Nixpkgs security tracker


Automatically generated suggestions

created 2 months ago Activity log
  • Created suggestion
Mozilla Firefox through 1.5.0.3 has a vulnerability in processing the content-length header

References

Affected products

Firefox
  • ==1.5.0.3 and earlier

Matching in nixpkgs

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivatives

pkgs.firefox-sync-client

Command-line utility to list/view/edit/delete entries in a firefox-sync account.

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 5
    • nixpkgs-unstable 5
    • nixos-unstable-small 5
  • nixos-25.11 5
    • nixos-25.11-small 5
    • nixpkgs-25.11-darwin 5

Package maintainers

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors.

Affected products

MediaWiki
  • ==1.19.x before 1.19.2
  • ==before 1.18.5

Matching in nixpkgs

Package maintainers

CVE-2004-2154
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.

References

Affected products

n/a
  • ==n/a
cups
  • <1.1.21
ubuntu_linux
  • ==4.10

Matching in nixpkgs

pkgs.cups-filters

Backends, filters, and other software that was once part of the core CUPS distribution but is no longer maintained by Apple Inc

pkgs.cups-kyocera

CUPS drivers for several Kyocera FS-{1020,1025,1040,1060,1120,1125} printers

pkgs.cups-pk-helper

PolicyKit helper to configure cups with fine-grained privileges

pkgs.libcupsfilters

Backends, filters, and other software that was once part of the core CUPS distribution but is no longer maintained by Apple Inc

pkgs.cups-idprt-tspl

CUPS drivers for TSPL-based iDPRT thermal label printers (SP210, SP310, SP320, SP320E, SP410, SP410BT, SP420, SP450, SP460BT)

pkgs.cups-idprt-barcode

CUPS drivers for iDPRT barcode printers (iD2P, iD2X, iD4P, iD4S, iE2P, iE2X, iE4P, iE4S, iT4B, iT4E, iT4P, iT4S, iT4X, iX4E, iX4L, iX4P, iX4E, iX6P)

pkgs.cups-toshiba-estudio

Printer only driver for the Toshiba e-STUDIO class of printers

  • nixos-unstable 7.89
    • nixpkgs-unstable 7.89
    • nixos-unstable-small 7.89
  • nixos-25.11 7.89
    • nixos-25.11-small 7.89
    • nixpkgs-25.11-darwin 7.89

Package maintainers

CVE-2025-14350
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
Information disclosure via channel mentions in posts

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563

References

Affected products

Mattermost
  • ==11.3.0
  • ==11.1.3
  • <=11.1.2
  • ==10.11.10
  • <=10.11.9
  • ==11.2.2
  • <=11.2.1

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

CVE-2025-13821
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
User profile update exposes password hash and MFA secrets

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

References

Affected products

Mattermost
  • <=11.2.1
  • ==11.3.0
  • <=11.1.2
  • ==11.1.3
  • ==11.2.2
  • ==10.11.10
  • <=10.11.9

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.

Affected products

clamav
  • ==0.91.2

Matching in nixpkgs

pkgs.clamav

Antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats

Package maintainers

CVE-2025-14573
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
Team Admin Bypass of Invite Permissions via allow_open_invite Field

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

References

Affected products

Mattermost
  • ==11.3.0
  • ==10.11.10
  • <=10.11.9

Matching in nixpkgs

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

CVE-2003-0063
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

References

Affected products

n/a
  • ==n/a
xfree86
  • <=4.2.0

Matching in nixpkgs

CVE-1999-0052
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.

References

Affected products

n/a
  • ==n/a
bsd_os
  • ==4.0
freebsd
  • ==2.2.8
  • ==2.1.5
  • ==2.1.0
  • ==2.1.7.1
  • ==2.0
  • ==2.1.6
  • ==2.0.5
  • ==2.2.2
  • ==1.1.5.1
openbsd
  • ==2.2
  • ==2.4
  • ==2.3

Matching in nixpkgs

Package maintainers

CVE-1999-0029
8.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
root privileges via buffer overflow in ordist command on SGI IRIX systems.

Affected products

n/a
  • ==n/a
irix
  • *

Matching in nixpkgs