Nixpkgs Security Tracker


Automatically generated suggestions

CVE-2025-32052
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 1 month, 2 weeks ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"
Libsoup: heap buffer overflow in sniff_unknown()

A flaw was found in libsoup: the sniff_unknown() content-sniffing function may read past the end of a heap buffer (heap buffer over-read) while inspecting a response body.

References

Affected products

libsoup
  • <3.6.1
  • *
libsoup3
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.libsoup_2_4

HTTP client/server library for GNOME

  • nixos-unstable -

Package maintainers

CVE-2025-3155
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Yelp: arbitrary file read

A flaw was found in Yelp, the GNOME user help application: a help document can cause arbitrary scripts to be executed. An attacker who gets a user to open a malicious help document may therefore exfiltrate the user's files to an external host.

References

Affected products

yelp
  • <42.2-8
  • *
yelp-xsl
  • *

Matching in nixpkgs

pkgs.yelp

Help viewer for GNOME

  • nixos-unstable -

pkgs.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook

  • nixos-unstable -

pkgs.yelp-tools

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

  • nixos-unstable -

Package maintainers

CVE-2025-32053
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 1 month, 2 weeks ago by @LeSuisse
Activity log:
  • Created automatic suggestion
  • @LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"
Libsoup: heap buffer overflows in sniff_feed_or_html() and skip_insignificant_space()

A flaw was found in libsoup: the sniff_feed_or_html() and skip_insignificant_space() content-sniffing functions may read past the end of a heap buffer (heap buffer over-read) while inspecting a response body.

References

Affected products

libsoup
  • <3.6.1
  • *
libsoup3
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

  • nixos-unstable -

pkgs.libsoup_2_4

HTTP client/server library for GNOME

  • nixos-unstable -

Package maintainers
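
The two libsoup entries above (CVE-2025-32052 and CVE-2025-32053) describe the same bug class in three content-sniffing routines: a byte-pattern compare or whitespace skip whose loop is bounded by the bytes it happens to find in memory rather than by the length of the response body. The C program below is an added illustration written for this page, not libsoup's code; sniff_vulnerable(), sniff_fixed(), bytes_read_past_end() and the four-entry pattern table are hypothetical, in the style of the MIME Sniffing algorithm such libraries implement. The body comes from the server, so it can be shorter than any pattern or consist entirely of whitespace; the vulnerable sniffer runs past it, the fixed one checks the length before every read. To keep the demo itself well-defined, the short body is placed at the front of a larger sentinel-filled allocation and the reads are counted.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Demo instrumentation only: highest buffer index any sniffer read, plus one
 * (0 means nothing was read). Every buffer access goes through peek(). */
static size_t g_bytes_touched;

static uint8_t peek(const uint8_t *buf, size_t i)
{
    if (i + 1 > g_bytes_touched)
        g_bytes_touched = i + 1;
    return buf[i];
}

/* Hypothetical pattern table: a small subset in the style of the MIME
 * Sniffing algorithm. Letters are compared case-insensitively. */
typedef struct { const char *pattern; const char *mime; } sniff_pattern;
static const sniff_pattern kPatterns[] = {
    { "<!DOCTYPE HTML", "text/html" },
    { "<HTML",          "text/html" },
    { "<?xml",          "text/xml" },
    { "%PDF-",          "application/pdf" },
};
#define N_PATTERNS (sizeof kPatterns / sizeof kPatterns[0])

static bool byte_matches(uint8_t pat, uint8_t res)
{
    return toupper(pat) == toupper(res);
}

/* VULNERABLE (the bug class in the advisories): the whitespace skip and the
 * pattern compare stop only when the bytes they find stop matching. Neither
 * consults res_len, so a body shorter than a pattern, or made entirely of
 * whitespace, sends the loops past the end of the heap buffer. */
static const char *sniff_vulnerable(const uint8_t *res, size_t res_len)
{
    (void)res_len;                          /* never used: that is the bug */
    size_t start = 0;
    while (isspace(peek(res, start)))       /* skip_insignificant_space, unbounded */
        start++;
    for (size_t p = 0; p < N_PATTERNS; p++) {
        const char *pat = kPatterns[p].pattern;
        size_t pat_len = strlen(pat), i = 0;
        while (i < pat_len && byte_matches((uint8_t)pat[i], peek(res, start + i)))
            i++;                            /* start + i may exceed res_len */
        if (i == pat_len)
            return kPatterns[p].mime;
    }
    return "application/octet-stream";
}

/* FIXED: every read is guarded by res_len, and a pattern longer than the
 * remaining body is rejected before any of its bytes are compared. */
static const char *sniff_fixed(const uint8_t *res, size_t res_len)
{
    size_t start = 0;
    while (start < res_len && isspace(peek(res, start)))
        start++;
    for (size_t p = 0; p < N_PATTERNS; p++) {
        const char *pat = kPatterns[p].pattern;
        size_t pat_len = strlen(pat), i = 0;
        if (res_len - start < pat_len)      /* start <= res_len holds here */
            continue;
        while (i < pat_len && byte_matches((uint8_t)pat[i], peek(res, start + i)))
            i++;
        if (i == pat_len)
            return kPatterns[p].mime;
    }
    return "application/octet-stream";
}

typedef const char *(*sniffer_fn)(const uint8_t *, size_t);

/* Put a short body at the front of a 64-byte allocation filled with a
 * non-whitespace, non-matching sentinel (0xAA), run the sniffer with the
 * body's true length, and report how many bytes it read past that length.
 * On a real heap the bytes that follow the buffer decide how far it runs. */
static size_t bytes_read_past_end(sniffer_fn fn, const char *body, size_t body_len)
{
    enum { ALLOC = 64 };
    uint8_t *heap = malloc(ALLOC);
    if (!heap || body_len > ALLOC / 2)
        return (size_t)-1;
    memset(heap, 0xAA, ALLOC);
    memcpy(heap, body, body_len);
    g_bytes_touched = 0;
    fn(heap, body_len);
    size_t past = g_bytes_touched > body_len ? g_bytes_touched - body_len : 0;
    free(heap);
    return past;
}

int main(void)
{
    const char *cases[] = { "<!DOC", "   ", "" };   /* constructed bodies */
    for (size_t c = 0; c < 3; c++) {
        size_t len = strlen(cases[c]);
        printf("body of %zu byte(s): vulnerable reads %zu past end, fixed reads %zu\n", len,
               bytes_read_past_end(sniff_vulnerable, cases[c], len),
               bytes_read_past_end(sniff_fixed, cases[c], len));
    }
    return 0;
}
```

The three constructed bodies are the cases the advisories name: a truncated pattern prefix, all whitespace, and an empty body. With the sentinel the vulnerable sniffer reads exactly one byte too far each time; with real heap contents that happen to match (or to be whitespace) the loops keep going, which is what turns the bug into an information leak or crash. The fix is not clever: check the length before the read, in both loops.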

CVE-2025-30673
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
Sub::HandlesVia for Perl allows untrusted code to be included from the current working directory

Sub::HandlesVia for Perl before 0.050002 allows untrusted code from the current working directory ('.') to be loaded, similar to CVE-2016-1238. If an attacker can place a malicious file in the current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. The affected code section is generated by Mite, so this issue stems from CVE-2025-30672.

Affected products

Sub-HandlesVia
  • <0.050002

Matching in nixpkgs

CVE-2025-31784
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
WordPress Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more Plugin <= 1.4.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Rudy Susanto Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more allows Cross Site Request Forgery. This issue affects Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more: from n/a through 1.4.0.

Affected products

embed-extended
  • =<1.4.0

Matching in nixpkgs

CVE-2025-31787
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
WordPress Cue by AudioTheme.com plugin <= 2.4.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brady Vercher Cue allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cue: from n/a through 2.4.4.

Affected products

cue
  • =<2.4.4

Matching in nixpkgs

pkgs.cue

Data constraint language which aims to simplify tasks involving defining and using data

  • nixos-unstable -

pkgs.mkcue

Generates CUE sheets from a CD TOC

  • nixos-unstable -
    • nixpkgs-unstable 1

pkgs.cuelsp

Language Server implementation for CUE, with built-in support for Dagger

  • nixos-unstable -

pkgs.cuetsy

Experimental CUE->TypeScript exporter

  • nixos-unstable -

pkgs.libcue

CUE Sheet Parser Library

  • nixos-unstable -

pkgs.cuetools

Set of utilities for working with cue files and toc files

  • nixos-unstable -

pkgs.ddrescue

GNU ddrescue, a data recovery tool

  • nixos-unstable -

pkgs.mrrescue

Arcade-style fire fighting game

  • nixos-unstable -

pkgs.myrescue

Hard disk recovery tool that reads undamaged regions first

  • nixos-unstable -

pkgs.dd_rescue

Tool to copy data from a damaged block device

pkgs.rescuetime

Helps you understand your daily habits so you can focus and be more productive

pkgs.ddrescueview

Tool to graphically examine ddrescue mapfiles

  • nixos-unstable -

Package maintainers

CVE-2025-31846
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
WordPress Theater for WordPress plugin <= 0.18.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through 0.18.7.

Affected products

theatre
  • =<0.18.7

Matching in nixpkgs

CVE-2025-31446
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress WP Cleaner plugin <= 1.1.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jiangmiao WP Cleaner allows Reflected XSS. This issue affects WP Cleaner: from n/a through 1.1.5.

Affected products

wpcleaner
  • =<1.1.5

Matching in nixpkgs

Package maintainers

CVE-2025-31557
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress OSM – OpenStreetMap plugin <= 6.1.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MiKa OSM – OpenStreetMap allows DOM-Based XSS. This issue affects OSM – OpenStreetMap: from n/a through 6.1.6.

Affected products

osm
  • =<6.1.6

Matching in nixpkgs

pkgs.josm

Extensible editor for OpenStreetMap

  • nixos-unstable -

pkgs.osmo

Handy personal organizer

  • nixos-unstable -

pkgs.mosml

Light-weight implementation of Standard ML

  • nixos-unstable -

pkgs.osmid

Lightweight, portable, easy to use tool to convert MIDI to OSC and OSC to MIDI

  • nixos-unstable -

pkgs.erosmb

SMB network scanner

  • nixos-unstable -

pkgs.gosmee

Command line server and client for webhooks deliveries (and https://smee.io)

  • nixos-unstable -

pkgs.imposm

Imports OpenStreetMap data into PostGIS

  • nixos-unstable -

pkgs.qosmic

Cosmic recursive flame fractal editor

  • nixos-unstable -

pkgs.cosmocc

Compilers for Cosmopolitan C/C++ programs

  • nixos-unstable -

pkgs.readosm

Open source library to extract valid data from within an Open Street Map input file

  • nixos-unstable -

pkgs.osmo-bsc

GSM Base Station Controller

  • nixos-unstable -

pkgs.osmo-bts

Osmocom GSM Base Transceiver Station (BTS)

  • nixos-unstable -

pkgs.osmo-hlr

Osmocom implementation of 3GPP Home Location Register (HLR)

  • nixos-unstable -

pkgs.osmo-iuh

Osmocom IuH library

  • nixos-unstable -

pkgs.osmo-mgw

Osmocom Media Gateway (MGW); speaks RTP and E1 as well as MGCP

  • nixos-unstable -

pkgs.osmo-msc

Osmocom implementation of 3GPP Mobile Switching Centre (MSC)

  • nixos-unstable -

pkgs.osmo-pcu

Osmocom Packet control Unit (PCU): Network-side GPRS (RLC/MAC); BTS- or BSC-colocated

  • nixos-unstable -

pkgs.libosmium

Fast and flexible C++ library for working with OpenStreetMap data

  • nixos-unstable -

pkgs.osm2pgsql

OpenStreetMap data to PostgreSQL converter

  • nixos-unstable -

pkgs.osmctools

Command line tools for transforming Open Street Map files

  • nixos-unstable -

pkgs.osmo-ggsn

Osmocom Gateway GPRS Support Node (GGSN), successor of OpenGGSN

  • nixos-unstable -

pkgs.osmo-sgsn

Osmocom implementation of the 3GPP Serving GPRS Support Node (SGSN)

  • nixos-unstable -

pkgs.osmo-hnbgw

Osmocom Home NodeB Gateway, for attaching femtocells to the 3G CN (OsmoMSC, OsmoSGSN)

  • nixos-unstable -

pkgs.libosmscout

Simple, high-level interfaces for offline location and POI lookup, rendering and routing functionalities based on OpenStreetMap (OSM) data

pkgs.osm-gps-map

GTK widget for displaying OpenStreetMap tiles

  • nixos-unstable -

pkgs.osmium-tool

Multipurpose command line tool for working with OpenStreetMap data based on the Osmium library

  • nixos-unstable -

pkgs.osmo-hnodeb

Upper layers implementation of HomeNodeB for 3G/UMTS

  • nixos-unstable -

pkgs.cosmopolitan

Your build-once run-anywhere C library

  • nixos-unstable -

pkgs.libosmo-netif

Osmocom network / socket interface library

  • nixos-unstable -

pkgs.cosmic-ext-ctl

CLI for COSMIC Desktop configuration management

  • nixos-unstable -

pkgs.libosmo-sigtran

SCCP + SIGTRAN (SUA/M3UA) libraries as well as OsmoSTP

  • nixos-unstable -

pkgs.osmscout-server

Maps server providing tiles, geocoder, and router

  • nixos-unstable -

pkgs.rtl-sdr-osmocom

Software to turn the RTL2832U into a SDR receiver

  • nixos-unstable -

pkgs.libcosmicAppHook

Setup hook for configuring and wrapping applications based on libcosmic

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.osmo-sip-connector

This implements an interface between the MNCC (Mobile Network Call Control) interface of OsmoMSC (and also previously OsmoNITB) and SIP

  • nixos-unstable -

pkgs.python312Packages.osmnx

Package to easily download, construct, project, visualize, and analyze complex street networks from OpenStreetMap with NetworkX

  • nixos-unstable -

pkgs.python313Packages.osmnx

Package to easily download, construct, project, visualize, and analyze complex street networks from OpenStreetMap with NetworkX

  • nixos-unstable -

Package maintainers

CVE-2025-31549
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Fusion plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion allows DOM-Based XSS. This issue affects Fusion: from n/a through 1.6.3.

Affected products

fusion
  • =<1.6.3

Matching in nixpkgs

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

  • nixos-unstable -

pkgs.finalfusion-utils

Utility for converting, quantizing, and querying word embeddings

  • nixos-unstable -

Package maintainers