Nixpkgs security tracker

Permalink CVE-2025-15366

created 4 months ago Activity log

Created suggestion 4 months ago

IMAP command injection in user-controlled commands

The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

References

https://github.com/python/cpython/issues/143921 issue-tracking
https://github.com/python/cpython/pull/143922 patch
https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7… vendor-advisory
https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b… patch

Affected products

CPython

<3.15.0
<3.15.0a6

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>

Permalink CVE-2026-0908

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

created 4 months ago Activity log

Created suggestion 4 months ago

Use after free in ANGLE in Google Chrome prior to …

Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)

References

Affected products

Chrome

<144.0.7559.59

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small

pkgs.chromedriver

WebDriver server for running Selenium tests on Chrome

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.mkchromecast

Cast macOS and Linux Audio/Video to your Google Cast and Sonos Devices

nixos-unstable 2022-10-31
- nixpkgs-unstable 2022-10-31
- nixos-unstable-small 2022-10-31

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4

pkgs.google-chrome

Freeware web browser developed by Google

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.chrome-token-signing

Chrome and Firefox extension for signing with your eID on the web

nixos-unstable 1.1.5
- nixpkgs-unstable 1.1.5
- nixos-unstable-small 1.1.5

pkgs.chrome-pak-customizer

Simple batch tool to customize pak files in chrome or chromium-based browser

nixos-unstable 2.0-unstable-2021-06-24
- nixpkgs-unstable 2.0-unstable-2021-06-24
- nixos-unstable-small 2.0-unstable-2021-06-24

pkgs.curl-impersonate-chrome

Special build of curl that can impersonate Chrome & Firefox

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.undetected-chromedriver

Custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.electron-chromedriver_33

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_34

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_35

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_36

WebDriver server for running Selenium tests on Chrome

nixos-unstable 36.9.5
- nixpkgs-unstable 36.9.5
- nixos-unstable-small 36.9.5

pkgs.electron-chromedriver_37

WebDriver server for running Selenium tests on Chrome

nixos-unstable 37.10.2
- nixpkgs-unstable 37.10.2
- nixos-unstable-small 37.10.2

pkgs.electron-chromedriver_38

WebDriver server for running Selenium tests on Chrome

nixos-unstable 38.7.1
- nixpkgs-unstable 38.7.1
- nixos-unstable-small 38.7.1

pkgs.electron-chromedriver_39

WebDriver server for running Selenium tests on Chrome

nixos-unstable 39.2.3
- nixpkgs-unstable 39.2.3
- nixos-unstable-small 39.2.3

pkgs.xorg.xf86videoopenchrome

None

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0

pkgs.ocamlPackages.chrome-trace

Chrome trace event generation library

nixos-unstable 3.20.2
- nixpkgs-unstable 3.20.2
- nixos-unstable-small 3.20.2

pkgs.noto-fonts-monochrome-emoji

Monochrome emoji font

nixos-unstable 3.000
- nixpkgs-unstable 3.000
- nixos-unstable-small 3.000

pkgs.python312Packages.pychromecast

Library for Python to communicate with the Google Chromecast

nixos-unstable 14.0.9
- nixpkgs-unstable 14.0.9
- nixos-unstable-small 14.0.9

pkgs.python313Packages.pychromecast

Library for Python to communicate with the Google Chromecast

nixos-unstable 14.0.9
- nixpkgs-unstable 14.0.9
- nixos-unstable-small 14.0.9

pkgs.python312Packages.undetected-chromedriver

Python library for the custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 3.5.5
- nixpkgs-unstable 3.5.5
- nixos-unstable-small 3.5.5

pkgs.python313Packages.undetected-chromedriver

Python library for the custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 3.5.5
- nixpkgs-unstable 3.5.5
- nixos-unstable-small 3.5.5

pkgs.grafanaPlugins.ventura-psychrometric-panel

Grafana plugin to display air conditions on a psychrometric chart

nixos-unstable 5.0.4
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.0.4

Package maintainers

@bdesham Benjamin Esham <benjamin@esham.io>
@UlyssesZh Ulysses Zhan <ulysseszhan@gmail.com>
@mmahut Marek Mahut <marek.mahut@gmail.com>
@emilylange Emily Lange <nix@emilylange.de>
@networkException networkException <nix@nwex.de>
@GGG-KILLER GGG <github@ggg.dev>
@liam-murphy14 Liam Murphy <liam.murphy137@gmail.com>
@yayayayaka Yaya <github@uwu.is>
@zi3m5f zi3m5f <k7n3o3a6f@mozmail.com>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@Shou Benedict Aas <x+g@shou.io>
@roberth Robert Hensing <nixpkgs@roberthensing.nl>
@nicoonoclaste nicoo <nicoo@debian.org>
@abbradar Nikolay Amiantov <ab@fmap.me>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Permalink CVE-2026-0902

