Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2015-7559
created 2 months ago Activity log
  • Created suggestion 2 months ago
It was found that the Apache ActiveMQ client before 5.14.5 …

It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

Affected products

ActiveMQ
  • ==5.15.5

Matching in nixpkgs

pkgs.activemq

Messaging and Integration Patterns server written in Java

Package maintainers

Permalink CVE-2015-2793
created 2 months ago Activity log
  • Created suggestion 2 months ago
Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 …

Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi.

Affected products

ikiwiki
  • ==before 3.20150329

Matching in nixpkgs

Package maintainers

Permalink CVE-2014-2370
created 2 months ago Activity log
  • Created suggestion 2 months ago
Cross-site scripting (XSS) vulnerability in the web application on Omron …

Cross-site scripting (XSS) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to inject arbitrary web script or HTML via crafted data.

Affected products

NS5
  • <8.68x
NS8
  • <8.68x
n/a
  • ==n/a
NS10
  • <8.68x
NS12
  • <8.68x
NS15
  • <8.68x

Matching in nixpkgs

Permalink CVE-2014-3591
created 2 months ago Activity log
  • Created suggestion 2 months ago
Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement …

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.

Affected products

GnuPG
  • ==before 1.4.19
Libgcrypt
  • ==before 1.6.3

Matching in nixpkgs

pkgs.gnupg

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

pkgs.gnupg1

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation with symbolic links for gpg and gpgv

pkgs.gnupg24

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

pkgs.pam_gnupg

Unlock GnuPG keys on login

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-25.11 0.4
    • nixos-25.11-small 0.4
    • nixpkgs-25.11-darwin 0.4

pkgs.gnupg1compat

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation with symbolic links for gpg and gpgv

Permalink CVE-2013-3246
created 2 months ago Activity log
  • Created suggestion 2 months ago
Stack-based buffer overflow in xnview.exe in XnView before 2.03 allows …

Stack-based buffer overflow in xnview.exe in XnView before 2.03 allows remote attackers to execute arbitrary code via a crafted image layer in an XCF file.

Affected products

XnView
  • ==before 2.03

Matching in nixpkgs

pkgs.xnviewmp

Efficient multimedia viewer, browser and converter

Package maintainers

Permalink CVE-2019-25355
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 2 months ago Activity log
  • Created suggestion 2 months ago
Genivia gSOAP 2.8 - 'gSOAP' Path Traversal

gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. Attackers can retrieve sensitive files like /etc/passwd by sending crafted GET requests with multiple '../' directory traversal sequences.

Affected products

gSOAP
  • ==2.8

Matching in nixpkgs

Package maintainers

Permalink CVE-2013-4572
created 2 months ago Activity log
  • Created suggestion 2 months ago
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, …

The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.

Affected products

MediaWiki
  • ==1.20.x before 1.20.8
  • ==1.21.x before 1.21.3
  • ==before 1.19.9

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2661
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months ago Activity log
  • Created suggestion 2 months ago
Squirrel sqobject.h operator heap-based overflow

A security flaw has been discovered in Squirrel up to 3.2. This affects the function SQObjectPtr::operator in the library squirrel/sqobject.h. The manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

Squirrel
  • ==3.1
  • ==3.2
  • ==3.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2014-1423
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 2 months ago Activity log
  • Created suggestion 2 months ago
Online Accounts Signon daemon gives out all oauth tokens to any app

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information.

Affected products

signon
  • <8.57+15.04.20141127.1-0ubuntu1

Matching in nixpkgs

pkgs.libsignon-glib

Library for managing single signon credentials which can be used from GLib applications

  • nixos-unstable 2.1
    • nixpkgs-unstable 2.1
    • nixos-unstable-small 2.1
  • nixos-25.11 2.1
    • nixos-25.11-small 2.1
    • nixpkgs-25.11-darwin 2.1

Package maintainers

Permalink CVE-2015-1809
created 2 months ago Activity log
  • Created suggestion 2 months ago
XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 …

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.

References

Affected products

Jenkins
  • ==before 1.600
Jenkins LTS
  • ==before 1.596.1

Matching in nixpkgs

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git