Nixpkgs Security Tracker

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done here might be wiped later without notice.

Automatically generated suggestions

Each suggestion pairs a CVE with the nixpkgs attributes whose name contains the affected product name. The match is purely lexical (the product "spare" matches pkgs.asciiquarium-transparent, "valen" matches pkgs.haskellPackages.equivalence), so a listed package is a candidate for review, not a confirmed affected package; the version constraints under "Affected products" still have to be checked against the package's actual version.

CVE-2025-31638
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months, 1 week ago
WordPress Spare <= 1.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.

Affected products

spare
  • =<1.7

Matching in nixpkgs

pkgs.asciiquarium-transparent

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.gnomeExtensions.transparent-top-bar

Bring back the transparent top bar when free-floating in GNOME Shell 3.32.

pkgs.vimPlugins.transparent-nvim.x86_64-linux

pkgs.gnomeExtensions.transparent-window-moving

Makes the window semi-transparent when moving or resizing

pkgs.vimPlugins.transparent-nvim.aarch64-linux

pkgs.vimPlugins.transparent-nvim.x86_64-darwin

pkgs.vimPlugins.transparent-nvim.aarch64-darwin

pkgs.gnomeExtensions.transparent-top-bar-adjustable-transparency

Fork of: https://github.com/zhanghai/gnome-shell-extension-transparent-top-bar

Package maintainers: 4

CVE-2025-39476
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
WordPress Revo theme <= 4.0.26 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Revo allows PHP Local File Inclusion. This issue affects Revo: from n/a through 4.0.26.

Affected products

revo
  • =<4.0.26

Matching in nixpkgs

pkgs.prevo

offline version of the Esperanto dictionary Reta Vortaro

pkgs.adminerevo

Database management in a single PHP file

pkgs.prevo-tools

CLI tools for the offline version of the Esperanto dictionary Reta Vortaro

pkgs.revolt-desktop

Open source user-first chat platform

pkgs.python311Packages.pyrevolve

Python library to manage checkpointing for adjoints

pkgs.python312Packages.pyrevolve

Python library to manage checkpointing for adjoints

pkgs.revolt-desktop.x86_64-linux

Open source user-first chat platform

pkgs.revolt-desktop.aarch64-linux

Open source user-first chat platform

pkgs.revolt-desktop.x86_64-darwin

Open source user-first chat platform

pkgs.revolt-desktop.aarch64-darwin

Open source user-first chat platform

pkgs.python312Packages.brevo-python

Fully-featured Python API client to interact with Brevo

pkgs.python313Packages.brevo-python

Fully-featured Python API client to interact with Brevo

Package maintainers: 8

CVE-2025-28945
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
WordPress Valen - Sport, Fashion WooCommerce WordPress Theme <= 2.4 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Valen - Sport, Fashion WooCommerce WordPress Theme: from n/a through 2.4.

Affected products

valen
  • =<2.4

Matching in nixpkgs

pkgs.haskellPackages.equivalence

Maintaining an equivalence relation implemented as union-find using STT

pkgs.sbclPackages.cl-prevalence.x86_64-linux

pkgs.haskellPackages.equivalence.x86_64-linux

Maintaining an equivalence relation implemented as union-find using STT

pkgs.sbclPackages.cl-prevalence.aarch64-linux

pkgs.sbclPackages.cl-prevalence.x86_64-darwin

pkgs.haskellPackages.equivalence.aarch64-linux

Maintaining an equivalence relation implemented as union-find using STT

pkgs.haskellPackages.equivalence.x86_64-darwin

Maintaining an equivalence relation implemented as union-find using STT

pkgs.sbclPackages.cl-prevalence.aarch64-darwin

pkgs.haskellPackages.equivalence.aarch64-darwin

Maintaining an equivalence relation implemented as union-find using STT

pkgs.vscode-extensions.valentjn.vscode-ltex.x86_64-linux

pkgs.vscode-extensions.valentjn.vscode-ltex.aarch64-linux

pkgs.vscode-extensions.valentjn.vscode-ltex.x86_64-darwin

pkgs.vscode-extensions.valentjn.vscode-ltex.aarch64-darwin

Package maintainers: 7

CVE-2025-31396
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
WordPress FLAP - Business WordPress Theme <= 1.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

Affected products

flap
  • =<1.5

Matching in nixpkgs

pkgs.jflap

GUI tool for experimenting with formal languages topics

Package maintainers: 2

CVE-2025-5917
2.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months, 1 week ago
Libarchive: off by one error in build_ustar_entry_name() at archive_write_set_format_pax.c

A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.

Affected products

rhcos
libarchive
  • <3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

pkgs.python311Packages.libarchive-c

Python interface to libarchive

pkgs.python312Packages.libarchive-c

Python interface to libarchive

pkgs.python313Packages.libarchive-c

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive.x86_64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.aarch64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.x86_64-darwin

Haskell interface to libarchive

pkgs.python311Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.haskellPackages.libarchive.aarch64-darwin

Haskell interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-darwin

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-darwin

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit.x86_64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.x86_64-darwin

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-darwin

Read many archive formats with libarchive and conduit

Package maintainers: 10

CVE-2025-32291
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
WordPress SUMO Affiliates Pro <= 10.7.0 - Arbitrary File Upload Vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in FantasticPlugins SUMO Affiliates Pro allows Using Malicious Files. This issue affects SUMO Affiliates Pro: from n/a through 10.7.0.

Affected products

affs
  • =<10.7.0

Matching in nixpkgs

pkgs.unyaffs

Tool to extract files from a YAFFS2 file system image

Package maintainers: 2

CVE-2025-47711
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months, 1 week ago
Nbdkit: nbdkit-server: off-by-one error when processing block status may lead to a denial of service

There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.

Affected products

nbdkit
  • <1.42.3
  • <1.40.6
  • <1.38.6
virt:av/nbdkit
virt:8.2/nbdkit
virt:rhel/nbdkit

Matching in nixpkgs

pkgs.nbdkit

NBD server with stable plugin ABI and permissive license

Package maintainers: 1
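Two things the listing leaves to the reader are worth automating before anyone queues a suggestion: the nbdkit entry above gives one fix version per stable branch (1.42.3, 1.40.6, 1.38.6), so a naive "version < 1.42.3" test would mark a fixed 1.40.6 as vulnerable, and the "Matching in nixpkgs" lists throughout the page are substring hits on the product name. The following is an added example, not code from the Nixpkgs Security Tracker: it parses the constraint spellings the page uses ("<3.8.0", "=<1.7"), picks the bound on the same branch as the version under test, and keeps only exact pname matches in the affected range. The product names and constraints are taken from the entries above; the nixpkgs versions in SAMPLE_NIXPKGS are constructed for the example and are not nixpkgs' real ones.

```python
"""Triage helper for the tracker's suggestions.

Added example, not code from the Nixpkgs Security Tracker. It shows two
checks the listing leaves to the reader:

1. A constraint list such as ["<1.42.3", "<1.40.6", "<1.38.6"] gives the
   first fixed release of each stable branch. Testing a version only against
   the highest bound would mark 1.40.6 (fixed) as affected.
2. "Matching in nixpkgs" is a lexical match on the product name, which is why
   the product "spare" lists pkgs.asciiquarium-transparent. Requiring an exact
   pname plus an affected version drops such hits.

Versions in SAMPLE_NIXPKGS are constructed for the example.
"""
import re


def parse_version(s):
    """'1.40.6' -> (1, 40, 6); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def parse_constraint(c):
    """Tracker spellings: '<3.8.0' -> ('<', (3, 8, 0)); '=<1.7' -> ('<=', (1, 7))."""
    m = re.fullmatch(r"\s*(=<|<=|<)\s*(\S+)\s*", c)
    if not m:
        raise ValueError(f"unsupported constraint: {c!r}")
    op = "<=" if m.group(1) in ("=<", "<=") else "<"
    return op, parse_version(m.group(2))


def compare(a, b):
    """Three-way compare of version tuples, zero-padded so 3.8 == 3.8.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version, constraints, branch_len=2):
    """True if `version` lies inside the affected range.

    The bound sharing its first `branch_len` components with `version` is
    that branch's fix. If no bound is on the same branch, the highest bound
    is used: an unlisted older branch then counts as affected and a newer
    branch as fixed, which is the conservative reading of the entry.
    """
    v = parse_version(version)
    bounds = [parse_constraint(c) for c in constraints]
    same_branch = [ob for ob in bounds
                   if compare(ob[1][:branch_len], v[:branch_len]) == 0]
    op, bound = max(same_branch or bounds, key=lambda ob: ob[1])
    c = compare(v, bound)
    return c < 0 or (op == "<=" and c == 0)


def candidates(product, constraints, packages):
    """Filter the tracker's lexical hits.

    `packages` is an iterable of (attribute, pname, version). Returns
    (kept, dropped): kept are exact-pname matches in the affected range,
    dropped pairs each rejected lexical hit with the reason.
    """
    kept, dropped = [], []
    for attr, pname, version in packages:
        if product not in pname:  # the tracker would not list it at all
            continue
        if pname != product:
            dropped.append((attr, "substring match only"))
        elif not is_affected(version, constraints):
            dropped.append((attr, f"version {version} is not in the affected range"))
        else:
            kept.append(attr)
    return kept, dropped


# Constructed sample: attribute names appear in the listing, versions do not.
SAMPLE_NIXPKGS = [
    ("pkgs.nbdkit", "nbdkit", "1.40.5"),
    ("pkgs.libarchive", "libarchive", "3.8.0"),
    ("pkgs.asciiquarium-transparent", "asciiquarium-transparent", "1.1"),
    ("pkgs.prevo", "prevo", "0.1"),
]

# Product names and constraints exactly as the page's entries state them.
SAMPLE_CVES = {
    "CVE-2025-47711": ("nbdkit", ["<1.42.3", "<1.40.6", "<1.38.6"]),
    "CVE-2025-5917": ("libarchive", ["<3.8.0"]),
    "CVE-2025-31638": ("spare", ["=<1.7"]),
    "CVE-2025-39476": ("revo", ["=<4.0.26"]),
}


def triage(cves=SAMPLE_CVES, packages=SAMPLE_NIXPKGS):
    """Map each CVE id to the attributes that still merit a human look."""
    return {cve: candidates(product, cons, packages)[0]
            for cve, (product, cons) in cves.items()}


if __name__ == "__main__":
    for cve, kept in triage().items():
        print(cve, kept or "no confirmed candidate")
```

With the constructed versions, only pkgs.nbdkit at 1.40.5 survives (it sits below its branch's fix 1.40.6); libarchive 3.8.0 is exactly the fixed release, and the WordPress theme hits are discarded as substring matches. The branch rule is a heuristic on the first two version components, so check it against the upstream advisory for projects whose stable branches are cut differently.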

CVE-2025-5916
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months, 1 week ago
Libarchive: integer overflow while reading warc files at archive_read_support_format_warc.c

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.

Affected products

rhcos
libarchive
  • <3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

pkgs.python311Packages.libarchive-c

Python interface to libarchive

pkgs.python312Packages.libarchive-c

Python interface to libarchive

pkgs.python313Packages.libarchive-c

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive.x86_64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.aarch64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.x86_64-darwin

Haskell interface to libarchive

pkgs.python311Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.haskellPackages.libarchive.aarch64-darwin

Haskell interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-darwin

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-darwin

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit.x86_64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.x86_64-darwin

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-darwin

Read many archive formats with libarchive and conduit

Package maintainers: 10

CVE-2025-31061
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months, 1 week ago
WordPress Wishlist plugin <= 2.1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Wishlist allows Reflected XSS. This issue affects Wishlist: from n/a through 2.1.0.

Affected products

wishlist
  • =<2.1.0

Matching in nixpkgs

Package maintainers: 2

CVE-2025-47712
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months, 1 week ago
CISA ADP Vulnrichment

None

Affected products

nbdkit
  • <1.42.3
  • <1.40.6
  • <1.38.6
virt:av/nbdkit
virt:8.2/nbdkit
virt:rhel/nbdkit

Matching in nixpkgs

pkgs.nbdkit

NBD server with stable plugin ABI and permissive license

Package maintainers: 1