Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2025-62036
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 4 months, 2 weeks ago
WordPress Togo theme < 1.0.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-62037
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 4 months, 2 weeks ago
WordPress Togo theme < 1.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-10622
8.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Foreman: os command injection via ct_location and fcct_location parameters

A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying operating system via insufficient server-side validation of command whitelisting.

References

Affected products

foreman
  • <3.16.1
  • *
satellite:el8/foreman

Matching in nixpkgs

pkgs.foreman

Process manager for applications with multiple components

Package maintainers

Permalink CVE-2023-4232
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Ofono: sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_status_report() function

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report().

Affected products

ofono
  • ==2.1

Matching in nixpkgs

pkgs.ofono

Infrastructure for building mobile telephony (GSM/UMTS) applications

  • nixos-unstable 2.17
    • nixpkgs-unstable 2.17
    • nixos-unstable-small 2.17
Permalink CVE-2023-4235
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Ofono: sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_deliver_report() function

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report().

Affected products

ofono
  • ==2.1

Matching in nixpkgs

pkgs.ofono

Infrastructure for building mobile telephony (GSM/UMTS) applications

  • nixos-unstable 2.17
    • nixpkgs-unstable 2.17
    • nixos-unstable-small 2.17
Permalink CVE-2023-43787
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Libx11: integer overflow in xcreateimage() leading to a heap overflow

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

References

Affected products

libX11
  • *
  • <1.8.7
  • ==1.8.7

Matching in nixpkgs

Permalink CVE-2023-4233
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Ofono: sms decoder stack-based buffer overflow remote code execution vulnerability within the sms_decode_address_field() function

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS.

Affected products

ofono
  • ==2.1
  • ==2.1

Matching in nixpkgs

pkgs.ofono

Infrastructure for building mobile telephony (GSM/UMTS) applications

  • nixos-unstable 2.17
    • nixpkgs-unstable 2.17
    • nixos-unstable-small 2.17
Permalink CVE-2023-43785
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 4 months, 2 weeks ago
Libx11: out-of-bounds memory access in _xkbreadkeysyms()

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.

References

Affected products

libX11
  • *
  • <1.8.7
  • ==1.8.7

Matching in nixpkgs

Permalink CVE-2023-4234
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Ofono: sms decoder stack-based buffer overflow remote code execution vulnerability within the decode_submit_report() function

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report().

Affected products

ofono
  • ==2.1
  • ==2.1

Matching in nixpkgs

pkgs.ofono

Infrastructure for building mobile telephony (GSM/UMTS) applications

  • nixos-unstable 2.17
    • nixpkgs-unstable 2.17
    • nixos-unstable-small 2.17
Permalink CVE-2023-5380
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Xorg-x11-server: use-after-free bug in destroywindow

A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.

Affected products

tigervnc
  • *
xorg-server
  • ==21.1.9
xorg-x11-server
  • *
xorg-x11-server-Xwayland

Matching in nixpkgs

pkgs.tigervnc

Fork of tightVNC, made in cooperation with VirtualGL