Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2025-31178
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Gnuplot: gnuplot segmentation fault on getannotatestring

A flaw was found in gnuplot. The GetAnnotateString() function may lead to a segmentation fault and cause a system crash.

References

Affected products

gnuplot
  • <6.0

Matching in nixpkgs

pkgs.gnuplot

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.gnuplot_qt

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.feedgnuplot

General purpose pipe-oriented plotting tool

  • nixos-unstable -

pkgs.gnuplot_aquaterm

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

Package maintainers

CVE-2025-31179
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Gnuplot: gnuplot segmentation fault on xstrftime

A flaw was found in gnuplot. The xstrftime() function may lead to a segmentation fault, causing a system crash.

References

Affected products

gnuplot
  • <6.0

Matching in nixpkgs

pkgs.gnuplot

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.gnuplot_qt

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.feedgnuplot

General purpose pipe-oriented plotting tool

  • nixos-unstable -

pkgs.gnuplot_aquaterm

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

Package maintainers

CVE-2025-31176
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Gnuplot: gnuplot segmentation fault on plot3d_points

A flaw was found in gnuplot. The plot3d_points() function may lead to a segmentation fault and cause a system crash.

References

Affected products

gnuplot
  • <6.0

Matching in nixpkgs

pkgs.gnuplot

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.gnuplot_qt

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

pkgs.feedgnuplot

General purpose pipe-oriented plotting tool

  • nixos-unstable -

pkgs.gnuplot_aquaterm

Portable command-line driven graphing utility for many platforms

  • nixos-unstable -

Package maintainers

CVE-2025-28916
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Docpro plugin <= 2.0.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Docpro allows PHP Local File Inclusion. This issue affects Docpro: from n/a through 2.0.1.

Affected products

docpro
  • =<2.0.1

Matching in nixpkgs

Package maintainers

CVE-2025-28855
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Teleport plugin <= 1.2.4 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Teleport allows Reflected XSS. This issue affects Teleport: from n/a through 1.2.4.

Affected products

teleport
  • =<1.2.4

Matching in nixpkgs

pkgs.teleport_16

Certificate authority and access plane for SSH, Kubernetes, web applications, and databases

pkgs.teleport_17

Certificate authority and access plane for SSH, Kubernetes, web applications, and databases

  • nixos-unstable -

pkgs.teleport_18

Certificate authority and access plane for SSH, Kubernetes, web applications, and databases

  • nixos-unstable -

Package maintainers

CVE-2025-28873
8.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress Shuffle plugin <= 0.5 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Shuffle allows Blind SQL Injection. This issue affects Shuffle: from n/a through 0.5.

Affected products

shuffle
  • =<0.5

Matching in nixpkgs

pkgs.ashuffle

Automatic library-wide shuffle for mpd

  • nixos-unstable -

Package maintainers

CVE-2024-47516
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Pagure: argument injection in pagurerepo.log()

A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance.

References

Affected products

pagure
  • ==5.14.1

Matching in nixpkgs

CVE-2022-1804
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Accountsservice incorrectly drops privileges

accountsservice no longer drops permissions when writing .pam_environment

Affected products

accountsservice
  • <22.07.5-2ubuntu1.3

Matching in nixpkgs

pkgs.accountsservice

D-Bus interface for user account query and manipulation

Package maintainers

CVE-2025-30617
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
WordPress Rewrite - <= 0.2.1 Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in takien Rewrite allows Cross Site Request Forgery. This issue affects Rewrite: from n/a through 0.2.1.

Affected products

rewrite
  • =<0.2.1

Matching in nixpkgs

Package maintainers

CVE-2025-30566
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Clink - <= 1.2.2 Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aryan Themes Clink allows DOM-Based XSS. This issue affects Clink: from n/a through 1.2.2.

Affected products

clink
  • =<1.2.2

Matching in nixpkgs