Nixpkgs security tracker


Automatically generated suggestions

CVE-2023-23668
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 year, 3 months ago
WordPress GiveWP Plugin <= 2.25.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in GiveWP plugin <= 2.25.1 versions.

Affected products

give
  • =<2.25.1

Matching in nixpkgs

CVE-2024-56827
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 year, 3 months ago
Openjpeg: heap buffer overflow in lib/openjp2/j2k.c

A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.

Affected products

openjpeg
  • *
openjpeg2
  • *
gimp:flatpak/openjpeg2

Matching in nixpkgs

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

CVE-2024-7006
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 year, 3 months ago
Libtiff: null pointer dereference in tif_dirinfo.c

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

Affected products

libtiff
  • *
  • ==4.4.0
  • ==4.0.9

Matching in nixpkgs

pkgs.libtiff

Library and utilities for working with the TIFF image file format

CVE-2022-47161
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago
WordPress Health Check & Troubleshooting Plugin <= 1.5.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions.

Affected products

health-check
  • =<1.5.1

Matching in nixpkgs

CVE-2023-32550
9.3 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago
Landscape's Apache server-status is accessible by default

Landscape's server-status page exposed sensitive system information. This data leak included GET requests which contain information to attack and leak further information from the Landscape API.

Affected products

landscape
  • <19.10.05

Matching in nixpkgs

CVE-2023-32549
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 year, 3 months ago
Landscape insecure token generation

Landscape cryptographic keys were insecurely generated with a weak pseudo-random generator.

Affected products

landscape
  • <19.10.05

Matching in nixpkgs

CVE-2025-22511
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 year, 3 months ago
WordPress Slides & Presentations Plugin <= 0.0.39 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ella van Durpe Slides & Presentations allows Stored XSS. This issue affects Slides & Presentations: from n/a through 0.0.39.

Affected products

slide
  • =<0.0.39

Matching in nixpkgs

pkgs.slides

Terminal based presentation tool

pkgs.openslide

C library that provides a simple interface to read whole-slide images

pkgs.dvd-slideshow

Suite of command line programs that creates a slideshow-style video from groups of pictures

pkgs.gnomeExtensions.backslide

Automatic background-image (wallpaper) slideshow for Gnome Shell

  • nixos-unstable 33
    • nixpkgs-unstable 33
    • nixos-unstable-small 33

pkgs.gnomeExtensions.night-light-slider-updated

Kiyui's Night Light Slider updated for GNOME >= 45. Provides a slider in the quick settings menu to control the night light temperature. Some nice options can be set in the extension preferences menu. Original implementation: https://codeberg.org/kiyui/gnome-shell-night-light-slider-extension/

  • nixos-unstable 12
    • nixpkgs-unstable 12
    • nixos-unstable-small 12

CVE-2023-32551
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago
Landscape Open Redirect

Landscape allowed URLs which caused open redirection.

Affected products

landscape
  • <19.10.05

Matching in nixpkgs

CVE-2025-22534
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 year, 3 months ago
WordPress Slides & Presentations Plugin <= 0.0.39 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ella van Durpe Slides & Presentations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slides & Presentations: from n/a through 0.0.39.

Affected products

slide
  • =<0.0.39

Matching in nixpkgs

pkgs.slides

Terminal based presentation tool

pkgs.openslide

C library that provides a simple interface to read whole-slide images

pkgs.dvd-slideshow

Suite of command line programs that creates a slideshow-style video from groups of pictures

pkgs.gnomeExtensions.backslide

Automatic background-image (wallpaper) slideshow for Gnome Shell

  • nixos-unstable 33
    • nixpkgs-unstable 33
    • nixos-unstable-small 33

pkgs.gnomeExtensions.night-light-slider-updated

Kiyui's Night Light Slider updated for GNOME >= 45. Provides a slider in the quick settings menu to control the night light temperature. Some nice options can be set in the extension preferences menu. Original implementation: https://codeberg.org/kiyui/gnome-shell-night-light-slider-extension/

  • nixos-unstable 12
    • nixpkgs-unstable 12
    • nixos-unstable-small 12

CVE-2023-6277
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 year, 3 months ago
Libtiff: out-of-memory in TIFFOpen via a crafted file

An out-of-memory flaw was found in libtiff. Passing a crafted TIFF file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.

Affected products

iv
tkimg
libtiff
mingw-libtiff
compat-libtiff3

Matching in nixpkgs

pkgs.libtiff

Library and utilities for working with the TIFF image file format
