Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-32446
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.

Affected products

wpforms-lite
  • =<<= 1.9.9.3

Matching in nixpkgs

Permalink CVE-2025-12453
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
Improper neutralization of input during web page generation vulnerability has been discovered in OpenText™ Vertica.

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ Vertica allows Reflected XSS.  The vulnerability could lead to Reflected XSS attack of cross-site scripting in Vertica management console application.This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X, from 25.1.0 through 25.1.X, from 25.2.0 through 25.2.X, from 25.3.0 through 25.3.X.

Affected products

Vertica
  • =<25.1.x
  • =<25.3.x
  • =<23.x
  • =<11.x
  • =<25.2.x
  • =<10.x
  • =<12.x
  • =<24.x

Matching in nixpkgs

pkgs.gnomeExtensions.vertical-workspaces

V-Shell is designed to enhance and customize the user experience by providing flexible workspace orientations and a variety of interface adjustments, including application grid customization and productivity improvements.

  • nixos-unstable 108
    • nixpkgs-unstable 108
    • nixos-unstable-small 108
  • nixos-25.11 100
    • nixos-25.11-small 100
    • nixpkgs-25.11-darwin 100

Package maintainers

Permalink CVE-2026-3082
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability

GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

pkgs.ocamlPackages.gstreamer

Bindings for the GStreamer library which provides functions for playning and manipulating multimedia streams

Package maintainers

Permalink CVE-2026-29776
3.1 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
FreeRDP has an Integer Underflow in update_read_cache_bitmap_order Function of FreeRDP's Core Library

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0.

Affected products

FreeRDP
  • ==< 3.24.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-32388
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
WordPress GLB theme <= 1.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in linethemes GLB glb allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GLB: from n/a through <= 1.2.2.

Affected products

glb
  • =<<= 1.2.2

Matching in nixpkgs

pkgs.glbinding

C++ binding for the OpenGL API, generated using the gl.xml specification

Package maintainers

Permalink CVE-2026-32376
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
WordPress Kalon theme <= 1.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in raratheme Kalon kalon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kalon: from n/a through <= 1.2.9.

Affected products

kalon
  • =<<= 1.2.9

Matching in nixpkgs

pkgs.askalono

Tool to detect open source licenses from texts

Package maintainers

Permalink CVE-2026-3084
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability

GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of picture partitions. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28910.

References

Affected products

GStreamer
  • ==1c6e163aa33962f5ee4a87d29319ccdd5cb67612

Matching in nixpkgs

pkgs.ocamlPackages.gstreamer

Bindings for the GStreamer library which provides functions for playning and manipulating multimedia streams

Package maintainers

Permalink CVE-2026-32720
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
Improper Access Control in github.com/ctfer-io/monitoring

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). Prior to 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This vulnerability is fixed in 0.2.1.

Affected products

monitoring
  • ==< 0.2.1

Matching in nixpkgs

pkgs.perlPackages.MonitoringPlugin

A family of perl modules to streamline writing Naemon, Nagios, Icinga or Shinken (and compatible) plugins

  • nixos-unstable 0.40
    • nixpkgs-unstable 0.40
    • nixos-unstable-small 0.40
  • nixos-25.11 0.40
    • nixos-25.11-small 0.40
    • nixpkgs-25.11-darwin 0.40

pkgs.perl5Packages.MonitoringPlugin

A family of perl modules to streamline writing Naemon, Nagios, Icinga or Shinken (and compatible) plugins

  • nixos-unstable 0.40
    • nixpkgs-unstable 0.40
    • nixos-unstable-small 0.40

Package maintainers

Permalink CVE-2026-31897
0.0 NONE
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
FreeRDP has an out-of-bounds read in `freerdp_bitmap_decompress_planar`

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.

Affected products

FreeRDP
  • ==< 3.24.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-32415
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
WordPress Squeeze plugin <= 1.7.7 - Directory Traversal vulnerability

Path Traversal: '.../...//' vulnerability in Bogdan Bendziukov Squeeze squeeze allows Path Traversal.This issue affects Squeeze: from n/a through <= 1.7.7.

Affected products

squeeze
  • =<<= 1.7.7

Matching in nixpkgs

Package maintainers