Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ASoC: wm_adsp: Fix NULL dereference when removing firmware controls

In the Linux kernel, the following vulnerability has been resolved: ASoC: wm_adsp: Fix NULL dereference when removing firmware controls In wm_adsp_control_remove() check that the priv pointer is not NULL before attempting to cleanup what it points to. When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that wm_adsp can create its own private control data. There are two cases where private data is not created: 1. The control is a SYSTEM control, so an ALSA control is not created. 2. The codec driver has registered a control_add() callback that hides the control, so wm_adsp_control_add() is not called. When cs_dsp_remove destroys its control list it calls wm_adsp_control_remove() for each control. But wm_adsp_control_remove() was attempting to cleanup the private data pointed to by cs_ctl->priv without checking the pointer for NULL.

Affected products

Linux
  • =<*
  • <2f1be283aa777d655525d000d16474b7e7d015ea
  • <6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7
  • =<6.12.*
  • <5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3
  • <10def23b67b42679d5b1a356e1a6f3498bd188c3
  • =<6.1.*
  • =<6.6.*
  • <5.16
  • <12e579b889624ec54a201d98fdff975de556c731
  • <7d3fb78b550301e43fdc60312aed733069694426
  • =<6.18.*
  • =<7.0.*
  • ==5.16
Dismissed
(no matching packages found)
Permalink CVE-2026-54428
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

Affected products

org.apache.httpcomponents.core5:httpcore5-h2
  • =<5.5-beta1
  • =<5.4.2
Dismissed
(no matching packages found)
Permalink CVE-2026-20217
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
ClamAV PESpin File Format Processing Out-of-Bounds Memory Corruption Vulnerability

A vulnerability in the PESpin file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in PESpin files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PESpin content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Affected products

Cisco Secure Endpoint
  • ==1.15.1
  • ==1.24.1
  • ==1.21.3
  • ==1.20.2
  • ==8.1.7.21512
  • ==1.19.0
  • ==8.4.2.30317
  • ==7.5.21.21732
  • ==6.2.1
  • ==1.27.1
  • ==1.12.4
  • ==1.15.6
  • ==7.5.5
  • ==8.2.1.21612
  • ==1.7.0
  • ==7.4.3.20679
  • ==8.4.5.30483
  • ==1.16.1
  • ==7.5.7
  • ==1.12.7
  • ==7.4.1
  • ==1.12.5
  • ==8.0.1.21164
  • ==1.15.5
  • ==1.24.0
  • ==6.2.5
  • ==7.1.5
  • ==7.5.3
  • ==8.4.0
  • ==6.2.9
  • ==1.12.3
  • ==1.23.1
  • ==7.5.1.20813
  • ==1.16.3
  • ==1.21.2
  • ==8.4.1.30307
  • ==1.15.0
  • ==1.9.0
  • ==8.2.1.21650
  • ==1.18.0
  • ==1.12.2
  • ==1.23.0
  • ==6.3.3
  • ==1.20.8
  • ==7.5.11
  • ==8.2.3.30119
  • ==1.17.0
  • ==8.4.1.30298
  • ==1.15.3
  • ==7.3.13
  • ==1.20.0
  • ==6.3.7
  • ==8.4.4.30419
  • ==6.2.19
  • ==1.25.1
  • ==1.16.0
  • ==1.22.3
  • ==8.1.3.21242
  • ==1.26.0
  • ==1.27.0
  • ==7.3.15
  • ==1.16.2
  • ==8.2.4.30130
  • ==1.11.1
  • ==1.17.1
  • ==7.3.5
  • ==8.1.3
  • ==7.5.9
  • ==8.4.4.30467
  • ==1.24.3
  • ==1.10.1
  • ==7.2.5
  • ==1.14.1
  • ==1.12.0
  • ==1.9.1
  • ==1.18.1
  • ==7.2.13
  • ==1.20.5
  • ==7.5.13.21598
  • ==1.13.0
  • ==6.3.5
  • ==7.4.5
  • ==1.10.2
  • ==1.22.0
  • ==1.27.2
  • ==8.1.7
  • ==7.4.1.20425
  • ==1.11.0
  • ==1.20.6
  • ==6.1.9
  • ==1.14.0
  • ==7.5.17.21680
  • ==1.6.0
  • ==1.24.4
  • ==1.20.3
  • ==1.25.0
  • ==7.5.20
  • ==6.3.1
  • ==7.2.3
  • ==1.13.1
  • ==8.1.5.21322
  • ==1.25.2
  • ==7.5.13.21586
  • ==7.1.1
  • ==7.2.11
  • ==1.21.1
  • ==1.22.1
  • ==1.22.4
  • ==7.0.5
  • ==7.4.1.20439
  • ==1.17.2
  • ==7.2.7
  • ==1.12.1
  • ==7.4.3
  • ==6.1.7
  • ==1.15.2
  • ==1.20.4
  • ==1.8.4
  • ==7.3.3
  • ==1.12.6
  • ==7.3.9
  • ==7.3.1
  • ==6.2.3
  • ==8.0.1.21160
  • ==6.0.7
  • ==1.21.0
  • ==1.20.7
  • ==6.0.9
  • ==1.15.4
  • ==1.13.2
  • ==1.20.1
  • ==8.1.7.21417
  • ==1.26.1
  • ==8.1.7.21585
  • ==6.1.5
  • ==1.22.2
  • ==1.10.0
  • ==1.8.0
  • ==1.8.1
  • ==7.5.19
  • ==7.5.1.20833
  • ==7.5.15.21611
  • ==8.1.5
  • ==1.24.5
  • ==8.4.3
  • ==1.24.2
Dismissed
(no matching packages found)
Permalink CVE-2026-11981
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
GiveWP <= 4.15.3 - Cross-Site Request Forgery

