Nixpkgs security tracker

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

Each suggestion offers two actions: one slates the suggestion for refinement, the other marks it as irrelevant and logs the reason.

created 2 months ago Activity log
  • Created suggestion

It was discovered that IcedTea-Web used the codebase attribute of the <applet> tag on the HTML page that hosts the Java applet in its Same Origin Policy (SOP) checks. Because the specified codebase does not have to match the applet's actual origin, a malicious site could bypass the SOP via a spoofed codebase value.

References

Affected products

Icedtea-web
  • ==Unknown

Matching in nixpkgs

created 2 months ago Activity log
  • Created suggestion

The QEMU block driver for Hyper-V VHDX images, in QEMU before 2.0, is vulnerable to infinite loops and other potential issues when calculating BAT entries, because of missing bounds checks on the block_size and logical_sector_size variables, which are used to derive other fields such as sectors_per_block. A user able to alter the QEMU disk image could use this flaw to crash the QEMU instance, resulting in a denial of service.

Affected products

Qemu
  • ==before 2.0

Matching in nixpkgs

pkgs.qemu

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

Package maintainers

CVE-2026-26281
4.4 MEDIUM
  • CVSS version: 3.1
  • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months ago Activity log
  • Created suggestion
InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.

Affected products

InvoicePlane
  • === 1.7.0

Matching in nixpkgs

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

Package maintainers

created 2 months ago Activity log
  • Created suggestion

Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (memory consumption) via a large number of ASN.1 object identifiers in X.509 certificates.

Affected products

LibreSSL
  • ==before 2.3.1

Matching in nixpkgs

pkgs.netcat

Utility which reads and writes data across network connections — LibreSSL implementation

Package maintainers

created 2 months ago Activity log
  • Created suggestion

An access control issue in MantisBT before 1.2.13 allows users with "Reporter" permissions to change any issue to "New".

References

Affected products

mantis
  • ==1.2.13

Matching in nixpkgs

CVE-2026-25594
4.8 MEDIUM
  • CVSS version: 3.1
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months ago Activity log
  • Created suggestion
InvoicePlane has Stored XSS via Family Name in Product Form

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.

Affected products

InvoicePlane
  • ==<= 1.7.0

Matching in nixpkgs

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

Package maintainers

created 2 months ago Activity log
  • Created suggestion

libbluray MountManager class has a time-of-check time-of-use (TOCTOU) race when expanding JAR files

Affected products

libbluray
  • ==1

Matching in nixpkgs

pkgs.libbluray

Library to access Blu-Ray disks for video playback

Package maintainers

created 2 months ago Activity log
  • Created suggestion

chrony before 1.31.1 does not properly protect state variables in authenticated symmetric NTP associations, which allows remote attackers with knowledge of NTP peering to cause a denial of service (inability to synchronize) via random timestamps in crafted NTP data packets.

References

Affected products

chrony
  • ==before 1.31.1

Matching in nixpkgs

pkgs.chrony

Sets your computer's clock from time servers on the Net

  • nixos-unstable 4.8
    • nixpkgs-unstable 4.8
    • nixos-unstable-small 4.8
  • nixos-25.11 4.8
    • nixos-25.11-small 4.8
    • nixpkgs-25.11-darwin 4.8

pkgs.synchrony

Simple deobfuscator for mangled or obfuscated JavaScript files

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Simple Machines Forum (SMF) through 2.0.5 has XSS


Affected products

SMF
  • ==through 2.0.5

Matching in nixpkgs

pkgs.smfh

Sleek Manifest File Handler

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.4
    • nixpkgs-25.11-darwin 1.3

pkgs.libsmf

C library for reading and writing Standard MIDI Files

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3
  • nixos-25.11 1.3
    • nixos-25.11-small 1.3
    • nixpkgs-25.11-darwin 1.3

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Chrony before 1.29.1 has traffic amplification in cmdmon protocol


Affected products

Chrony
  • ==Fixed in 1.29.1

Matching in nixpkgs

pkgs.chrony

Sets your computer's clock from time servers on the Net

  • nixos-unstable 4.8
    • nixpkgs-unstable 4.8
    • nixos-unstable-small 4.8
  • nixos-25.11 4.8
    • nixos-25.11-small 4.8
    • nixpkgs-25.11-darwin 4.8

pkgs.synchrony

Simple deobfuscator for mangled or obfuscated JavaScript files

Package maintainers
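The "Matching in nixpkgs" sections above pair an advisory's affected-version string with a package's channel versions, and name matching alone produces candidates such as pkgs.synchrony for chrony, pkgs.smfh and pkgs.libsmf for SMF, and pkgs.netcat for LibreSSL. The Python below is an added example, not the tracker's own matching code: it turns the range strings shown on this page ("before 1.31.1", "<= 1.7.0", "through 2.0.5", "Fixed in 1.29.1", a bare version) into a predicate, evaluates it against channel versions, and classifies how a product name relates to a package attribute. The range semantics (a bare version such as "1" treated as a prefix covering every 1.x release; versions compared numerically with non-numeric suffixes dropped) are this example's assumptions, and the channel data in the demo is copied from the page.

```python
"""Version-range and name triage for tracker matches (added example, not
the tracker's code). Assumed semantics are noted inline."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.31.1' -> (1, 31, 1). Assumption: non-numeric parts are ignored."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError("no version number in " + repr(text))
    return tuple(int(n) for n in nums)


def cmp(a: Version, b: Version) -> int:
    """Compare component-wise, padding with zeros so 1.3 == 1.3.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_range(spec: str) -> Optional[Callable[[Version], bool]]:
    """Return a predicate 'is this version affected?', or None when the
    spec carries no usable bound (shown as 'Unknown' on the page)."""
    s = spec.strip().lstrip("=").strip().lower()   # page prefixes ranges with '=='
    m = re.match(r"^(?:through|<=)\s*(\S+)$", s)
    if m:
        bound = parse_version(m.group(1))
        return lambda v: cmp(v, bound) <= 0
    m = re.match(r"^(?:before|fixed in|<)\s*(\S+)$", s)
    if m:
        bound = parse_version(m.group(1))
        return lambda v: cmp(v, bound) < 0
    m = re.match(r"^(\d[\d.]*)$", s)
    if m:
        bound = parse_version(m.group(1))
        # Assumption: a bare version is a prefix, so '1' covers every 1.x release.
        return lambda v: v[:len(bound)] == bound
    return None


def triage(spec: str, channels: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate a range spec against {channel: version} and report which
    channels ship an affected version."""
    pred = parse_range(spec)
    if pred is None:
        return "needs-manual-review", []
    hit = [ch for ch, ver in channels.items() if pred(parse_version(ver))]
    return ("affected" if hit else "not-affected"), hit


def name_match(product: str, attr: str) -> str:
    """Classify how a CVE product name relates to a nixpkgs attribute.
    'exact' is strong evidence; 'substring' (chrony inside synchrony,
    smf inside libsmf) is usually a false positive worth rejecting."""
    p, a = product.lower(), attr.lower()
    if a.startswith("pkgs."):
        a = a[len("pkgs."):]
    if p == a:
        return "exact"
    if re.search(r"(^|[^a-z0-9])" + re.escape(p) + r"([^a-z0-9]|$)", a):
        return "token"
    if p in a:
        return "substring"
    return "none"


if __name__ == "__main__":
    # Channel versions copied from this page's pkgs.chrony listing.
    chrony = {"nixos-unstable": "4.8", "nixpkgs-unstable": "4.8",
              "nixos-unstable-small": "4.8", "nixos-25.11": "4.8",
              "nixos-25.11-small": "4.8", "nixpkgs-25.11-darwin": "4.8"}
    for attr in ("pkgs.chrony", "pkgs.synchrony"):
        print(attr, name_match("chrony", attr), triage("==before 1.31.1", chrony))
```

Running the demo shows the two chrony suggestions resolve to "not-affected" on every channel (4.8 is far past 1.31.1 and 1.29.1), and that pkgs.synchrony is only a substring hit; a reviewer can mark both irrelevant with the version comparison as the logged reason.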