Nixpkgs Security Tracker


Automatically generated suggestions


CVE-2025-48797
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 3 weeks ago
GIMP: multiple heap buffer overflows in TGA parser

A flaw was found in GIMP when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into serious memory errors, including a heap buffer overflow, potentially leading to crashes.

Affected products

gimp
  • *
  • <3.0.0
gimp:2.8
  • *
gimp:2.8/gimp

Matching in nixpkgs

pkgs.zigimports

Automatically remove unused imports and globals from Zig files

pkgs.gimpPlugins.bimp

Batch Image Manipulation Plugin for GIMP

pkgs.gimpPlugins.gmic

GIMP plugin for the G'MIC image processing framework

pkgs.gimp3Plugins.gimp

GNU Image Manipulation Program

pkgs.gimp3Plugins.gmic

GIMP plugin for the G'MIC image processing framework

pkgs.gimp3-with-plugins

GNU Image Manipulation Program

pkgs.gimpPlugins.fourier

GIMP plug-in to do the fourier transform

pkgs.gimpPlugins.lightning

  • nixos-25.05
    • nixos-25.05-small
  • nixos-unstable
    • nixos-unstable-small
    • nixpkgs-unstable

pkgs.gimp3Plugins.lightning

  • nixos-25.05
    • nixos-25.05-small
  • nixos-unstable
    • nixos-unstable-small
    • nixpkgs-unstable

Package maintainers: 3

CVE-2025-23394
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 3 weeks ago
daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root. This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

Affected products

cyrus-imapd
  • <3.8.4-2.1

Matching in nixpkgs

Package maintainers: 2

CVE-2025-32286
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 3 weeks ago
WordPress Butcher <= 2.40 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Butcher allows PHP Local File Inclusion. This issue affects Butcher: from n/a through 2.40.

Affected products

butcher
  • =<2.40

Matching in nixpkgs

pkgs.haskellPackages.butcher

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.x86_64-linux

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.aarch64-linux

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.x86_64-darwin

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.aarch64-darwin

Chops a command or program invocation into digestible pieces

CVE-2025-46448
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months, 3 weeks ago
WordPress Document Management System <= 1.24 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reifsnyderb Document Management System allows Reflected XSS. This issue affects Document Management System: from n/a through 1.24.

Affected products

dms
  • =<1.24

Matching in nixpkgs

pkgs.dms

UPnP DLNA Digital Media Server with basic video transcoding

pkgs.haskellPackages.amazonka-dms

Amazon Database Migration Service SDK

pkgs.azure-cli-extensions.dms-preview

Support for new Database Migration Service scenarios

pkgs.python313Packages.mypy-boto3-dms

Type annotations for boto3 dms

pkgs.home-assistant-component-tests.dlna_dms

Open source home automation that puts local control and privacy first

pkgs.python311Packages.types-aiobotocore-dms

Type annotations for aiobotocore dms

pkgs.python312Packages.types-aiobotocore-dms

Type annotations for aiobotocore dms

pkgs.python313Packages.types-aiobotocore-dms

Type annotations for aiobotocore dms

pkgs.python312Packages.ndms2-client.x86_64-linux

Keenetic NDMS 2.x and 3.x client

pkgs.python312Packages.ndms2-client.aarch64-linux

Keenetic NDMS 2.x and 3.x client

pkgs.python312Packages.ndms2-client.x86_64-darwin

Keenetic NDMS 2.x and 3.x client

pkgs.python312Packages.mypy-boto3-dms.x86_64-linux

Type annotations for boto3 dms

pkgs.python312Packages.ndms2-client.aarch64-darwin

Keenetic NDMS 2.x and 3.x client

pkgs.python312Packages.mypy-boto3-dms.aarch64-linux

Type annotations for boto3 dms

pkgs.python312Packages.mypy-boto3-dms.x86_64-darwin

Type annotations for boto3 dms

pkgs.python312Packages.mypy-boto3-dms.aarch64-darwin

Type annotations for boto3 dms

pkgs.python312Packages.types-aiobotocore-dms.x86_64-linux

Type annotations for aiobotocore dms

pkgs.python312Packages.types-aiobotocore-dms.aarch64-linux

Type annotations for aiobotocore dms

pkgs.python312Packages.types-aiobotocore-dms.x86_64-darwin

Type annotations for aiobotocore dms

pkgs.python312Packages.types-aiobotocore-dms.aarch64-darwin

Type annotations for aiobotocore dms

Package maintainers: 9

CVE-2025-32293
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 3 weeks ago
WordPress Finance Consultant <= 2.8 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in designthemes Finance Consultant allows Object Injection. This issue affects Finance Consultant: from n/a through 2.8.

