Nixpkgs Security Tracker

CVE-2025-54724

7.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 3 days, 11 hours ago

WordPress Golo Theme <= 1.7.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo allows Reflected XSS. This issue affects Golo: from n/a through 1.7.1.

Affected products

golo

=<1.7.1

Matching in nixpkgs

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

nixos-25.05 ???
- nixos-25.05-small 0.8.1
nixos-25.11 0.8.2
- nixpkgs-25.11-darwin 0.8.2
nixos-unstable 0.8.1
- nixos-unstable-small 0.8.2
- nixpkgs-unstable 0.8.2

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

nixos-25.05 ???
- nixos-25.05-small 0.5.4
nixos-25.11 0.6.0
- nixpkgs-25.11-darwin 0.6.0
nixos-unstable 0.5.4
- nixos-unstable-small 0.6.0
- nixpkgs-unstable 0.5.3

pkgs.ligolo-ng.x86_64-linux

Tunneling/pivoting tool that uses a TUN interface

nixos-unstable ???
- nixos-unstable-small 0.6.2

pkgs.ligolo-ng.aarch64-linux

Tunneling/pivoting tool that uses a TUN interface

nixos-unstable ???
- nixos-unstable-small 0.6.2

pkgs.ligolo-ng.x86_64-darwin

Tunneling/pivoting tool that uses a TUN interface

nixos-unstable ???
- nixos-unstable-small 0.6.2

pkgs.ligolo-ng.aarch64-darwin

Tunneling/pivoting tool that uses a TUN interface

nixos-unstable ???
- nixos-unstable-small 0.6.2

Package maintainers: 3

@bobby285271 Bobby Rong <rjl931189261@126.com>
@romildo José Romildo Malaquias <malaquias@gmail.com>
@muscaln Mustafa Çalışkan <muscaln@protonmail.com>

CVE-2025-54670

7.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 3 days, 12 hours ago

WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.

Affected products

oik

=<4.15.2

Matching in nixpkgs

pkgs.libvoikko

Finnish language processing library

nixos-25.05 ???
- nixos-25.05-small 4.3.2
nixos-25.11 4.3.3
- nixpkgs-25.11-darwin 4.3.3
nixos-unstable 4.3.3
- nixos-unstable-small 4.3.2
- nixpkgs-unstable 4.3.3

pkgs.voikko-fi

Description of Finnish morphology written for libvoikko

nixos-25.11 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.libvoikko.x86_64-linux

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

pkgs.libvoikko.aarch64-linux

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

pkgs.libvoikko.x86_64-darwin

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

pkgs.libvoikko.aarch64-darwin

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

Package maintainers: 2

@Lurkki14 Jussi Kuokkanen <jussi.kuokkanen@protonmail.com>
@lajp Luukas Pörtfors <lajp@iki.fi>

CVE-2025-49436

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 3 days, 12 hours ago

WordPress Custom Menu plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thiudis Custom Menu allows Stored XSS. This issue affects Custom Menu: from n/a through 1.8.

Affected products

custom-menu

=<1.8

Matching in nixpkgs

pkgs.gnomeExtensions.custom-menu

Custom application menu with JSON configuration. Launch apps with specific profiles or execute toggle commands (e.g., for mounted drives) directly from your GNOME menu.

nixos-25.05 ???
- nixos-25.05-small 2
nixos-25.11 3
- nixpkgs-25.11-darwin 3
nixos-unstable 2
- nixos-unstable-small 2
- nixpkgs-unstable 2

pkgs.gnomeExtensions.custom-menu-panel

Quick custom menu for launching your favorite applications

nixos-25.11 6
- nixpkgs-25.11-darwin 6

Package maintainers: 1

@honnip Jung seungwoo <me@honnip.page>

CVE-2025-54671

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

created 3 days, 12 hours ago

WordPress oik Plugin plugin <= 4.15.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2.

Affected products

oik

=<4.15.2

Matching in nixpkgs

pkgs.libvoikko

Finnish language processing library

nixos-25.05 ???
- nixos-25.05-small 4.3.2
nixos-25.11 4.3.3
- nixpkgs-25.11-darwin 4.3.3
nixos-unstable 4.3.2
- nixos-unstable-small 4.3.2
- nixpkgs-unstable 4.3.3

pkgs.voikko-fi

Description of Finnish morphology written for libvoikko

nixos-25.11 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.libvoikko.x86_64-linux

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

pkgs.libvoikko.aarch64-linux

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

pkgs.libvoikko.x86_64-darwin

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

pkgs.libvoikko.aarch64-darwin

Finnish language processing library

nixos-unstable ???
- nixos-unstable-small 4.3.2

Package maintainers: 2

@Lurkki14 Jussi Kuokkanen <jussi.kuokkanen@protonmail.com>
@lajp Luukas Pörtfors <lajp@iki.fi>

CVE-2025-55716

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

created 3 days, 12 hours ago

WordPress WP Statistics Plugin <= 14.15 - Broken Access Control Vulnerability

Missing Authorization vulnerability in VeronaLabs WP Statistics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Statistics: from n/a through 14.15.

