Nixpkgs Security Tracker

CVE-2025-31538
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Checklist plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in checklistcom Checklist allows Stored XSS. This issue affects Checklist: from n/a through 1.1.9.

Affected products

checklist
  • =<1.1.9

Matching in nixpkgs

CVE-2024-13939
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829.

Affected products

String-Compare-ConstantTime
  • =<0.321

Matching in nixpkgs

CVE-2025-22523
9.3 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress Schedule Plugin <= 1.0.0 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Schedule allows Blind SQL Injection. This issue affects Schedule: from n/a through 1.0.0.

Affected products

schedule
  • =<1.0.0

Matching in nixpkgs

Package maintainers

CVE-2025-31163
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 6 months ago
fig2dev segmentation fault

Segmentation fault in fig2dev version 3.2.9a allows an attacker to affect availability via local input manipulation through the put_patternarc function.

Affected products

fig2dev
  • ==3.2.9a

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

  • nixos-unstable -

pkgs.transfig

Tool to convert Xfig files to other formats

  • nixos-unstable -

Package maintainers

CVE-2025-31162
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 6 months ago
fig2dev floating point exception

Floating point exception in fig2dev version 3.2.9a allows an attacker to affect availability via local input manipulation through the get_slope function.

Affected products

fig2dev
  • ==3.2.9a

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

  • nixos-unstable -

pkgs.transfig

Tool to convert Xfig files to other formats

  • nixos-unstable -

Package maintainers

CVE-2025-31164
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 6 months ago
fig2dev heap-buffer overflow

Heap-buffer overflow in fig2dev version 3.2.9a allows an attacker to affect availability via local input manipulation through the create_line_with_spline function.

Affected products

fig2dev
  • ==3.2.9a

Matching in nixpkgs

pkgs.fig2dev

Tool to convert Xfig files to other formats

  • nixos-unstable -

pkgs.transfig

Tool to convert Xfig files to other formats

  • nixos-unstable -

Package maintainers

CVE-2025-1860
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
Data::Entropy for Perl uses insecure rand() function for cryptographic functions

Data::Entropy for Perl 0.007 and earlier uses the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions.

Affected products

Data-Entropy
  • <0.008

Matching in nixpkgs

CVE-2025-31181
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Gnuplot: gnuplot segmentation fault on x11_graphics

A flaw was found in gnuplot. The X11_graphics() function may lead to a segmentation fault and cause a system crash.

References

Affected products

gnuplot
  • <6.1

Matching in nixpkgs

pkgs.gnuplot

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.gnuplot_qt

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.feedgnuplot

General purpose pipe-oriented plotting tool

  • nixos-unstable -

pkgs.gnuplot_aquaterm

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

Package maintainers

CVE-2025-30896
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress WP ERP plugin <= 1.13.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through 1.13.4.

Affected products

erp
  • =<1.13.4

Matching in nixpkgs

pkgs.lerpn

Curses RPN calculator written in straight Python

pkgs.serpl

Simple terminal UI for search and replace, ala VS Code

  • nixos-unstable -

pkgs.sherpa

Monte Carlo event generator for the Simulation of High-Energy Reactions of PArticles

  • nixos-unstable -

pkgs.makerpm

Clean, simple RPM packager reimplemented completely from scratch

  • nixos-unstable -

pkgs.serpent

Compiler for the Serpent language for Ethereum

pkgs.overpass

Font heavily inspired by Highway Gothic

  • nixos-unstable -

pkgs.overpush

Self-hosted, drop-in replacement for Pushover that can use XMPP

  • nixos-unstable -

pkgs.powerpipe

Dynamically query your cloud, code, logs & more with SQL

  • nixos-unstable -

pkgs.featherpad

Lightweight Qt5 Plain-Text Editor for Linux

  • nixos-unstable -

pkgs.filterpath

Retrieve a valid path from a messy piped line

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.ciderpress2

File archive utility for Apple II disk images and file archives

  • nixos-unstable -

pkgs.letterpress

Create beautiful ASCII art

  • nixos-unstable -

pkgs.pufferpanel

Free, open source game management panel

  • nixos-unstable -

pkgs.fingerprintx

Standalone utility for service discovery on open ports

  • nixos-unstable -

pkgs.hyperpotamus

YAML based HTTP script processing engine

  • nixos-unstable -

pkgs.etherpad-lite

Modern really-real-time collaborative document editor

  • nixos-unstable -

pkgs.open-interpreter

OpenAI's Code Interpreter in your terminal, running locally

  • nixos-unstable -

Package maintainers

CVE-2025-31180
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Gnuplot: gnuplot segmentation fault on canvas_text

A flaw was found in gnuplot. The CANVAS_text() function may lead to a segmentation fault and cause a system crash.

References

Affected products

gnuplot
  • <6.0

Matching in nixpkgs

pkgs.gnuplot

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.gnuplot_qt

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.feedgnuplot

General purpose pipe-oriented plotting tool

  • nixos-unstable -

pkgs.gnuplot_aquaterm

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

Package maintainers