure-synapse-managedprivateendpoints
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
FreePBX Endpoint Manager's Weak Default Password Allows Unauthenticated Access in Endpoint Module REST API

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.

Affected products

endpoint
  • ==< 16.0.96
  • ==>= 17.0.1, < 17.0.10
security-reporting
  • ==< 16.0.96
  • ==>= 17.0.1, < 17.0.10
Ignored packages (11) 
Not present in nixpkgs
Permalink CVE-2025-57819
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    11 packages
    • rubyPackages.indieweb-endpoints
    • rubyPackages_3_1.indieweb-endpoints
    • rubyPackages_3_2.indieweb-endpoints
    • rubyPackages_3_3.indieweb-endpoints
    • rubyPackages_3_4.indieweb-endpoints
    • rubyPackages_4_0.indieweb-endpoints
    • python313Packages.alibabacloud-endpoint-util
    • python314Packages.alibabacloud-endpoint-util
    • python312Packages.azure-synapse-managedprivateendpoints
    • python313Packages.azure-synapse-managedprivateendpoints
    • python314Packages.azure-synapse-managedprivateendpoints
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

Affected products

endpoint
  • ==< 16.0.89
  • ==< 17.0.3
  • ==< 15.0.66
security-reporting
  • ==< 16.0.89
  • ==< 17.0.3
  • ==< 15.0.66
Ignored packages (11) 
Not present in nixpkgs
Permalink CVE-2026-26273
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    11 packages
    • nim
    • nnd
    • nim1
    • nim2
    • nim-1_0
    • nim-2_0
    • nim-2_2
    • lixStatic
    • nixStatic
    • haskellPackages.ssh-known-hosts
    • haskellPackages.ghc-typelits-knownnat
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
Known affected by Account Takeover via Password Reset Token Leakage

Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.

Affected products

known
  • ==< 1.6.3
Ignored packages (11)

pkgs.nim

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

  • nixos-unstable -
    • nixpkgs-unstable 2.2.4
    • nixos-unstable-small 2.2.4

pkgs.nim1

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim2

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim-1_0

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

  • nixos-unstable -

pkgs.nim-2_0

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim-2_2

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

  • nixos-unstable -
    • nixpkgs-unstable 2.2.4
    • nixos-unstable-small 2.2.4 
Not present in nixpkgs
Permalink CVE-2025-61675
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    11 packages
    • rubyPackages.indieweb-endpoints
    • rubyPackages_3_1.indieweb-endpoints
    • rubyPackages_3_2.indieweb-endpoints
    • rubyPackages_3_3.indieweb-endpoints
    • rubyPackages_3_4.indieweb-endpoints
    • rubyPackages_4_0.indieweb-endpoints
    • python313Packages.alibabacloud-endpoint-util
    • python314Packages.alibabacloud-endpoint-util
    • python312Packages.azure-synapse-managedprivateendpoints
    • python313Packages.azure-synapse-managedprivateendpoints
    • python314Packages.azure-synapse-managedprivateendpoints
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
FreePBX Endpoint Manager vulnerable to authenticated SQL injection in multiple configuration parameters

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.

