Nixpkgs Security Tracker


Published issues

affected
created on 15 Dec 2025
NIXPKGS-2025-0024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kadesthemes WP Airdrop Manager allows Stored XSS. This issue affects WP Airdrop Manager: from n/a through 1.0.5.

Vulnerabilities

Related packages

affected
created on 15 Dec 2025
NIXPKGS-2025-0023

An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.

Vulnerabilities

Related packages

affected
created on 29 Oct 2025
NIXPKGS-2025-0022

A vulnerability was found in `podman build` and `buildah`. This issue is a container breakout achieved by using --jobs=2 together with a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.

Vulnerabilities

Related packages

pkgs.podman

Program for managing pods, containers and container images

pkgs.buildah

Tool which facilitates building OCI images

pkgs.podman-tui

Podman Terminal UI

affected
created on 29 Oct 2025
NIXPKGS-2025-0021

Squid is vulnerable to a Denial of Service, where a remote attacker can perform a buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.

Vulnerabilities

Related packages

pkgs.squid

Caching proxy for the Web supporting HTTP, HTTPS, FTP, and more

pkgs.python311Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python313Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.x86_64-linux

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.aarch64-linux

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.x86_64-darwin

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.aarch64-darwin

More interactive weak supervision with FlyingSquid

affected
created on 2 Oct 2025
NIXPKGS-2025-0020

A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories.

Vulnerabilities

Related packages

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

affected
created on 26 Sep 2025
NIXPKGS-2025-0017

A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file.

Vulnerabilities

Related packages

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

pkgs.python311Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python312Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python313Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python312Packages.pylibjpeg-openjpeg.x86_64-linux

A J2K and JP2 plugin for pylibjpeg

affected
created on 26 Sep 2025
NIXPKGS-2025-0018

A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.

Vulnerabilities

Related packages

pkgs.squid

Caching proxy for the Web supporting HTTP, HTTPS, FTP, and more

pkgs.python311Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python313Packages.flyingsquid

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.x86_64-linux

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.aarch64-linux

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.x86_64-darwin

More interactive weak supervision with FlyingSquid

pkgs.python312Packages.flyingsquid.aarch64-darwin

More interactive weak supervision with FlyingSquid

affected
created on 26 Sep 2025
NIXPKGS-2025-0016

A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service.

Vulnerabilities

Related packages

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

pkgs.python311Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python312Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python313Packages.pylibjpeg-openjpeg

A J2K and JP2 plugin for pylibjpeg

pkgs.python312Packages.pylibjpeg-openjpeg.x86_64-linux

A J2K and JP2 plugin for pylibjpeg

affected
created on 26 Sep 2025
NIXPKGS-2025-0019

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with an LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.

Vulnerabilities

Related packages

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.python311Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-darwin

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-darwin

Provides access to the Keycloak API

affected
created on 25 Sep 2025
NIXPKGS-2025-0014

Floating point exception in fig2dev in version 3.2.9a allows an attacker to impact availability via local input manipulation in the get_slope function.

Vulnerabilities

Related packages

pkgs.fig2dev

Tool to convert Xfig files to other formats