Nixpkgs security tracker

Automatically generated suggestions

created 3 months, 4 weeks ago Activity log
  • Created suggestion
WordPress Nestin theme < 1.2.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Nestin nestin allows Object Injection. This issue affects Nestin: from n/a through < 1.2.6.

Affected products

nestin
  • < 1.2.6

Matching in nixpkgs

pkgs.nesting

Basic and opinionated daemon that sits in front of virtualization platforms

Package maintainers

Permalink CVE-2026-2858
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 3 months, 4 weeks ago Activity log
  • Created suggestion
wren-lang wren Source File wren_compiler.c peekChar out-of-bounds

A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. Such manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

wren
  • ==0.3
  • ==0.1
  • ==0.2
  • ==0.4.0

Matching in nixpkgs

Package maintainers

created 3 months, 4 weeks ago Activity log
  • Created suggestion
GFI Archiver MArc.Store Missing Authorization Authentication Bypass Vulnerability

GFI Archiver MArc.Store Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MArc.Store.Remoting.exe process, which listens on port 8018. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-28597.

References

Affected products

Archiver
  • ==15.10

Matching in nixpkgs

pkgs.xarchiver

GTK frontend to 7z,zip,rar,tar,bzip2, gzip,arj, lha, rpm and deb (open and extract only)

Package maintainers

created 3 months, 4 weeks ago Activity log
  • Created suggestion
WordPress Oxygen theme <= 6.0.8 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery. This issue affects Oxygen: from n/a through <= 6.0.8.

Affected products

oxygen
  • <= 6.0.8

Matching in nixpkgs

pkgs.doxygen

Source code documentation generator tool

pkgs.doxygen-awesome-css

CSS theme for doxygen html-documentation with lots of customization parameters

Package maintainers

Permalink CVE-2025-52603
3.5 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 months, 4 weeks ago Activity log
  • Created suggestion
HCL Connections is vulnerable to information disclosure

HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.

Affected products

Connections
  • ==7.0, 8.0

Matching in nixpkgs

pkgs.gnome-connections

Remote desktop client for the GNOME desktop environment

  • nixos-unstable 49.0
    • nixpkgs-unstable 49.0
    • nixos-unstable-small 49.0

Package maintainers

created 3 months, 4 weeks ago Activity log
  • Created suggestion
GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability

GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the MArc.Store.Remoting.exe process. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27936.

References

Affected products

Archiver
  • ==15.10

Matching in nixpkgs

pkgs.xarchiver

GTK frontend to 7z,zip,rar,tar,bzip2, gzip,arj, lha, rpm and deb (open and extract only)

Package maintainers

created 3 months, 4 weeks ago Activity log
  • Created suggestion
WordPress Tint theme <= 1.7 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion. This issue affects Tint: from n/a through <= 1.7.

Affected products

tint
  • <= 1.7

Matching in nixpkgs

pkgs.tint

Command-line tool to recolor images using theme palettes

pkgs.tint2

Simple panel/taskbar, unintrusive and light (memory, cpu, aesthetic)

pkgs.tinty

Base16 and base24 color scheme manager

pkgs.tintin

Free MUD client for macOS, Linux and Windows

pkgs.gnomeExtensions.tinted-shell

Tints GNOME Shell elements with the system accent color while preserving the original visual style.

  • nixos-unstable 5
    • nixpkgs-unstable 5
    • nixos-unstable-small 5

Package maintainers

created 3 months, 4 weeks ago Activity log
  • Created suggestion
WordPress FeedWordPress Advanced Filters plugin <= 0.6.2 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS. This issue affects FeedWordPress Advanced Filters: from n/a through <= 0.6.2.

Affected products

faf
  • <= 0.6.2

Matching in nixpkgs

created 3 months, 4 weeks ago Activity log
  • Created suggestion
WordPress Hara theme <= 1.2.17 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17.

Affected products

hara
  • <= 1.2.17

Matching in nixpkgs

pkgs.charasay

Future of cowsay - Colorful characters saying something

pkgs.gnome-characters

Simple utility application to find and insert unusual characters

  • nixos-unstable 49.1
    • nixpkgs-unstable 49.1
    • nixos-unstable-small 49.1
created 3 months, 4 weeks ago Activity log
  • Created suggestion
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.

References

Affected products

MLflow
  • ==3.1.1 and 5b9c01925c2e2a8cf0951f155a6a468ff99cfe0f

Matching in nixpkgs

pkgs.mlflow-server

Open source platform for the machine learning lifecycle

Package maintainers