Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2025-23919
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Slides & Presentations Plugin <= 0.0.39 - Content Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Ella van Durpe Slides & Presentations allows Code Injection.This issue affects Slides & Presentations: from n/a through 0.0.39.

References

Affected products

slide
  • =<0.0.39

Matching in nixpkgs

pkgs.slides

Terminal based presentation tool

  • nixos-unstable -

pkgs.openslide

C library that provides a simple interface to read whole-slide images

  • nixos-unstable -

pkgs.manim-slides

Tool for live presentations using manim

  • nixos-unstable -

pkgs.dvd-slideshow

Suite of command line programs that creates a slideshow-style video from groups of pictures

pkgs.gnomeExtensions.night-light-slider-updated

Kiyui's Night Light Slider updated for GNOME 45. Provides a slider in the quick settings menu to control the night light temperature. Some nice options can be set in the extension preferences menu. Original implementation: https://codeberg.org/kiyui/gnome-shell-night-light-slider-extension/

  • nixos-unstable -
    • nixpkgs-unstable 13

Package maintainers

Permalink CVE-2025-23886
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Annie plugin <= 2.1.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Roberts Annie allows Stored XSS.This issue affects Annie: from n/a through 2.1.1.

References

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-23760
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Chatter plugin <= 1.0.1 - CSRF to Stored XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.

References

Affected products

chatter
  • =<1.0.1

Matching in nixpkgs

pkgs.typstPackages.chatter_0_1_0

Write dialog between any number of characters quickly and cleanly. Great for translations or short assignments

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-11029
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Freeipa: administrative user data leaked through systemd journal

A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal database. In the worst-case scenario, where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

References

Affected products

ipa
  • *
freeipa
  • ==4.12.2
idm:DL1/ipa
idm:client/ipa

Matching in nixpkgs

pkgs.ipam

Cli based IPAM written in Go with PowerDNS support

pkgs.tipa

Phonetic font for TeX

  • nixos-unstable -

pkgs.nipap

Neat IP Address Planner

  • nixos-unstable -

pkgs.freeipa

Identity, Policy and Audit system

  • nixos-unstable -

pkgs.ipafont

Japanese font package with Mincho and Gothic fonts

  • nixos-unstable -

pkgs.ipatool

Command-line tool that allows searching and downloading app packages (known as ipa files) from the iOS App Store

  • nixos-unstable -

pkgs.codipack

Fast gradient evaluation in C++ based on Expression Templates

  • nixos-unstable -

pkgs.gruut-ipa

Library for manipulating pronunciations using the International Phonetic Alphabet (IPA)

  • nixos-unstable -

pkgs.iniparser

Free standalone ini file parsing library

  • nixos-unstable -

pkgs.ipaexfont

Japanese font package with Mincho and Gothic fonts

  • nixos-unstable -

pkgs.multipass

Ubuntu VMs on demand for any workstation

  • nixos-unstable -

pkgs.nipap-cli

Neat IP Address Planner CLI

  • nixos-unstable -

pkgs.nipap-www

Neat IP Address Planner CLI, web UI

  • nixos-unstable -

pkgs.uriparser

Strictly RFC 3986 compliant URI parsing library

  • nixos-unstable -

pkgs.frangipanni

Convert lines of text into a tree structure

  • nixos-unstable -

Package maintainers

Permalink CVE-2025-22751
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Partners Plugin <= 0.2.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mighty Digital Partners allows Reflected XSS.This issue affects Partners: from n/a through 0.2.0.