Affected products

finance
  • =<2.8

Matching in nixpkgs

pkgs.python311Packages.yfinance

Module to download Yahoo! Finance market data

pkgs.python312Packages.yfinance

Module to download Yahoo! Finance market data

pkgs.python313Packages.yfinance

Module to download Yahoo! Finance market data

pkgs.python311Packages.mplfinance

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python312Packages.mplfinance

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python313Packages.mplfinance

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python311Packages.finvizfinance

Finviz Finance information downloader

pkgs.python312Packages.finvizfinance

Finviz Finance information downloader

pkgs.python313Packages.finvizfinance

Finviz Finance information downloader

pkgs.python312Packages.yfinance.x86_64-linux

Module to download Yahoo! Finance market data

pkgs.python312Packages.yfinance.aarch64-linux

Module to download Yahoo! Finance market data

pkgs.python312Packages.yfinance.x86_64-darwin

Module to download Yahoo! Finance market data

pkgs.python312Packages.mplfinance.x86_64-linux

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python312Packages.yfinance.aarch64-darwin

Module to download Yahoo! Finance market data

pkgs.python312Packages.mplfinance.aarch64-linux

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python312Packages.mplfinance.x86_64-darwin

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python312Packages.mplfinance.aarch64-darwin

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python312Packages.finvizfinance.x86_64-linux

Finviz Finance information downloader

pkgs.python312Packages.finvizfinance.aarch64-linux

Finviz Finance information downloader

pkgs.python312Packages.finvizfinance.x86_64-darwin

Finviz Finance information downloader

pkgs.python312Packages.finvizfinance.aarch64-darwin

Finviz Finance information downloader

Package maintainers: 2

CVE-2024-22309
8.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months, 3 weeks ago
WordPress ChatBot Plugin <= 5.1.0 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI. This issue affects ChatBot with AI: from n/a through 5.1.0.

Affected products

chatbot
  • =<5.1.0

Matching in nixpkgs

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that uses openrouter.ai services - a platform/marketplace that offers APIs to talk to LLMs. Some of these APIs are free to use, including the one used by default in the extension: Llama 3.1 8B.

Package maintainers: 1

CVE-2023-52125
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months, 3 weeks ago
WordPress iFrame Plugin <= 4.8 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly iframe allows Stored XSS. This issue affects iframe: from n/a through 4.8.

Affected products

iframe
  • =<4.8

Matching in nixpkgs

CVE-2025-31423
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 3 weeks ago
WordPress Umberto <= 1.2.8 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto allows Object Injection. This issue affects Umberto: from n/a through 1.2.8.

Affected products

umberto
  • =<1.2.8

Matching in nixpkgs

pkgs.vimPlugins.vim-numbertoggle.x86_64-linux

pkgs.vimPlugins.vim-numbertoggle.aarch64-linux

pkgs.vimPlugins.vim-numbertoggle.x86_64-darwin

pkgs.vimPlugins.vim-numbertoggle.aarch64-darwin

CVE-2025-32285
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months, 3 weeks ago
WordPress Butcher theme <= 2.40 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Butcher allows Reflected XSS. This issue affects Butcher: from n/a through 2.40.

Affected products

butcher
  • =<2.40

Matching in nixpkgs

pkgs.haskellPackages.butcher

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.x86_64-linux

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.aarch64-linux

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.x86_64-darwin

Chops a command or program invocation into digestible pieces

pkgs.haskellPackages.butcher.aarch64-darwin

Chops a command or program invocation into digestible pieces

CVE-2025-5024
7.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months, 3 weeks ago
gnome-remote-desktop: uncontrolled resource consumption due to malformed RDP PDUs

A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop listens for RDP connections, an unauthenticated attacker can exhaust system resources and repeatedly crash the process. After many such attacks a resource leak may remain, leaving gnome-remote-desktop unable to open files even after it is restarted via systemd.

Affected products

gnome-remote-desktop
  • *

Matching in nixpkgs

pkgs.gnome-remote-desktop

GNOME Remote Desktop server

Package maintainers: 4