Nixpkgs security tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.


CVE-2025-68458
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • perlPackages.MojoliciousPluginWebpack
    • python312Packages.django-webpack-loader
    • python313Packages.django-webpack-loader
    • python314Packages.django-webpack-loader
    • perl538Packages.MojoliciousPluginWebpack
    • perl540Packages.MojoliciousPluginWebpack
  • @LeSuisse dismissed
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
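The two checks the description contrasts, as an added example that is not webpack's own code: a raw `startsWith()` allow-list check on the URL string beside a check on the parsed URL, run over a constructed allow-list entry and constructed test URLs. The userinfo URL is the class of input the advisory describes; the host-suffix URL is a further case the same prefix check lets through, included to show that comparing parsed origins closes both. The exact code webpack's HttpUriPlugin used before 5.104.1 is not reproduced here.

```javascript
// Added example, not webpack's own code. Shows why an allow-list must be
// enforced on the parsed URL rather than on the raw string, using the
// WHATWG URL parser that Node ships (global URL, no imports needed).

// Constructed allow-list, in the shape a build might pass as allowedUris.
const ALLOWED = ["https://cdn.example.com"];

// Vulnerable shape: a raw prefix check on the unparsed string.
// "https://cdn.example.com@evil.example/x.js" starts with the allowed
// prefix, so it passes, although the request goes to evil.example.
function isAllowedByPrefix(uri, allowed = ALLOWED) {
  return allowed.some((prefix) => uri.startsWith(prefix));
}

// Hardened shape: parse first, then compare origin (scheme + host + port)
// and path prefix of the *parsed* URL. Refuse any URL carrying userinfo,
// since fetching public module source never needs credentials in the URL.
function isAllowedByOrigin(uri, allowed = ALLOWED) {
  let target;
  try {
    target = new URL(uri);
  } catch {
    return false; // unparsable input is not allow-listed
  }
  if (target.username !== "" || target.password !== "") return false;
  if (target.protocol !== "https:") return false;
  return allowed.some((entry) => {
    const ref = new URL(entry);
    return (
      target.origin === ref.origin &&
      target.pathname.startsWith(ref.pathname)
    );
  });
}

// The authority the HTTP client would actually connect to: everything
// before "@" in the authority is userinfo, not part of the host.
function effectiveHost(uri) {
  return new URL(uri).host;
}

// Constructed inputs: a legitimate fetch, the userinfo bypass from the
// advisory, and a host-suffix variant the prefix check also accepts.
const CASES = {
  legit: "https://cdn.example.com/lib/runtime.js",
  userinfo: "https://cdn.example.com@evil.example/lib/runtime.js",
  suffix: "https://cdn.example.com.evil.example/lib/runtime.js",
};

// Returns what each check decides and where the request would really go.
function evaluate(uri) {
  return {
    prefixCheck: isAllowedByPrefix(uri),
    originCheck: isAllowedByOrigin(uri),
    connectsTo: effectiveHost(uri),
  };
}

for (const [name, uri] of Object.entries(CASES)) {
  console.log(name, evaluate(uri));
}
```

Run it under Node to see that `prefixCheck` is true for all three inputs while `originCheck` accepts only the legitimate URL; `connectsTo` makes the bypass visible, since the userinfo URL resolves to the attacker's host. Rejecting userinfo outright, rather than merely comparing hosts, is a deliberate choice: it also blocks credential-bearing URLs from leaking into build logs or lockfiles.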

Affected products

webpack
  • >= 5.49.0, < 5.104.1

Matching in nixpkgs

pkgs.nodePackages.webpack

Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

pkgs.nodePackages_latest.webpack

Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Ignored packages (6)

Package maintainers

Current stable was never impacted.

https://github.com/NixOS/nixpkgs/commit/a94dc905b34f1d2cac0c6145311ec8699293c277
CVE-2020-37014
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored package tryton
  • @jopejoe1 dismissed
Tryton 5.4 - Persistent Cross-Site Scripting

Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.

Affected products

Tryton
  • =<5.4

Matching in nixpkgs

pkgs.trytond

Server of the Tryton application platform

Ignored packages (1)

pkgs.tryton

Client of the Tryton application platform

Package maintainers

Current stable was never impacted.

https://github.com/NixOS/nixpkgs/commit/218c8509c6ce25945c2c253d15e9542033d4de44
CVE-2021-47908
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    6 packages
    • nnd
    • nim1
    • nim2
    • nim-2_0
    • lixStatic
    • nixStatic
  • @jopejoe1 dismissed
Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions.

Affected products

Unknown
  • ==4.4
Ignored packages (6)

pkgs.nim1

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

pkgs.nim2

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

  • nixos-unstable 2.2.4
    • nixpkgs-unstable 2.2.4
    • nixos-unstable-small 2.2.4
  • nixos-25.11 -
    • nixos-25.11-small 2.2.4

pkgs.nim-2_0

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

Not present in nixpkgs
CVE-2026-2181
8.8 HIGH
  • CVSS version: 3.1
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored package go-crx3
  • @jopejoe1 dismissed
Tenda RX3 openSchedWifi stack-based overflow

A stack-based buffer overflow has been found in Tenda RX3 16.03.13.11, in an unknown function of the file /goform/openSchedWifi. Manipulating the argument schedStartTime/schedEndTime triggers the overflow. The attack can be launched remotely, and a public exploit is available.

Affected products

RX3
  • ==16.03.13.11
Ignored packages (1)
Not present in nixpkgs
CVE-2026-2192
7.2 HIGH
  • CVSS version: 3.1
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored package vimPlugins.nvim-treesitter-parsers.kconfig
  • @jopejoe1 dismissed
Tenda AC9 formGetRebootTimer stack-based overflow

A stack-based buffer overflow has been found in Tenda AC9 15.03.06.42_multi, in the function formGetRebootTimer. Manipulating the argument sys.schedulereboot.start_time/sys.schedulereboot.end_time triggers the overflow. The attack can be launched remotely, and a public exploit is available.

Affected products

AC9
  • ==15.03.06.42_multi
Ignored packages (1)
Not present in nixpkgs
CVE-2026-2187
8.8 HIGH
  • CVSS version: 3.1
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 dismissed
Tenda RX3 formSetQosBand set_qosMib_list stack-based overflow

A stack-based buffer overflow has been found in Tenda RX3 16.03.13.11, in the function set_qosMib_list of the file /goform/formSetQosBand. Manipulating the argument list triggers the overflow. The attack can be launched remotely, and a public exploit is available.

Affected products

RX3
  • ==16.03.13.11

Matching in nixpkgs

Package maintainers

Not present in nixpkgs
CVE-2026-2191
7.2 HIGH
  • CVSS version: 3.1
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 dismissed
Tenda AC9 formGetDdosDefenceList stack-based overflow

A stack-based buffer overflow has been found in Tenda AC9 15.03.06.42_multi, in the function formGetDdosDefenceList. Manipulating the argument security.ddos.map triggers the overflow. The attack can be launched remotely, and a public exploit is available.

Affected products

AC9
  • ==15.03.06.42_multi

Matching in nixpkgs

Not present in nixpkgs
CVE-2026-2185
8.8 HIGH
  • CVSS version: 3.1
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored package go-crx3
  • @jopejoe1 dismissed
Tenda RX3 MAC Filtering Configuration Endpoint setBlackRule set_device_name stack-based overflow

A stack-based buffer overflow has been found in Tenda RX3 16.03.13.11, in the function set_device_name of the file /goform/setBlackRule (MAC Filtering Configuration Endpoint). Manipulating the argument devName/mac triggers the overflow. The attack can be carried out remotely, and a public exploit is available.

Affected products

RX3
  • ==16.03.13.11
Ignored packages (1)
Not present in nixpkgs
CVE-2026-2180
8.8 HIGH
  • CVSS version: 3.1
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @LeSuisse ignored package go-crx3
  • @jopejoe1 dismissed
Tenda RX3 fast_setting_wifi_set stack-based overflow

A stack-based buffer overflow has been found in Tenda RX3 16.03.13.11, in an unknown function of the file /goform/fast_setting_wifi_set. Manipulating the argument ssid_5g triggers the overflow. The attack can be launched remotely, and a public exploit is available.

Affected products

RX3
  • ==16.03.13.11
Ignored packages (1)
Not present in nixpkgs
CVE-2025-47397
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 2 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 dismissed
Improper Release of Memory Before Removing Last Reference in Graphics

Memory corruption when initiating GPU memory mapping using scatter-gather lists, due to unchecked IOMMU mapping errors.

Affected products

Snapdragon
  • ==SA8155P
  • ==SW6100P
  • ==WCD9380
  • ==Snapdragon XR2+ Gen 1 Platform
  • ==QPA1086BD
  • ==Milos
  • ==SA8255P
  • ==QCA6696
  • ==WCD9390
  • ==WSA8845
  • ==QAM8255P
  • ==FastConnect 6900
  • ==SM6225P
  • ==SM8750P
  • ==WCD9341
  • ==QXM1096
  • ==Snapdragon 460 Mobile Platform
  • ==Snapdragon 8 Gen 3 Mobile Platform
  • ==FastConnect 7800
  • ==Snapdragon AR1 Gen 1 Platform
  • ==QCM5430
  • ==QCS2290
  • ==SAR1250P
  • ==QMB715
  • ==WCD9335
  • ==SM6650P
  • ==Snapdragon 480+ 5G Mobile Platform
  • ==WCN3990
  • ==TalynPlus
  • ==WCD9385
  • ==WCN6755
  • ==QCS4490
  • ==SA7775P
  • ==SRV1M
  • ==SA9000P
  • ==Snapdragon 8 Gen 2 Mobile Platform
  • ==IQ6 Series Platform
  • ==QCM8838
  • ==Snapdragon 662 Mobile Platform
  • ==QCM2290
  • ==WCD9375
  • ==SD662
  • ==Snapdragon 7s Gen 3 Mobile Platform
  • ==Snapdragon 695 5G Mobile Platform
  • ==SM7675
  • ==WCN6650
  • ==QCA6574A
  • ==LeMans_AU_LGIT
  • ==QCN9012
  • ==Orne
  • ==SSG2115P
  • ==WCN7860
  • ==QCM8550
  • ==SD865 5G
  • ==WCN7881
  • ==QCA6688AQ
  • ==QCS8550
  • ==QCM6125
  • ==QRB5165N
  • ==Snapdragon W5+ Gen 1 Wearable Platform
  • ==SA8195P
  • ==Snapdragon XR2 5G Platform
  • ==QCA6595AU
  • ==Palawan25
  • ==WCN6450
  • ==SSG2125P
  • ==LeMansAU
  • ==QAM8295P
  • ==Snapdragon 7 Gen 4 Mobile Platform
  • ==QAMSRV1M
  • ==SXR2330P
  • ==WCN3910
  • ==SW5100P
  • ==QXM1095
  • ==WCD9395
  • ==Qualcomm Video Collaboration VC3 Platform
  • ==Vision Intelligence 400 Platform
  • ==QCS4290
  • ==Kalpeni
  • ==WCN3950
  • ==Snapdragon 8+ Gen 1 Mobile Platform
  • ==WCD9370
  • ==SW6100
  • ==QXM1093
  • ==SM8635
  • ==Snapdragon 685 4G Mobile Platform
  • ==SXR1230P
  • ==Robotics RB5 Platform
  • ==Pandeiro
  • ==Milos_IOT
  • ==QMB415
  • ==WSA8835
  • ==SAR2230P
  • ==QCA8695AU
  • ==QAMSRV1H
  • ==SA7255P
  • ==SA8620P
  • ==WCN3988
  • ==QCA6574
  • ==Themisto
  • ==WCD9378
  • ==IQ8 Series Platform
  • ==QCA6698AQ
  • ==WSA8845H
  • ==SDR753
  • ==Snapdragon 8 Gen 1 Mobile Platform
  • ==IQ9 Series Platform
  • ==Snapdragon 4 Gen 2 Mobile Platform
  • ==Snapdragon 6 Gen 4 Mobile Platform
  • ==Snapdragon 8 Elite Gen 5
  • ==G1 Gen 1
  • ==FastConnect 6200
  • ==QMP1000
  • ==SA6155P
  • ==SD 8 Gen1 5G
  • ==SXR2250P
  • ==QXM1094
  • ==WCN3980
  • ==Snapdragon 8+ Gen 2 Mobile Platform
  • ==SAR2130P
  • ==QLN1086BD
  • ==QCN9274
  • ==QCM4325
  • ==QCM4490
  • ==Flight RB5 5G Platform
  • ==FastConnect 6700
  • ==Snapdragon 680 4G Mobile Platform
  • ==QCA6574AU
  • ==Snapdragon 4 Gen 1 Mobile Platform
  • ==SRV1L
  • ==IQ10 Series
  • ==QCA6797AQ
  • ==QCM6490
  • ==WSA8815
  • ==SM8550P
  • ==SA8770P
  • ==SXR2350P
  • ==SRV1H
  • ==QAM8397P
  • ==SM7675P
  • ==Snapdragon 8 Elite
  • ==QCS6690
  • ==QCA6595
  • ==QCA6678AQ
  • ==Qualcomm Video Collaboration VC1 Platform
  • ==Snapdragon 480 5G Mobile Platform
  • ==Qualcomm Video Collaboration VC5 Platform
  • ==WSA8830
  • ==WSA8832
  • ==QAM8797P
  • ==SM8635P
  • ==WCN7880
  • ==WSA8840
  • ==G2 Gen 1
  • ==QCA6698AU
  • ==Monaco_IOT
  • ==QAM8620P
  • ==QPA1083BD
  • ==SM8650Q
  • ==QCA6391
  • ==SW5100
  • ==QLN1083BD
  • ==SA8295P
  • ==WCN7861
  • ==SXR2230P
  • ==WSA8810
  • ==QCN9011
  • ==SM7635P

Matching in nixpkgs

Not present in nixpkgs