Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2025-23987
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Designer plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodegearThemes Designer allows DOM-Based XSS. This issue affects Designer: from n/a through 1.6.0.

References

Affected products

designer
  • =<1.6.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2020-11936
3.1 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
gdbus setgid privilege escalation

gdbus setgid privilege escalation

References

Affected products

apport
  • <2.20.11-0ubuntu27.6

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-0092
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
An authenticated user who has read access to the juju …

An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem.

References

Affected products

juju
  • <2.9.38
  • <3.0.3

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

  • nixos-unstable -

pkgs.jujutsu

Git-compatible DVCS that is both simple and powerful

  • nixos-unstable -

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

  • nixos-unstable -
Permalink CVE-2022-28653
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Users can consume unlimited disk space in /var/crash

Users can consume unlimited disk space in /var/crash

References

Affected products

apport
  • <2.21.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-0750
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 6 months ago
Cri-o: cri-o path traversal in log handling functions allows arbitrary unmounting

A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories.

References

Affected products

cri-o
  • <1.33.1
  • *
rhcos

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-23684
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
WordPress Debug Tool plugin <= 2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.

References

Affected products

debug-tool
  • =<2.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-23592
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress dForms plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound dForms allows Reflected XSS. This issue affects dForms: from n/a through 1.0.

References

Affected products

dforms
  • =<1.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-11218
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Podman: buildah: container breakout by using --jobs=2 and a race condition when building a malicious containerfile

A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.

References

Affected products

rhcos
  • *
podman
  • *
buildah
  • <1.33.12
  • <1.38.1
  • <1.35.5
  • *
  • <1.37.6
container-tools:rhel8
  • *
container-tools:rhel8/podman
container-tools:rhel8/buildah

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-23892
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Progress Tracker plugin <= 0.9.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS.This issue affects Progress Tracker: from n/a through 0.9.3.

References

Affected products

progress-tracker
  • =<0.9.3

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-23884
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through 2.1.1.

References

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

  • nixos-unstable -

Package maintainers