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

created 4 months ago Activity log

Created suggestion 4 months ago

Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 …

Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

References

Affected products

Chrome

<144.0.7559.59

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small

pkgs.chromedriver

WebDriver server for running Selenium tests on Chrome

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.mkchromecast

Cast macOS and Linux Audio/Video to your Google Cast and Sonos Devices

nixos-unstable 2022-10-31
- nixpkgs-unstable 2022-10-31
- nixos-unstable-small 2022-10-31

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4

pkgs.google-chrome

Freeware web browser developed by Google

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.chrome-token-signing

Chrome and Firefox extension for signing with your eID on the web

nixos-unstable 1.1.5
- nixpkgs-unstable 1.1.5
- nixos-unstable-small 1.1.5

pkgs.chrome-pak-customizer

Simple batch tool to customize pak files in chrome or chromium-based browser

nixos-unstable 2.0-unstable-2021-06-24
- nixpkgs-unstable 2.0-unstable-2021-06-24
- nixos-unstable-small 2.0-unstable-2021-06-24

pkgs.curl-impersonate-chrome

Special build of curl that can impersonate Chrome & Firefox

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.undetected-chromedriver

Custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.electron-chromedriver_33

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_34

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_35

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_36

WebDriver server for running Selenium tests on Chrome

nixos-unstable 36.9.5
- nixpkgs-unstable 36.9.5
- nixos-unstable-small 36.9.5

pkgs.electron-chromedriver_37

WebDriver server for running Selenium tests on Chrome

nixos-unstable 37.10.2
- nixpkgs-unstable 37.10.2
- nixos-unstable-small 37.10.2

pkgs.electron-chromedriver_38

WebDriver server for running Selenium tests on Chrome

nixos-unstable 38.7.1
- nixpkgs-unstable 38.7.1
- nixos-unstable-small 38.7.1

pkgs.electron-chromedriver_39

WebDriver server for running Selenium tests on Chrome

nixos-unstable 39.2.3
- nixpkgs-unstable 39.2.3
- nixos-unstable-small 39.2.3

pkgs.xorg.xf86videoopenchrome

None

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0

pkgs.ocamlPackages.chrome-trace

Chrome trace event generation library

nixos-unstable 3.20.2
- nixpkgs-unstable 3.20.2
- nixos-unstable-small 3.20.2

pkgs.noto-fonts-monochrome-emoji

Monochrome emoji font

nixos-unstable 3.000
- nixpkgs-unstable 3.000
- nixos-unstable-small 3.000

pkgs.python312Packages.pychromecast

Library for Python to communicate with the Google Chromecast

nixos-unstable 14.0.9
- nixpkgs-unstable 14.0.9
- nixos-unstable-small 14.0.9

pkgs.python313Packages.pychromecast

Library for Python to communicate with the Google Chromecast

nixos-unstable 14.0.9
- nixpkgs-unstable 14.0.9
- nixos-unstable-small 14.0.9

pkgs.python312Packages.undetected-chromedriver

Python library for the custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 3.5.5
- nixpkgs-unstable 3.5.5
- nixos-unstable-small 3.5.5

pkgs.python313Packages.undetected-chromedriver

Python library for the custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 3.5.5
- nixpkgs-unstable 3.5.5
- nixos-unstable-small 3.5.5

pkgs.grafanaPlugins.ventura-psychrometric-panel

Grafana plugin to display air conditions on a psychrometric chart

nixos-unstable 5.0.4
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.0.4

Package maintainers

@bdesham Benjamin Esham <benjamin@esham.io>
@UlyssesZh Ulysses Zhan <ulysseszhan@gmail.com>
@mmahut Marek Mahut <marek.mahut@gmail.com>
@emilylange Emily Lange <nix@emilylange.de>
@networkException networkException <nix@nwex.de>
@GGG-KILLER GGG <github@ggg.dev>
@liam-murphy14 Liam Murphy <liam.murphy137@gmail.com>
@yayayayaka Yaya <github@uwu.is>
@zi3m5f zi3m5f <k7n3o3a6f@mozmail.com>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@Shou Benedict Aas <x+g@shou.io>
@roberth Robert Hensing <nixpkgs@roberthensing.nl>
@nicoonoclaste nicoo <nicoo@debian.org>
@abbradar Nikolay Amiantov <ab@fmap.me>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Permalink CVE-2026-0672

created 4 months ago Activity log

Created suggestion 4 months ago

Header injection in http.cookies.Morsel

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

References

Affected products

CPython

<3.13.12
<3.15.0
<3.15.0a6
<3.14.3

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>

Permalink CVE-2026-0865

created 4 months ago Activity log

Created suggestion 4 months ago

wsgiref.headers.Headers allows header newline injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