Affected products

wp-statistics

=<14.15

Matching in nixpkgs

pkgs.wordpressPackages.plugins.wp-statistics

nixos-25.05 ???
- nixos-25.05-small 14.13.1
nixos-25.11 14.13.1
- nixpkgs-25.11-darwin 14.13.1
nixos-unstable 14.13.1
- nixos-unstable-small 14.13.1
- nixpkgs-unstable 14.13.1

CVE-2025-49052

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

created 3 days, 12 hours ago

WordPress Netease Music plugin <= 3.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Dariolee Netease Music allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Netease Music: from n/a through 3.2.1.

Affected products

netease-music

=<3.2.1

Matching in nixpkgs

pkgs.emacsPackages.netease-music

nixos-unstable 20210411.603
- nixos-unstable-small 20210411.603
- nixpkgs-unstable 20210411.603

CVE-2025-28975

7.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 3 days, 12 hours ago

WordPress Alike - WordPress Custom Post Comparison <= 3.0.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Alike - WordPress Custom Post Comparison allows Reflected XSS. This issue affects Alike - WordPress Custom Post Comparison: from n/a through 3.0.1.

Affected products

alike

=<3.0.1

Matching in nixpkgs

pkgs.soundalike

Find duplicate audio files using acoustic fingerprints

nixos-25.05 ???
- nixos-25.05-small 0.1.2
nixos-25.11 0.1.2
- nixpkgs-25.11-darwin 0.1.2
nixos-unstable 0.1.2
- nixos-unstable-small 0.1.2
- nixpkgs-unstable 0.1.2

pkgs.typstPackages.latex-lookalike

LaTeX style for Typst

nixos-25.11 0.1.4

pkgs.typstPackages.latex-lookalike_0_1_0

LaTeX style for Typst

nixos-25.11 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.typstPackages.latex-lookalike_0_1_1

LaTeX style for Typst

nixos-25.11 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.typstPackages.latex-lookalike_0_1_2

LaTeX style for Typst

nixos-25.11 0.1.2
- nixpkgs-25.11-darwin 0.1.2

pkgs.typstPackages.latex-lookalike_0_1_3

LaTeX style for Typst

nixos-25.11 0.1.3
- nixpkgs-25.11-darwin 0.1.3

pkgs.typstPackages.latex-lookalike_0_1_4

LaTeX style for Typst

nixos-25.11 0.1.4
- nixpkgs-25.11-darwin 0.1.4

pkgs.gnomeExtensions.compiz-alike-magic-lamp-effect

Magic lamp effect inspired by the Compiz ones

nixos-25.05 ???
- nixos-25.05-small 21
nixos-25.11 22
- nixpkgs-25.11-darwin 22
nixos-unstable 21
- nixos-unstable-small 21
- nixpkgs-unstable 20

Package maintainers: 3

@honnip Jung seungwoo <me@honnip.page>
@atar13 Anthony Tarbinian <atar137h@gmail.com>
@cherrypiejam Gongqi Huang

CVE-2024-1979

3.5 LOW

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 2 weeks, 1 day ago

Quarkus: information leak in annotation

A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.

Affected products

quarkus

<3.2.11

io.quarkus/quarkus-openshift

io.quarkus/quarkus-kubernetes-deployment

*

Matching in nixpkgs

pkgs.quarkus

Quarkus is a Kubernetes-native Java framework tailored for GraalVM and HotSpot, crafted from best-of-breed Java libraries and standards

nixos-25.05 ???
- nixos-25.05-small 3.22.2
nixos-unstable 3.24.5
- nixos-unstable-small 3.17.3
- nixpkgs-unstable 3.24.5

pkgs.quarkus.x86_64-linux

Quarkus is a Kubernetes-native Java framework tailored for GraalVM and HotSpot, crafted from best-of-breed Java libraries and standards

nixos-unstable 3.17.3

pkgs.quarkus.aarch64-linux

Quarkus is a Kubernetes-native Java framework tailored for GraalVM and HotSpot, crafted from best-of-breed Java libraries and standards

nixos-unstable 3.17.3

pkgs.quarkus.x86_64-darwin

Quarkus is a Kubernetes-native Java framework tailored for GraalVM and HotSpot, crafted from best-of-breed Java libraries and standards

nixos-unstable 3.17.3

pkgs.quarkus.aarch64-darwin

Quarkus is a Kubernetes-native Java framework tailored for GraalVM and HotSpot, crafted from best-of-breed Java libraries and standards

nixos-unstable 3.17.3

Package maintainers: 1

@vinetos vinetos <vinetosdev@gmail.com>

CVE-2021-4472

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 6 days, 1 hour ago by @fricklerhandwerk Activity log

Created automatic suggestion 2 weeks, 1 day ago
@fricklerhandwerk removed package mistralclient 6 days, 1 hour ago

Python-mistralclient: mistral-dashboard: local file inclusion through the 'create workbook' feature

The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content.

