Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2015-1780
created 2 months ago Activity log
  • Created suggestion 2 months ago
oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain …

oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center

References

Affected products

oVirt
  • ==through 2015-03-06

Matching in nixpkgs

pkgs.libgovirt

GObject wrapper for the oVirt REST API

Permalink CVE-2013-1820
created 2 months ago Activity log
  • Created suggestion 2 months ago
tuned before 2.x allows local users to kill running processes …

tuned before 2.x allows local users to kill running processes due to insecure permissions with tuned's ktune service.

Affected products

tuned
  • ==2.10.0-1

Matching in nixpkgs

Package maintainers

Permalink CVE-2014-8140
created 2 months ago Activity log
  • Created suggestion 2 months ago
Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip …

Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.

References

Affected products

UnZip
  • ==6.0 and earlier

Matching in nixpkgs

pkgs.unzip

Extraction utility for archives compressed in .zip format

  • nixos-unstable 6.0
    • nixpkgs-unstable 6.0
    • nixos-unstable-small 6.0
  • nixos-25.11 6.0
    • nixos-25.11-small 6.0
    • nixpkgs-25.11-darwin 6.0

pkgs.runzip

Tool to convert filename encoding inside a ZIP archive

  • nixos-unstable 1.4
    • nixpkgs-unstable 1.4
    • nixos-unstable-small 1.4
  • nixos-25.11 1.4
    • nixos-25.11-small 1.4
    • nixpkgs-25.11-darwin 1.4

pkgs.unzipNLS

Extraction utility for archives compressed in .zip format

  • nixos-unstable 6.0
    • nixpkgs-unstable 6.0
    • nixos-unstable-small 6.0
  • nixos-25.11 6.0
    • nixos-25.11-small 6.0
    • nixpkgs-25.11-darwin 6.0

Package maintainers

Permalink CVE-2026-2650
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months ago Activity log
  • Created suggestion 2 months ago
Heap buffer overflow in Media in Google Chrome prior to …

Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Affected products

Chrome
  • <145.0.7632.109

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2013-2106
created 2 months ago Activity log
  • Created suggestion 2 months ago
webauth before 4.6.1 has authentication credential disclosure

webauth before 4.6.1 has authentication credential disclosure

Affected products

webauth
  • ==4.4.1 up to 4.5.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2014-8128
created 2 months ago Activity log
  • Created suggestion 2 months ago
LibTIFF prior to 4.0.4, as used in Apple iOS before …

LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.

Affected products

LibTIFF
  • ==prior to 4.0.4

Matching in nixpkgs

pkgs.libtiff

Library and utilities for working with the TIFF image file format

Package maintainers

Permalink CVE-2026-0665
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months ago Activity log
  • Created suggestion 2 months ago
Qemu-kvm: heap off-by-one in kvm xen physdevop_map_pirq

An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.

References

Affected products

qemu
  • =<10.2.0
rhcos
qemu-kvm
qemu-kvm-ma
virt:rhel/qemu-kvm

Matching in nixpkgs

pkgs.qemu

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

Package maintainers

Permalink CVE-2013-1771
created 2 months ago Activity log
  • Created suggestion 2 months ago
The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on …

The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on gentoo.

Affected products

monkey
  • ==2

Matching in nixpkgs

pkgs.monkeysphere

Leverage the OpenPGP web of trust for SSH and TLS authentication

  • nixos-unstable 0.44
    • nixpkgs-unstable 0.44
    • nixos-unstable-small 0.44
  • nixos-25.11 0.44
    • nixos-25.11-small 0.44
    • nixpkgs-25.11-darwin 0.44

pkgs.gnomeExtensions.monkeybar

See your weekly Monkeytype typing activity in top bar

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-25.11 4
    • nixos-25.11-small 4
    • nixpkgs-25.11-darwin 4

pkgs.python312Packages.monkeyhex

Small library to assist users of the python shell who work in contexts where printed numbers are more usefully viewed in hexadecimal

Package maintainers

Permalink CVE-2026-2649
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months ago Activity log
  • Created suggestion 2 months ago
Integer overflow in V8 in Google Chrome prior to 145.0.7632.109 …

Integer overflow in V8 in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <145.0.7632.109

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-2648
created 2 months ago Activity log
  • Created suggestion 2 months ago
Heap buffer overflow in PDFium in Google Chrome prior to …

Heap buffer overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file. (Chromium security severity: High)

Affected products

Chrome
  • <145.0.7632.109

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups