Nixpkgs security tracker


Automatically generated suggestions

created 2 months, 1 week ago Activity log
  • Created suggestion
Nebula Has Possible Blocklist Bypass via ECDSA Signature Malleability

Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3.

Affected products

nebula
  • >= 1.7.0, < 1.10.3

Matching in nixpkgs

pkgs.nebula

Overlay networking tool with a focus on performance, simplicity and security

pkgs.nebula-sans

Versatile, modern, humanist sans-serif with a neutral aesthetic, designed for legibility in both digital and print applications

CVE-2020-37140
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 1 week ago Activity log
  • Created suggestion
Everest 5.50.2100 - 'Open File' Denial of Service

Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated characters and paste it into the file open dialog to trigger an application crash.

Affected products

Everest
  • ==5.50.2100

Matching in nixpkgs

pkgs.everest

Celeste mod loader (don't install; use celestegame instead)

  • nixos-unstable -
    • nixpkgs-unstable 6129
    • nixos-unstable-small 6157
  • nixos-25.11 5986
    • nixpkgs-25.11-darwin 5986

pkgs.everest-bin

Celeste mod loader (don't install; use celestegame instead)

  • nixos-unstable -
    • nixpkgs-unstable 6129
    • nixos-unstable-small 6157
  • nixos-25.11 5986
    • nixpkgs-25.11-darwin 5986

pkgs.everest-mons

Commandline Everest installer and mod manager for Celeste

CVE-2024-28243
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 2 months, 1 week ago Activity log
  • Created suggestion
KaTeX's maxExpand bypassed by \edef

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Affected products

KaTeX
  • >= v0.10.0-beta, < 0.16.10
  • >= 0.12.0, < 0.16.10

Matching in nixpkgs

pkgs.mdbook-katex

Preprocessor for mdbook, rendering LaTeX equations to HTML at build time

CVE-2025-15289
3.1 LOW
  • CVSS version: 3.1
created 2 months, 1 week ago Activity log
  • Created suggestion
Tanium addressed an improper access controls vulnerability in Interact.

Tanium addressed an improper access controls vulnerability in Interact.

Affected products

Interact
  • <3.2.185
  • <3.5.90
  • <3.1.337

Matching in nixpkgs

pkgs.interactsh

Out of bounds interaction gathering server and client library

pkgs.bashInteractive

GNU Bourne-Again Shell, the de facto standard shell on Linux (for interactive use)

pkgs.bashInteractiveFHS

GNU Bourne-Again Shell, the de facto standard shell on Linux (for interactive use)

CVE-2025-15324
6.6 MEDIUM
  • CVSS version: 3.1
created 2 months, 1 week ago Activity log
  • Created suggestion
Tanium addressed a local privilege escalation vulnerability in Engage.

Tanium addressed a documentation issue in Engage.

Affected products

Engage
  • <1.3.37
  • <1.6.193

Matching in nixpkgs

pkgs.engage

Task runner with DAG-based parallelism

CVE-2025-15327
4.3 MEDIUM
  • CVSS version: 3.1
created 2 months, 1 week ago Activity log
  • Created suggestion
Tanium addressed an improper access controls vulnerability in Deploy.

Tanium addressed an improper access controls vulnerability in Deploy.

Affected products

Deploy
  • <2.26.1253
  • <2.30.150

Matching in nixpkgs

pkgs.deployer

PHP deployment tool with support for popular frameworks out of the box

pkgs.ios-deploy

Install and debug iPhone apps from the command line, without using Xcode

pkgs.nix-deploy

Deploy Nix-built software to a NixOS machine

CVE-2025-15328
5.0 MEDIUM
  • CVSS version: 3.1
created 2 months, 1 week ago Activity log
  • Created suggestion
Tanium addressed an improper link resolution before file access vulnerability in Enforce.

Tanium addressed an improper link resolution before file access vulnerability in Enforce.

Affected products

Enforce
  • <2.8.544
  • <2.7.314

Matching in nixpkgs

CVE-2025-15330
8.8 HIGH
  • CVSS version: 3.1
created 2 months, 1 week ago Activity log
  • Created suggestion
Tanium addressed an improper input validation vulnerability in Deploy.

Tanium addressed an improper input validation vulnerability in Deploy.

Affected products

Deploy
  • <2.26.1279
  • <2.30.175

Matching in nixpkgs

pkgs.deployer

PHP deployment tool with support for popular frameworks out of the box

pkgs.ios-deploy

Install and debug iPhone apps from the command line, without using Xcode

pkgs.nix-deploy

Deploy Nix-built software to a NixOS machine

CVE-2025-15336
6.5 MEDIUM
  • CVSS version: 3.1
created 2 months, 1 week ago Activity log
  • Created suggestion
Tanium addressed an incorrect default permissions vulnerability in Performance.

Tanium addressed an incorrect default permissions vulnerability in Performance.

Affected products

Performance
  • <1.17.134
  • <1.21.141
  • <1.22.288

Matching in nixpkgs

pkgs.portfolio

Simple tool to calculate the overall performance of an investment portfolio

CVE-2025-15340
6.5 MEDIUM
  • CVSS version: 3.1
created 2 months, 1 week ago Activity log
  • Created suggestion
Tanium addressed an incorrect default permissions vulnerability in Comply.

Tanium addressed an incorrect default permissions vulnerability in Comply.

Affected products

Comply
  • <2.24.159
  • <2.29.124
  • <2.32.155

Matching in nixpkgs
