Nixpkgs security tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2025-23987
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
WordPress Designer plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodegearThemes Designer allows DOM-Based XSS. This issue affects Designer: from n/a through 1.6.0.

Affected products

designer
  • =<1.6.0

Matching in nixpkgs

Package maintainers

CVE-2023-1786
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 year, 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
sensitive data exposure in cloud-init logs

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privileges.

Affected products

cloud-init
  • <23.1.2

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

  • nixos-unstable 24.2
    • nixpkgs-unstable 24.2
    • nixos-unstable-small 24.2

Package maintainers

CVE-2020-11936
3.1 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 year, 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
gdbus setgid privilege escalation

Affected products

apport
  • <2.20.11-0ubuntu27.6

Matching in nixpkgs

Package maintainers

CVE-2023-0092
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 year, 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
An authenticated user who has read access to the juju …

An authenticated user who has read access to the juju controller model may construct a remote request to download an arbitrary file from the controller's filesystem.

Affected products

juju
  • <3.0.3
  • <2.9.38

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

Package maintainers

CVE-2022-28653
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 year, 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
Users can consume unlimited disk space in /var/crash

Affected products

apport
  • <2.21.0

Matching in nixpkgs

Package maintainers

CVE-2025-23684
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 year, 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
WordPress Debug Tool plugin <= 2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.

Affected products

debug-tool
  • =<2.2

Matching in nixpkgs

Package maintainers

CVE-2025-23886
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 2 months ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon dismissed
WordPress Annie plugin <= 2.1.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Roberts Annie allows Stored XSS. This issue affects Annie: from n/a through 2.1.1.

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

Package maintainers

CVE-2025-23892
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 2 months ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon dismissed
WordPress Progress Tracker plugin <= 0.9.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through 0.9.3.

Affected products

progress-tracker
  • =<0.9.3

Matching in nixpkgs

Package maintainers

CVE-2022-45836
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 2 months ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted
  • @Erethon dismissed
  • @Erethon accepted
  • @Erethon dismissed
WordPress Download Manager Plugin <= 3.2.59 is vulnerable to Cross Site Scripting (XSS)

Unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in W3 Eden, Inc. Download Manager plugin versions <= 3.2.59.

Affected products

download-manager
  • =<3.2.59

Matching in nixpkgs

Package maintainers

CVE-2023-27456
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total: from n/a through 2.1.19.

Affected products

total
  • =<2.1.19

Matching in nixpkgs

pkgs.autotalent

Real-time pitch correction LADSPA plugin (no MIDI control)

  • nixos-unstable 0.2
    • nixpkgs-unstable 0.2
    • nixos-unstable-small 0.2

Package maintainers