Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2025-66533
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 days, 7 hours ago
WordPress GiveWP plugin <= 4.13.1 - Arbitrary Shortocde Execution vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection.This issue affects GiveWP: from n/a through <= 4.13.1.

Affected products

give
  • =<<= 4.13.1

Matching in nixpkgs

CVE-2025-63070
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 days, 7 hours ago
WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data.This issue affects Download Manager: from n/a through <= 3.3.32.

Affected products

download-manager
  • =<<= 3.3.32

Matching in nixpkgs

pkgs.lomiri.lomiri-download-manager

Performs uploads and downloads from a centralized location

pkgs.lomiri.lomiri-download-manager.x86_64-linux

Performs uploads and downloads from a centralized location

pkgs.lomiri.lomiri-download-manager.aarch64-linux

Performs uploads and downloads from a centralized location

Package maintainers: 1

CVE-2025-62762
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 days, 7 hours ago
WordPress SMTP Mail plugin <= 1.3.47 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery.This issue affects SMTP Mail: from n/a through <= 1.3.47.

Affected products

smtp-mail
  • =<<= 1.3.47

Matching in nixpkgs

Package maintainers: 1

CVE-2025-67467
4.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 3 days, 7 hours ago
WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery.This issue affects GiveWP: from n/a through <= 4.13.1.

Affected products

give
  • =<<= 4.13.1

Matching in nixpkgs

CVE-2025-67554
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 days, 7 hours ago
WordPress Cookie Notice & Compliance for GDPR / CCPA plugin <= 2.5.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS.This issue affects Cookie Notice & Compliance for GDPR / CCPA: from n/a through <= 2.5.8.

Affected products

cookie-notice
  • =<<= 2.5.8

Matching in nixpkgs

CVE-2025-59029
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 3 days, 7 hours ago
Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.

Affected products

pdns-recursor
  • <5.3.2

Matching in nixpkgs

Package maintainers: 1

CVE-2025-9375
created 3 days, 7 hours ago
xmltodict 0.14.2 - XML Injection

XML Injection vulnerability in xmltodict allows Input Data Manipulation.This issue affects xmltodict: 0.14.2.

Affected products

xmltodict
  • <0.15.1

Matching in nixpkgs

pkgs.python311Packages.xmltodict

Makes working with XML feel like you are working with JSON

pkgs.python312Packages.xmltodict.x86_64-linux

Makes working with XML feel like you are working with JSON

pkgs.python312Packages.xmltodict.aarch64-linux

Makes working with XML feel like you are working with JSON

pkgs.python312Packages.xmltodict.x86_64-darwin

Makes working with XML feel like you are working with JSON

pkgs.python312Packages.xmltodict.aarch64-darwin

Makes working with XML feel like you are working with JSON

CVE-2025-7969
created 3 days, 7 hours ago
Markdown-it 14.1.0 - Cross-site scripting (XSS)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs. This issue affects markdown-it: 14.1.0.

Affected products

markdown-it
  • ==14.1.0

Matching in nixpkgs

pkgs.python311Packages.markdown-it-py

Markdown parser in Python

pkgs.python312Packages.markdown-it-py.x86_64-linux

Markdown parser in Python

pkgs.python312Packages.markdown-it-py.aarch64-linux

Markdown parser in Python

pkgs.python312Packages.markdown-it-py.x86_64-darwin

Markdown parser in Python

pkgs.python312Packages.markdown-it-py.aarch64-darwin

Markdown parser in Python

Package maintainers: 1

CVE-2023-0835
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 days, 7 hours ago
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain …

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

Affected products

markdown-pdf
  • ==11.0.0

Matching in nixpkgs

pkgs.vscode-extensions.yzane.markdown-pdf

Converts Markdown files to pdf, html, png or jpeg files

pkgs.vscode-extensions.yzane.markdown-pdf.x86_64-linux

Converts Markdown files to pdf, html, png or jpeg files

pkgs.vscode-extensions.yzane.markdown-pdf.aarch64-linux

Converts Markdown files to pdf, html, png or jpeg files

Package maintainers: 1

CVE-2025-58822
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 days, 9 hours ago
WordPress WP Mail Plugin <= 1.3 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail allows DOM-Based XSS. This issue affects WP Mail: from n/a through 1.3.

Affected products

wp-mail
  • =<1.3

Matching in nixpkgs