References

Affected products

CPython

<3.13.12
<3.15.0
<3.15.0a6
<3.14.3

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>

Permalink CVE-2025-15282

created 4 months ago Activity log

Created suggestion 4 months ago

Header injection via newlines in data URL mediatype

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

References

Affected products

CPython

<3.13.12
<3.15.0
<3.15.0a6
<3.14.3

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>

Permalink CVE-2025-60062

9.4 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): Low (L)

created 4 months ago Activity log

Created suggestion 4 months ago

WordPress tPlayer plugin <= 1.2.1.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mmetrodw tPlayer tplayer-html5-audio-player-with-playlist allows SQL Injection.This issue affects tPlayer: from n/a through <= 1.2.1.6.

References

Affected products

tplayer-html5-audio-player-with-playlist

=<<= 1.2.1.6

Matching in nixpkgs

pkgs.rustplayer

Local audio player and network m3u8 radio player using a terminal interface

nixos-unstable 1.1.2-unstable-2024-07-14
- nixpkgs-unstable 1.1.2-unstable-2024-07-14
- nixos-unstable-small 1.1.2-unstable-2024-07-14

Package maintainers

@oluceps oluceps <nixos@oluceps.uk>

Permalink CVE-2026-0901

5.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 4 months ago Activity log

Created suggestion 4 months ago

Inappropriate implementation in Blink in Google Chrome on Android prior …

Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome

<144.0.7559.59

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small

pkgs.chromedriver

WebDriver server for running Selenium tests on Chrome

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.mkchromecast

Cast macOS and Linux Audio/Video to your Google Cast and Sonos Devices

nixos-unstable 2022-10-31
- nixpkgs-unstable 2022-10-31
- nixos-unstable-small 2022-10-31

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4

pkgs.google-chrome

Freeware web browser developed by Google

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.chrome-token-signing

Chrome and Firefox extension for signing with your eID on the web

nixos-unstable 1.1.5
- nixpkgs-unstable 1.1.5
- nixos-unstable-small 1.1.5

pkgs.chrome-pak-customizer

Simple batch tool to customize pak files in chrome or chromium-based browser

nixos-unstable 2.0-unstable-2021-06-24
- nixpkgs-unstable 2.0-unstable-2021-06-24
- nixos-unstable-small 2.0-unstable-2021-06-24

pkgs.curl-impersonate-chrome

Special build of curl that can impersonate Chrome & Firefox

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.undetected-chromedriver

Custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 142.0.7444.175
- nixpkgs-unstable 142.0.7444.175
- nixos-unstable-small 142.0.7444.175

pkgs.electron-chromedriver_33

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_34

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_35

WebDriver server for running Selenium tests on Chrome

pkgs.electron-chromedriver_36

WebDriver server for running Selenium tests on Chrome

nixos-unstable 36.9.5
- nixpkgs-unstable 36.9.5
- nixos-unstable-small 36.9.5

pkgs.electron-chromedriver_37

WebDriver server for running Selenium tests on Chrome

nixos-unstable 37.10.2
- nixpkgs-unstable 37.10.2
- nixos-unstable-small 37.10.2

pkgs.electron-chromedriver_38

WebDriver server for running Selenium tests on Chrome

nixos-unstable 38.7.1
- nixpkgs-unstable 38.7.1
- nixos-unstable-small 38.7.1

pkgs.electron-chromedriver_39

WebDriver server for running Selenium tests on Chrome

nixos-unstable 39.2.3
- nixpkgs-unstable 39.2.3
- nixos-unstable-small 39.2.3

pkgs.xorg.xf86videoopenchrome

None

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0

pkgs.ocamlPackages.chrome-trace

Chrome trace event generation library

nixos-unstable 3.20.2
- nixpkgs-unstable 3.20.2
- nixos-unstable-small 3.20.2

pkgs.noto-fonts-monochrome-emoji

Monochrome emoji font

nixos-unstable 3.000
- nixpkgs-unstable 3.000
- nixos-unstable-small 3.000

pkgs.python312Packages.pychromecast

Library for Python to communicate with the Google Chromecast

nixos-unstable 14.0.9
- nixpkgs-unstable 14.0.9
- nixos-unstable-small 14.0.9

pkgs.python313Packages.pychromecast

Library for Python to communicate with the Google Chromecast

nixos-unstable 14.0.9
- nixpkgs-unstable 14.0.9
- nixos-unstable-small 14.0.9

pkgs.python312Packages.undetected-chromedriver

Python library for the custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 3.5.5
- nixpkgs-unstable 3.5.5
- nixos-unstable-small 3.5.5

