Nixpkgs security tracker


Automatically generated suggestions

CVE-2026-24744
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
created 2 months ago Activity log
  • Created suggestion
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

Affected products

InvoicePlane
  • === 1.7.0

Matching in nixpkgs

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the start …

Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the start and end time fields.

Affected products

SmokePing
  • ==2.6.9

Matching in nixpkgs

Package maintainers

created 2 months ago Activity log
  • Created suggestion
The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows …

The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.

Affected products

QEMU
  • ==before 1.7.2

Matching in nixpkgs

pkgs.qemu

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers …

Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.

Affected products

dolibarr
  • ==3.3.4-1

Matching in nixpkgs

pkgs.dolibarr

Enterprise resource planning (ERP) and customer relationship manager (CRM) server

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Cogent DataHub before 7.3.5 does not use a salt during …

Cogent DataHub before 7.3.5 does not use a salt during password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.

Affected products

n/a
  • ==n/a
DataHub
  • <7.3.5

Matching in nixpkgs

CVE-2026-2662
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 2 months ago Activity log
  • Created suggestion
FascinatedBox lily lily_emitter.c count_transforms out-of-bounds

A weakness has been identified in FascinatedBox lily up to 2.3. This vulnerability affects the function count_transforms of the file src/lily_emitter.c. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

lily
  • ==2.3
  • ==2.2
  • ==2.0
  • ==2.1

Matching in nixpkgs

pkgs.gnomeExtensions.lilypad

Organize, hide, and reorder top bar icons

  • nixos-unstable 15
    • nixpkgs-unstable 15
    • nixos-unstable-small 15
  • nixos-25.11 15
    • nixos-25.11-small 15
    • nixpkgs-25.11-darwin 15

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Cross-site request forgery (CSRF) vulnerability in the persona_xsrf_token function in …

Cross-site request forgery (CSRF) vulnerability in the persona_xsrf_token function in persona.module in the Mozilla Persona module 7.x-1.x before 7.x-1.11 for Drupal allows remote attackers to hijack the authentication of arbitrary users via a security token that is not a string data type.

Affected products

Persona
  • ==7.x-1.x versions prior to 7.x-1.11

Matching in nixpkgs

Package maintainers

CVE-2026-24743
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
created 2 months ago Activity log
  • Created suggestion
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

Affected products

InvoicePlane
  • === 1.7.0

Matching in nixpkgs

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

Package maintainers

created 2 months ago Activity log
  • Created suggestion
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x …

Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.

Affected products

MediaWiki
  • ==1.2x before 1.21.4
  • ==1.19.9 before 1.19.10
  • ==1.22.x before 1.22.1

Matching in nixpkgs

Package maintainers

created 2 months ago Activity log
  • Created suggestion
The Phonemes mode in Pwgen 2.06 generates predictable passwords, which …

The Phonemes mode in Pwgen 2.06 generates predictable passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

Affected products

Pwgen
  • ==2.06

Matching in nixpkgs

pkgs.pwgen

Password generator which creates passwords which can be easily memorized by a human

  • nixos-unstable 2.08
    • nixpkgs-unstable 2.08
    • nixos-unstable-small 2.08
  • nixos-25.11 2.08
    • nixos-25.11-small 2.08
    • nixpkgs-25.11-darwin 2.08

pkgs.pwgen-secure

Secure password generation library to replace pwgen

Package maintainers