Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(no matching packages found)
Permalink CVE-2026-15516
2.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
MacCMS Pro Installation Index.php step5 authorization

A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. Upgrading to version 2022.1000.3025 is recommended to address this issue. Upgrading the affected component is recommended.

Affected products

MacCMS Pro
  • ==2022.1000.3005
  • ==2022.1000.3025
Dismissed
(no matching packages found)
Permalink CVE-2026-22099
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Missing authentication for Bluetooth communication

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.

References

Affected products

DC-80
  • <1.5.4
Dismissed
(no matching packages found)
Permalink CVE-2026-57413
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
WordPress Instant Image Generator plugin <= 2.1.4 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in bdthemes Instant Image Generator ai-image allows Server Side Request Forgery.This issue affects Instant Image Generator: from n/a through <= 2.1.4.

Affected products

ai-image
  • =<2.1.4
Dismissed
(no matching packages found)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record

Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record. retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK record and calls av_extend with that count plus one. A count of I32_MAX wraps the addition to a negative value. A crafted blob passed to thaw or retrieve triggers the overflow; av_extend receives the negative count and dies with a panic, terminating the deserialization.

Affected products

Storable
  • <3.41
Dismissed
(no matching packages found)
Permalink CVE-2026-15524
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
alioshr memory-bank-mcp list-project-files-validation-factory.ts path traversal

A security vulnerability has been detected in alioshr memory-bank-mcp up to 0.2.1/3.1. This affects an unknown part of the file list-project-files-validation-factory.ts. Such manipulation of the argument projectName leads to path traversal. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

memory-bank-mcp
  • ==3.1
  • ==3.0
  • ==0.2.0
  • ==0.2.1
Dismissed
(no matching packages found)
Permalink CVE-2026-57803
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
WordPress Struktur Core plugin <= 2.5.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a through <= 2.5.1.

Affected products

struktur-core
  • =<2.5.1
Dismissed
(no matching packages found)
Permalink CVE-2026-62239
5.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
FlashAttention Symlink Attack via tarfile.extractall in hopper/setup.py

FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the download_and_copy() function within hopper/setup.py that extracts NVIDIA toolchain archives without validating symlinks or filtering tar members. A local attacker can pre-plant a symlink in the predictable cache directory to redirect extracted binaries to an attacker-chosen location, enabling arbitrary file write with victim privileges during build time.

References

Affected products

flash-attention
  • ==0816ef12f424c6ec94b057a72c275b14f6e6edb2
  • =<2.8.3.post1
Dismissed
(no matching packages found)
Permalink CVE-2026-15470
2.1 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Eleveo Call Recording Software group.jsp improper authorization

A vulnerability has been found in Eleveo Call Recording Software 9.7.0. Affected by this issue is some unknown functionality of the file /callrec/group.jsp. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

Call Recording Software
  • ==9.7.0
Dismissed
(no matching packages found)
Permalink CVE-2026-57695
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
WordPress Document Gallery plugin <= 5.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through <= 5.1.0.

Affected products

document-gallery
  • =<5.1.0
Dismissed
(no matching packages found)
Permalink CVE-2026-57377
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 day, 5 hours ago Activity log
  • Created & dismissed (no matching packages found) suggestion
WordPress WowAddons plugin <= 1.6.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPXPO WowAddons product-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowAddons: from n/a through <= 1.6.8.

Affected products

product-addons
  • =<1.6.8