Affected products

python-mistralclient

rhosp13/openstack-zaqar

rhosp13/openstack-ec2-api

rhosp13/openstack-horizon

rhosp13/openstack-tempest

rhosp13/openstack-aodh-api

rhosp13/openstack-collectd

rhosp13/openstack-heat-all

rhosp13/openstack-heat-api

rhosp13/openstack-keystone

rhosp13/openstack-nova-api

rhosp13/openstack-aodh-base

rhosp13/openstack-heat-base

rhosp13/openstack-nova-base

rhosp13/openstack-panko-api

rhosp13/openstack-cinder-api

rhosp13/openstack-glance-api

rhosp13/openstack-ironic-api

rhosp13/openstack-ironic-pxe

rhosp13/openstack-manila-api

rhosp13/openstack-panko-base

rhosp13/openstack-sahara-api

rhosp13/openstack-swift-base

rhosp13/openstack-cinder-base

rhosp13/openstack-glance-base

rhosp13/openstack-gnocchi-api

rhosp13/openstack-heat-engine

rhosp13/openstack-ironic-base

rhosp13/openstack-manila-base

rhosp13/openstack-mistral-api

rhosp13/openstack-octavia-api

rhosp13/openstack-sahara-base

rhosp-rhel8/openstack-heat-all

rhosp-rhel8/openstack-heat-api

rhosp-rhel9/openstack-heat-all

rhosp-rhel9/openstack-heat-api

rhosp13/openstack-barbican-api

rhosp13/openstack-dependencies

rhosp13/openstack-gnocchi-base

rhosp13/openstack-heat-api-cfn

rhosp13/openstack-horizon-base

rhosp13/openstack-manila-share

rhosp13/openstack-mistral-base

rhosp13/openstack-neutron-base

rhosp13/openstack-nova-compute

rhosp13/openstack-octavia-base

rhosp13/openstack-swift-object

rhosp-rhel8/openstack-heat-base

rhosp-rhel9/openstack-heat-base

rhosp13/openstack-aodh-listener

rhosp13/openstack-aodh-notifier

rhosp13/openstack-barbican-base

rhosp13/openstack-cinder-backup

rhosp13/openstack-cinder-volume

rhosp13/openstack-keystone-base

rhosp13/openstack-sahara-engine

rhosp13/openstack-swift-account

rhosp13/openstack-aodh-evaluator

rhosp13/openstack-gnocchi-statsd

rhosp13/openstack-mistral-engine

rhosp13/openstack-neutron-server

rhosp13/openstack-nova-conductor

rhosp13/openstack-nova-scheduler

rhosp13/openstack-octavia-worker

rhosp-rhel8/openstack-heat-engine

rhosp-rhel8/openstack-mistral-api

rhosp-rhel9/openstack-heat-engine

rhosp13/openstack-barbican-worker

rhosp13/openstack-ceilometer-base

rhosp13/openstack-ceilometer-ipmi

rhosp13/openstack-gnocchi-metricd

rhosp13/openstack-nova-novncproxy

rhosp13/openstack-swift-container

rhosp-rhel8/openstack-heat-api-cfn

rhosp-rhel8/openstack-mistral-base

rhosp-rhel9/openstack-heat-api-cfn

rhosp13/openstack-cinder-scheduler

rhosp13/openstack-ironic-conductor

rhosp13/openstack-ironic-inspector

rhosp13/openstack-manila-scheduler

rhosp13/openstack-mistral-executor

rhosp13/openstack-neutron-l3-agent

rhosp13/openstack-nova-consoleauth

rhosp-rhel8/openstack-tripleoclient

rhosp-rhel9/openstack-tripleoclient

rhosp-rhel8/openstack-mistral-engine

rhosp-rhel8/openstack-nova-scheduler

rhosp13/openstack-ceilometer-central

rhosp13/openstack-ceilometer-compute

rhosp13/openstack-neutron-dhcp-agent

rhosp13/openstack-neutron-server-ovn

rhosp13/openstack-nova-placement-api

rhosp13/openstack-swift-proxy-server

rhosp13/openstack-neutron-sriov-agent

rhosp13/openstack-nova-compute-ironic

rhosp-rhel8/openstack-mistral-executor

rhosp13/openstack-ironic-neutron-agent

rhosp13/openstack-mistral-event-engine

rhosp13/openstack-octavia-housekeeping

rhosp13/openstack-neutron-metadata-agent

