Nixpkgs Security Tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.


updated 11 months, 2 weeks ago by @fpletz Activity log
  • Created automatic suggestion
  • @fpletz dismissed
pam_cap: Fix potential configuration parsing error

The configuration of the libcap PAM module pam_cap.so supports group names starting with “@”; during actual parsing, however, entries not starting with “@” are also incorrectly recognized as group names. This may result in unintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

Affected products

libcap
  • ==2.73;0

Matching in nixpkgs

pkgs.libcap

Library for working with POSIX capabilities

pkgs.libcap_ng

Library for working with POSIX capabilities

pkgs.libcaption

Free open-source CEA608 / CEA708 closed-caption encoder/decoder

Package maintainers

updated 11 months, 2 weeks ago by @fpletz Activity log
  • Created automatic suggestion
  • @fpletz dismissed
WordPress Simplified Plugin Plugin <= 1.0.6 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified allows Using Malicious Files. This issue affects Simplified: from n/a through 1.0.6.

Affected products

simplified
  • =<1.0.6

Matching in nixpkgs

pkgs.gnomeExtensions.net-speed-simplified

A Net Speed extension With Loads of Customization. Fork of simplenetspeed

  • nixos-unstable 43
    • nixpkgs-unstable 43
    • nixos-unstable-small 43

pkgs.haskellPackages.phonetic-languages-simplified-base

Basics of the phonetic-languages functionality that can be grouped

pkgs.haskellPackages.phonetic-languages-simplified-properties-array-common

Common functionality for 'with-tuples' and old version of properties

Package maintainers

updated 1 year ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
WordPress Designer plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodegearThemes Designer allows DOM-Based XSS. This issue affects Designer: from n/a through 1.6.0.

Affected products

designer
  • =<1.6.0

Matching in nixpkgs

Package maintainers

updated 1 year ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
sensitive data exposure in cloud-init logs

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

Affected products

cloud-init
  • <23.1.2

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

Package maintainers

updated 1 year ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
gdbus setgid privilege escalation

gdbus setgid privilege escalation

Affected products

apport
  • <2.20.11-0ubuntu27.6

Matching in nixpkgs

pkgs.haskellPackages.apportionment

Round a set of numbers while maintaining its sum

Package maintainers

updated 1 year ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
An authenticated user who has read access to the juju …

An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem.

Affected products

juju
  • <3.0.3
  • <2.9.38

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

Package maintainers

updated 1 year ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
Users can consume unlimited disk space in /var/crash

Users can consume unlimited disk space in /var/crash

Affected products

apport
  • <2.21.0

Matching in nixpkgs

pkgs.haskellPackages.apportionment

Round a set of numbers while maintaining its sum

Package maintainers

updated 1 year ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
WordPress Debug Tool plugin <= 2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.

Affected products

debug-tool
  • =<2.2

Matching in nixpkgs

pkgs.python311Packages.django-debug-toolbar

Configurable set of panels that display debug information about the current request/response

pkgs.python312Packages.django-debug-toolbar

Configurable set of panels that display debug information about the current request/response

pkgs.python311Packages.django-graphiql-debug-toolbar

Django Debug Toolbar for GraphiQL IDE

pkgs.python312Packages.django-graphiql-debug-toolbar

Django Debug Toolbar for GraphiQL IDE

Package maintainers

updated 1 year ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon dismissed
WordPress Annie plugin <= 2.1.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Roberts Annie allows Stored XSS. This issue affects Annie: from n/a through 2.1.1.

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

Package maintainers

updated 1 year ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon dismissed
WordPress Progress Tracker plugin <= 0.9.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through 0.9.3.

Affected products

progress-tracker
  • =<0.9.3

Matching in nixpkgs

pkgs.progress-tracker

Simple kanban-style task organiser

Package maintainers