Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2025-3641
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Moodle: authenticated remote code execution risk in the moodle lms dropbox repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

References

Affected products

moodle
  • <4.1.18
  • <4.5.4
  • <4.3.12
  • <4.4.8

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-3628
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Moodle: moodle assignment submission search leaks anonymous student identities

A flaw has was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.

References

Affected products

moodle
  • <4.5.4

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

  • nixos-unstable -

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-46421
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 1 month, 2 weeks ago
Libsoup: information disclosure may leads libsoup client sends authorization header to a different host when being redirected by a server

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

References

Affected products

libsoup
  • <3.6.5
  • *
libsoup3
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.libsoup_2_4

HTTP client/server library for GNOME

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-46420
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 1 month, 2 weeks ago
Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c

A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes.

References

Affected products

libsoup
  • *
  • <3.6.3
libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.libsoup_2_4

HTTP client/server library for GNOME

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-46483
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Peadig’s Google +1 Button <= 0.1.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Moss Peadig’s Google +1 Button allows DOM-Based XSS. This issue affects Peadig’s Google +1 Button: from n/a through 0.1.2.

References

Affected products

google-1
  • =<0.1.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-46400
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
fig2dev segmentation fault in read_arcobject

Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via read_arcobject function.

References

Affected products

xfig
  • =<3.2.9a
fig2dev
  • ==3.2.9a
transfig

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

  • nixos-unstable -

pkgs.transfig

Tool to convert Xfig files to other formats

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-46399
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
fig2dev segmentation fault in genge_itp_spline

Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via genge_itp_spline function.

References

Affected products

xfig
  • =<3.2.9a
fig2dev
  • ==3.2.9a
transfig

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

  • nixos-unstable -

pkgs.transfig

Tool to convert Xfig files to other formats

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-46397
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
fig2dev stack-overflow

Stack-overflow in fig2dev in version 3.2.9a allows an attacker possible code execution via local input manipulation via bezier_spline function.

References

Affected products

xfig
  • =<3.2.9a
fig2dev
  • ==3.2.9a
transfig
  • *

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

  • nixos-unstable -

pkgs.transfig

Tool to convert Xfig files to other formats

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-46398
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
fig2dev stack-overflow via read_objects

Stack-overflow in fig2dev in version 3.2.9a allows an attacker possible code execution via local input manipulation via read_objects function.

References

Affected products

xfig
  • =<3.2.9a
fig2dev
  • ==3.2.9a
transfig

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

  • nixos-unstable -

pkgs.transfig

Tool to convert Xfig files to other formats

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-39580
5.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
WordPress Dashi <= 3.1.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in jidaikobo Dashi allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dashi: from n/a through 3.1.8.

References

Affected products

dashi
  • =<3.1.8

Matching in nixpkgs

pkgs.dashing

Dash Generator Script for Any HTML

  • nixos-unstable -

Package maintainers