Affected products

endpoint
  • ==>= 17.0.0, < 17.0.6
  • ==< 16.0.92
security-reporting
  • ==>= 17.0.0, < 17.0.6
  • ==< 16.0.92
Ignored packages (11) 
Not present in nixpkgs
Permalink CVE-2025-67736
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    54 packages
    • tts
    • freetts
    • marytts
    • nanotts
    • picotts
    • piper-tts
    • pocket-tts
    • libgringotts
    • pkgsRocm.tts
    • tts-mod-vault
    • pkgsRocm.piper-tts
    • pkgsRocm.pocket-tts
    • python312Packages.gtts
    • python313Packages.gtts
    • python314Packages.gtts
    • python312Packages.pyttsx3
    • python312Packages.trainer
    • python313Packages.pyttsx3
    • python313Packages.trainer
    • python314Packages.pyttsx3
    • python314Packages.trainer
    • python312Packages.edge-tts
    • python313Packages.edge-tts
    • python314Packages.edge-tts
    • python312Packages.gtts-token
    • python313Packages.gtts-token
    • python313Packages.pocket-tts
    • python314Packages.gtts-token
    • python314Packages.pocket-tts
    • python312Packages.ttstokenizer
    • python313Packages.ttstokenizer
    • python314Packages.ttstokenizer
    • python312Packages.growattserver
    • python312Packages.pycsspeechtts
    • python313Packages.growattserver
    • python313Packages.pycsspeechtts
    • python314Packages.growattserver
    • python314Packages.pycsspeechtts
    • pkgsRocm.python3Packages.trainer
    • home-assistant-component-tests.tts
    • pkgsRocm.python3Packages.pocket-tts
    • python312Packages.brottsplatskartan
    • python313Packages.brottsplatskartan
    • python314Packages.brottsplatskartan
    • home-assistant-component-tests.marytts
    • home-assistant-component-tests.yandextts
    • tests.home-assistant-component-tests.tts
    • home-assistant-component-tests.clicksend_tts
    • tests.home-assistant-component-tests.marytts
    • tests.home-assistant-component-tests.yandextts
    • home-assistant-custom-components.elevenlabs_tts
    • home-assistant-component-tests.brottsplatskartan
    • tests.home-assistant-component-tests.clicksend_tts
    • tests.home-assistant-component-tests.brottsplatskartan
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
Authenticated SQL Injection in FreePBX tts (Text To Speech) module

The FreePBX module tts (Text to Speech) for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk. Versions prior to 16.0.5 and 17.0.5 are vulnerable to SQL injection by authenticated users with administrator access. Authenticated users with administrative access to the Administrator Control Panel (ACP) can leverage this SQL injection vulnerability to extract sensitive information from the database and execute code on the system as the `asterisk` user with chained elevation to `root` privileges. Users should upgrade to version 16.0.5 or 17.0.5 to receive a fix.

Affected products

tts
  • ==< 16.0.5
  • ==>= 17.0.0, < 17.0.5
security-reporting
  • ==< 16.0.5
  • ==>= 17.0.0, < 17.0.5
Ignored packages (54)

pkgs.tts

Deep learning toolkit for Text-to-Speech, battle-tested in research and production

pkgs.freetts

Text to speech system based on Festival written in Java

pkgs.piper-tts

Fast, local neural text to speech system

pkgs.pocket-tts

Lightweight text-to-speech (TTS) application designed to run efficiently on CPUs

  • nixos-unstable -
    • nixpkgs-unstable 1.0.3
    • nixos-unstable-small 1.0.3

pkgs.libgringotts

Small library to encapsulate data in an encrypted structure

pkgs.pkgsRocm.tts

Deep learning toolkit for Text-to-Speech, battle-tested in research and production

pkgs.tts-mod-vault

Download and backup assets for your Tabletop Simulator mods

pkgs.pkgsRocm.pocket-tts

Lightweight text-to-speech (TTS) application designed to run efficiently on CPUs

  • nixos-unstable -
    • nixpkgs-unstable 1.0.3
    • nixos-unstable-small 1.0.3 
Not present in nixpkgs
Permalink CVE-2025-64328
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse ignored
    2 packages
    • haskellPackages.filestore
    • haskellPackages.hakyll-filestore
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
FreePBX Administration GUI is Vulnerable to Authenticated Command Injection

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

Affected products

filestore
  • ==>= 17.0.2.36, < 17.0.3
security-reporting
  • ==>= 17.0.2.36, < 17.0.3
Ignored packages (2) 
Not present in nixpkgs
Permalink CVE-2018-1160
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @LeSuisse dismissed 2 months, 1 week ago
Netatalk before 3.1.12 is vulnerable to an out of bounds …

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

References

Affected products

Netatalk
  • ==Before 3.1.12

Matching in nixpkgs

Package maintainers

Current stable branch was never impacted

https://github.com/NixOS/nixpkgs/commit/e8897ab7f6e1c0f73ee552acaf3ac909553c8f91