Nixpkgs security tracker

Permalink CVE-2026-29789

10.0 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month, 1 week ago

Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.

References

https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76 x_refsource_CONFIRM
https://github.com/vitodeploy/vito/pull/1036 x_refsource_MISC
https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326 x_refsource_MISC
https://github.com/vitodeploy/vito/releases/tag/3.20.3 x_refsource_MISC

Affected products

vito

==< 3.20.3

Matching in nixpkgs

pkgs.ovito

Scientific visualization and analysis software for atomistic and particle simulation data

nixos-unstable 3.14.1
- nixpkgs-unstable 3.14.1
- nixos-unstable-small 3.14.1
nixos-25.11 3.14.1
- nixos-25.11-small 3.14.1
- nixpkgs-25.11-darwin 3.14.1

pkgs.nvitop

Interactive NVIDIA-GPU process viewer, the one-stop solution for GPU process management

nixos-unstable 1.6.2
- nixpkgs-unstable 1.6.2
- nixos-unstable-small 1.6.2
nixos-25.11 1.6.0
- nixos-25.11-small 1.6.0
- nixpkgs-25.11-darwin 1.6.0

pkgs.python312Packages.devito

Code generation framework for automated finite difference computation

nixos-25.11 4.8.19
- nixos-25.11-small 4.8.19
- nixpkgs-25.11-darwin 4.8.19

pkgs.python313Packages.devito

Code generation framework for automated finite difference computation

nixos-unstable 4.8.20
- nixpkgs-unstable 4.8.20
- nixos-unstable-small 4.8.20
nixos-25.11 4.8.19
- nixos-25.11-small 4.8.19
- nixpkgs-25.11-darwin 4.8.19

pkgs.python314Packages.devito

Code generation framework for automated finite difference computation

nixos-unstable 4.8.20
- nixpkgs-unstable 4.8.20
- nixos-unstable-small 4.8.20

Package maintainers

@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
@twhitehead Tyson Whitehead <twhitehead@gmail.com>
@CHN-beta Haonan Chen <chn@chn.moe>
@AtilaSaraiva Átila Saraiva <atilasaraiva@gmail.com>

Permalink CVE-2025-24022

8.6 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 3 months ago

iTop server vulnerable to portal code injection

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.