pkgs.python313Packages.undetected-chromedriver

Python library for the custom Selenium ChromeDriver that passes all bot mitigation systems

nixos-unstable 3.5.5
- nixpkgs-unstable 3.5.5
- nixos-unstable-small 3.5.5

pkgs.grafanaPlugins.ventura-psychrometric-panel

Grafana plugin to display air conditions on a psychrometric chart

nixos-unstable 5.0.4
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.0.4

Package maintainers

@bdesham Benjamin Esham <benjamin@esham.io>
@UlyssesZh Ulysses Zhan <ulysseszhan@gmail.com>
@mmahut Marek Mahut <marek.mahut@gmail.com>
@emilylange Emily Lange <nix@emilylange.de>
@networkException networkException <nix@nwex.de>
@GGG-KILLER GGG <github@ggg.dev>
@liam-murphy14 Liam Murphy <liam.murphy137@gmail.com>
@yayayayaka Yaya <github@uwu.is>
@zi3m5f zi3m5f <k7n3o3a6f@mozmail.com>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@Shou Benedict Aas <x+g@shou.io>
@roberth Robert Hensing <nixpkgs@roberthensing.nl>
@nicoonoclaste nicoo <nicoo@debian.org>
@abbradar Nikolay Amiantov <ab@fmap.me>
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>

Permalink CVE-2025-11266

6.6 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): High (H)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): High (H)

created 4 months ago Activity log

Created suggestion 4 months ago

Grassroots DICOM (GDCM) Out-of-bounds Write

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.

References

Affected products

medInria

=<4.0

SimpleITK

=<2.5.2

DICOM (GDCM)

=<3.0.24

Matching in nixpkgs

pkgs.simpleitk

Simplified interface to ITK

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3

pkgs.pkgsRocm.simpleitk

Simplified interface to ITK

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3

pkgs.python312Packages.simpleitk

Simplified interface to ITK

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3

pkgs.python313Packages.simpleitk

Simplified interface to ITK

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3

pkgs.pkgsRocm.python3Packages.simpleitk

Simplified interface to ITK

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3

Package maintainers

@bcdarwin Ben Darwin <bcdarwin@gmail.com>

Permalink CVE-2025-15367

created 4 months ago Activity log

Created suggestion 4 months ago

POP3 command injection in user-controlled commands

The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

References

https://github.com/python/cpython/pull/143924 patch
https://github.com/python/cpython/issues/143923 issue-tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBO… vendor-advisory
https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874… patch

Affected products

CPython

<3.15.0
<3.15.0a6

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>

Automatically generated suggestions

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.cpython

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.netflix

pkgs.chromedriver

pkgs.mkchromecast

pkgs.chrome-export

pkgs.go-chromecast

pkgs.google-chrome

pkgs.chrome-token-signing

pkgs.chrome-pak-customizer

pkgs.curl-impersonate-chrome

pkgs.undetected-chromedriver

pkgs.electron-chromedriver_33

pkgs.electron-chromedriver_34

pkgs.electron-chromedriver_35

pkgs.electron-chromedriver_36

pkgs.electron-chromedriver_37

pkgs.electron-chromedriver_38

pkgs.electron-chromedriver_39

pkgs.xorg.xf86videoopenchrome

pkgs.ocamlPackages.chrome-trace

pkgs.noto-fonts-monochrome-emoji

pkgs.python312Packages.pychromecast

pkgs.python313Packages.pychromecast

pkgs.python312Packages.undetected-chromedriver

pkgs.python313Packages.undetected-chromedriver

pkgs.grafanaPlugins.ventura-psychrometric-panel

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.netflix

pkgs.chromedriver

pkgs.mkchromecast

pkgs.chrome-export

pkgs.go-chromecast

pkgs.google-chrome

pkgs.chrome-token-signing

pkgs.chrome-pak-customizer

pkgs.curl-impersonate-chrome

pkgs.undetected-chromedriver

pkgs.electron-chromedriver_33

pkgs.electron-chromedriver_34

pkgs.electron-chromedriver_35

pkgs.electron-chromedriver_36

pkgs.electron-chromedriver_37

pkgs.electron-chromedriver_38

pkgs.electron-chromedriver_39

pkgs.xorg.xf86videoopenchrome

pkgs.ocamlPackages.chrome-trace

pkgs.noto-fonts-monochrome-emoji

pkgs.python312Packages.pychromecast

pkgs.python313Packages.pychromecast

pkgs.python312Packages.undetected-chromedriver

pkgs.python313Packages.undetected-chromedriver

pkgs.grafanaPlugins.ventura-psychrometric-panel

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.cpython

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.cpython

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.cpython

Package maintainers

References