References

Affected products

partners
  • =<0.2.0

Matching in nixpkgs

Permalink CVE-2025-0502
created 6 months ago
Transmission of Private Resources into a New Sphere in Crafter Engine

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

References

Affected products

Engine
  • <4.1.6
  • <4.0.8

Matching in nixpkgs

Permalink CVE-2024-12084
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Rsync: heap buffer overflow in rsync due to improper checksum length handling

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

References

Affected products

rhcos
rsync
  • ==3.3.0
  • ==3.2.7
  • *

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

  • nixos-unstable -

pkgs.grsync

Synchronize folders, files and make backups

  • nixos-unstable -

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

  • nixos-unstable -

pkgs.rsyncy

Progress bar wrapper for rsync

  • nixos-unstable -

pkgs.librsync

Implementation of the rsync remote-delta algorithm

  • nixos-unstable -

pkgs.diskrsync

Rsync for block devices and disk images

  • nixos-unstable -

pkgs.ethersync

Real-time co-editing of local text files

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-12086
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Rsync: rsync server leaks arbitrary client files

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

References

Affected products

rhcos
rsync
  • =<3.3.0

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

  • nixos-unstable -

pkgs.grsync

Synchronize folders, files and make backups

  • nixos-unstable -

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

  • nixos-unstable -

pkgs.rsyncy

Progress bar wrapper for rsync

  • nixos-unstable -

pkgs.librsync

Implementation of the rsync remote-delta algorithm

  • nixos-unstable -

pkgs.diskrsync

Rsync for block devices and disk images

  • nixos-unstable -

pkgs.ethersync

Real-time co-editing of local text files

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-12085
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Rsync: info leak via uninitialized stack contents

A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

References

Affected products

rhcos
  • *
rsync
  • =<3.3.0
  • *
openshift-logging/vector-rhel9
  • *
openshift-logging/fluentd-rhel9
  • *
openshift4/ose-operator-sdk-rhel9
  • *
openshift4/ose-helm-rhel9-operator
  • *
openshift-logging/eventrouter-rhel9
  • *
openshift-logging/logging-loki-rhel9
  • *
openshift-logging/loki-rhel9-operator
  • *
openshift-logging/opa-openshift-rhel9
  • *
openshift4/ose-ansible-rhel9-operator
  • *
openshift-logging/elasticsearch6-rhel9
  • *
openshift-logging/loki-operator-bundle
  • *
openshift-logging/logging-curator5-rhel9
  • *
openshift-logging/lokistack-gateway-rhel9
  • *
openshift-logging/elasticsearch-proxy-rhel9
  • *
openshift-logging/logging-view-plugin-rhel9
  • *
openshift-logging/elasticsearch-rhel9-operator
  • *
openshift-logging/elasticsearch-operator-bundle
  • *
openshift-logging/cluster-logging-rhel8-operator
openshift-logging/cluster-logging-rhel9-operator
  • *
openshift-logging/log-file-metric-exporter-rhel9
  • *
compliance/openshift-compliance-must-gather-rhel8
  • *
openshift-logging/cluster-logging-operator-bundle
  • *

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

  • nixos-unstable -

pkgs.grsync

Synchronize folders, files and make backups

  • nixos-unstable -

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

  • nixos-unstable -

pkgs.rsyncy

Progress bar wrapper for rsync

  • nixos-unstable -

pkgs.librsync

Implementation of the rsync remote-delta algorithm

  • nixos-unstable -

pkgs.diskrsync

Rsync for block devices and disk images

  • nixos-unstable -

pkgs.ethersync

Real-time co-editing of local text files

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-12747
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Rsync: race condition in rsync handling symbolic links

A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

References

Affected products

rhcos
rsync
  • =<3.3.0
  • *
discovery/discovery-ui-rhel9
  • *
registry.redhat.io/discovery/discovery-ui-rhel9
  • *

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

  • nixos-unstable -

pkgs.grsync

Synchronize folders, files and make backups

  • nixos-unstable -

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

  • nixos-unstable -

pkgs.rsyncy

Progress bar wrapper for rsync

  • nixos-unstable -

pkgs.librsync

Implementation of the rsync remote-delta algorithm

  • nixos-unstable -

pkgs.diskrsync

Rsync for block devices and disk images

  • nixos-unstable -

pkgs.ethersync

Real-time co-editing of local text files

  • nixos-unstable -

Package maintainers