The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected products

GiveWP – Donation Plugin and Fundraising Platform
  • =<4.15.3
Dismissed
(no matching packages found)
Permalink CVE-2026-10750
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

References

Affected products

Royal MCP
  • <1.4.26
Dismissed
(no matching packages found)
Permalink CVE-2026-1239
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Ninja Forms <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via token/refresh REST Endpoint

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

Affected products

Ninja Forms – The Contact Form Builder That Grows With You
  • =<3.14.1
Dismissed
(no matching packages found)
Permalink CVE-2025-23350
9.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
NVIDIA ConnectX and BlueField contain a vulnerability in the command …

NVIDIA ConnectX and BlueField contain a vulnerability in the command interface where a local user with virtual function (VF) access may cause a write out of bounds by crafted input. A successful exploit of this vulnerability may lead to arbitrary code execution on the device.

Affected products

ConnectX GA
  • ==All versions prior to 46.3008
BlueField GA
  • ==All versions prior to 46.3008
ConnectX LTS22
  • ==All versions prior to 35.8002
ConnectX LTS23
  • ==All versions prior to 39.8002
ConnectX LTS24
  • ==All versions prior to 43.8002
BlueField LTS22
  • ==All versions prior to 35.8002
BlueField LTS23
  • ==All versions prior to 39.8002
BlueField LTS24
  • ==All versions prior to 43.8002
Dismissed
(no matching packages found)
Permalink CVE-2026-57723
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.12 - CSRF to Arbitrary File Deletion vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.

Affected products

vikbooking
  • =<1.8.12
Dismissed
(no matching packages found)
Permalink CVE-2026-34103
9.3 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Guardian Language-System Unauthenticated SQL Injection via id Parameter in subtitles.php

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in subtitles.php (line 16): SELECT id, filename, extension, type FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.

Affected products

language-system
  • =<e42c395ec4b03fe62973a669c9209a673838b8a4
Dismissed
(no matching packages found)
Permalink CVE-2026-54756
6.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 2 weeks, 1 day ago Activity log
  • Created & dismissed (no matching packages found) suggestion
Jodit Editor: Prototype pollution via Jodit.configure() / ConfigMerge

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) — and the internal ConfigMerge / ConfigProto helpers — merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.

Affected products

jodit
  • ==< 4.12.18