Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-23886
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 year, 4 months ago by @Erethon Activity log
  • Created suggestion 1 year, 4 months ago
  • @Erethon accepted 1 year, 4 months ago
  • @Erethon dismissed 1 year, 4 months ago
WordPress Annie plugin <= 2.1.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Roberts Annie allows Stored XSS.This issue affects Annie: from n/a through 2.1.1.

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

Package maintainers

Permalink CVE-2025-23892
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 year, 4 months ago by @Erethon Activity log
  • Created suggestion 1 year, 4 months ago
  • @Erethon accepted 1 year, 4 months ago
  • @Erethon dismissed 1 year, 4 months ago
WordPress Progress Tracker plugin <= 0.9.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS.This issue affects Progress Tracker: from n/a through 0.9.3.

Affected products

progress-tracker
  • =<0.9.3

Matching in nixpkgs

Package maintainers

Permalink CVE-2022-45836
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 year, 4 months ago by @Erethon Activity log
  • Created suggestion 1 year, 4 months ago
  • @Erethon accepted 1 year, 4 months ago
  • @Erethon dismissed 1 year, 4 months ago
  • @Erethon accepted 1 year, 4 months ago
  • @Erethon dismissed 1 year, 4 months ago
WordPress Download Manager Plugin <= 3.2.59 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in W3 Eden, Inc. Download Manager plugin <= 3.2.59 versions.

Affected products

download-manager
  • =<3.2.59

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-27456
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 year, 5 months ago by @LeSuisse Activity log
  • Created suggestion 1 year, 5 months ago
  • @LeSuisse dismissed 1 year, 5 months ago
WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through 2.1.19.

Affected products

total
  • =<2.1.19

Matching in nixpkgs

pkgs.autotalent

Real-time pitch correction LADSPA plugin (no MIDI control)

  • nixos-unstable 0.2
    • nixpkgs-unstable 0.2
    • nixos-unstable-small 0.2

Package maintainers

Permalink CVE-2024-54245
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 year, 5 months ago by @LeSuisse Activity log
  • Created suggestion 1 year, 5 months ago
  • @LeSuisse dismissed 1 year, 5 months ago
WordPress Clients plugin <= 1.1.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Clients allows Stored XSS.This issue affects Clients: from n/a through 1.1.4.

Affected products

clients
  • =<1.1.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-45770
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 year, 5 months ago by @LeSuisse Activity log
  • Created suggestion 1 year, 5 months ago
  • @LeSuisse dismissed 1 year, 5 months ago
Pcp: pmpost symlink attack allows escalating pcp to root user

A vulnerability was found in Performance Co-Pilot (PCP). This flaw can only be exploited if an attacker has access to a compromised PCP system account. The issue is related to the pmpost tool, which is used to log messages in the system. Under certain conditions, it runs with high-level privileges.

References

Affected products

pcp
  • *

Matching in nixpkgs

pkgs.pcp

Command line peer-to-peer data transfer tool based on libp2p

pkgs.ncmpcpp

Featureful ncurses based MPD client inspired by ncmpc

  • nixos-unstable 0.10
    • nixpkgs-unstable 0.10
    • nixos-unstable-small 0.10

pkgs.libamqpcpp

Library for communicating with a RabbitMQ server

Package maintainers

Permalink CVE-2024-45769
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 year, 5 months ago by @LeSuisse Activity log
  • Created suggestion 1 year, 5 months ago
  • @LeSuisse dismissed 1 year, 5 months ago
Pcp: pmcd heap corruption through metric pmstore operations

A vulnerability was found in Performance Co-Pilot (PCP).  This flaw allows an attacker to send specially crafted data to the system, which could cause the program to misbehave or crash.

References

Affected products

pcp
  • *

Matching in nixpkgs

pkgs.pcp

Command line peer-to-peer data transfer tool based on libp2p

pkgs.ncmpcpp

Featureful ncurses based MPD client inspired by ncmpc

  • nixos-unstable 0.10
    • nixpkgs-unstable 0.10
    • nixos-unstable-small 0.10

pkgs.libamqpcpp

Library for communicating with a RabbitMQ server

Package maintainers

Permalink CVE-2024-7259
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 year, 5 months ago by @LeSuisse Activity log
  • Created suggestion 1 year, 5 months ago
  • @LeSuisse dismissed 1 year, 5 months ago
Ovirt-engine: potential exposure of cleartext provider passwords via web ui

A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.

References

Affected products

ovirt-engine
  • <4.5.7

Matching in nixpkgs

Permalink CVE-2024-5154
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 year, 5 months ago by @LeSuisse Activity log
  • Created suggestion 1 year, 5 months ago
  • @fricklerhandwerk accepted 1 year, 5 months ago
  • @fricklerhandwerk marked as untriaged 1 year, 5 months ago
  • @fricklerhandwerk accepted 1 year, 5 months ago
  • @LeSuisse dismissed 1 year, 5 months ago
Cri-o: malicious container can create symlink on host

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

References

Affected products

cri-o
  • <1.29.5
  • *
  • <1.28.7
  • <1.30.1
rhcos
  • *
conman
conmon
kernel
  • *
openshift
  • *
container-tools:rhel8/podman

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers

Permalink CVE-2024-8418
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 year, 5 months ago by @LeSuisse Activity log
  • Created suggestion 1 year, 5 months ago
  • @LeSuisse accepted 1 year, 5 months ago
  • @LeSuisse dismissed 1 year, 5 months ago
Containers/aardvark-dns: tcp query handling flaw in aardvark-dns leading to denial of service

A flaw was found in Aardvark-dns, which is vulnerable to a Denial of Service attack due to the serial processing of TCP DNS queries. An attacker can exploit this flaw by keeping a TCP connection open indefinitely, causing the server to become unresponsive and resulting in other DNS queries timing out. This issue prevents legitimate users from accessing DNS services, thereby disrupting normal operations and causing service downtime.

Affected products

rhcos
aardvark-dns
  • *
containers-common
containers/aardvark-dns
  • ==1.12.1
  • ==1.12.0
container-tools:rhel8/aardvark-dns
container-tools:rhel8/containers-common

Matching in nixpkgs

Package maintainers