rhosp13/openstack-octavia-health-manager

rhosp13/openstack-ceilometer-notification

rhosp-rhel8/openstack-mistral-event-engine

rhosp13/openstack-neutron-openvswitch-agent

rhosp13/openstack-barbican-keystone-listener

rhosp13/openstack-neutron-metadata-agent-ovn

rhosp13/openstack-neutron-server-opendaylight

Matching in nixpkgs

pkgs.python311Packages.python-mistralclient

OpenStack Mistral Command-line Client

nixos-unstable 5.3.0
- nixos-unstable-small 5.3.0
- nixpkgs-unstable 5.3.0

pkgs.python312Packages.python-mistralclient

OpenStack Mistral Command-line Client

nixos-25.05 ???
- nixos-25.05-small 5.4.0
nixos-unstable 5.4.0
- nixos-unstable-small 5.4.0
- nixpkgs-unstable 5.4.0

pkgs.python313Packages.python-mistralclient

OpenStack Mistral Command-line Client

nixos-unstable 5.4.0
- nixos-unstable-small 5.4.0
- nixpkgs-unstable 5.4.0

Package maintainers: 3

@vinetos vinetos <vinetosdev@gmail.com>
@anthonyroussel Anthony Roussel <anthony@roussel.dev>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

CVE-2025-11935

created 2 weeks, 1 day ago

Forward Secrecy Violation in WolfSSL TLS 1.3

With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.

Affected products

wolfssl

==v5.8.2
<5.8.4

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

nixos-25.05 ???
- nixos-25.05-small 5.8.2
nixos-unstable 5.7.6
- nixos-unstable-small 5.8.2
- nixpkgs-unstable 5.7.6

Package maintainers: 2

@vifino Adrian Pistol <vifino@tty.sh>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Automatically generated suggestions

Affected products

Matching in nixpkgs

pkgs.ligolo-ng

pkgs.xfce.gigolo

pkgs.ligolo-ng.x86_64-linux

pkgs.ligolo-ng.aarch64-linux

pkgs.ligolo-ng.x86_64-darwin

pkgs.ligolo-ng.aarch64-darwin

Package maintainers: 3

Affected products

Matching in nixpkgs

pkgs.libvoikko

pkgs.voikko-fi

pkgs.libvoikko.x86_64-linux

pkgs.libvoikko.aarch64-linux

pkgs.libvoikko.x86_64-darwin

pkgs.libvoikko.aarch64-darwin

Package maintainers: 2

Affected products

Matching in nixpkgs

pkgs.gnomeExtensions.custom-menu

pkgs.gnomeExtensions.custom-menu-panel

Package maintainers: 1

Affected products

Matching in nixpkgs

pkgs.libvoikko

pkgs.voikko-fi

pkgs.libvoikko.x86_64-linux

pkgs.libvoikko.aarch64-linux

pkgs.libvoikko.x86_64-darwin

pkgs.libvoikko.aarch64-darwin

Package maintainers: 2

Affected products

Matching in nixpkgs

pkgs.wordpressPackages.plugins.wp-statistics

Affected products

Matching in nixpkgs

pkgs.emacsPackages.netease-music

Affected products

Matching in nixpkgs

pkgs.soundalike

pkgs.typstPackages.latex-lookalike

pkgs.typstPackages.latex-lookalike_0_1_0

pkgs.typstPackages.latex-lookalike_0_1_1

pkgs.typstPackages.latex-lookalike_0_1_2

pkgs.typstPackages.latex-lookalike_0_1_3

pkgs.typstPackages.latex-lookalike_0_1_4

pkgs.gnomeExtensions.compiz-alike-magic-lamp-effect

Package maintainers: 3

Affected products

Matching in nixpkgs

pkgs.quarkus

pkgs.quarkus.x86_64-linux

pkgs.quarkus.aarch64-linux

pkgs.quarkus.x86_64-darwin

pkgs.quarkus.aarch64-darwin

Package maintainers: 1

Affected products

Matching in nixpkgs

pkgs.python311Packages.python-mistralclient

pkgs.python312Packages.python-mistralclient

pkgs.python313Packages.python-mistralclient

Package maintainers: 3

Affected products

Matching in nixpkgs

pkgs.wolfssl

Package maintainers: 2