Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2025-22534
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
WordPress Slides & Presentations Plugin <= 0.0.39 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ella van Durpe Slides & Presentations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slides & Presentations: from n/a through 0.0.39.

Affected products

slide
  • =<0.0.39

Matching in nixpkgs

pkgs.slides

Terminal based presentation tool

pkgs.openslide

C library that provides a simple interface to read whole-slide images

pkgs.dvd-slideshow

Suite of command line programs that creates a slideshow-style video from groups of pictures

pkgs.gnomeExtensions.backslide

Automatic background-image (wallpaper) slideshow for Gnome Shell

  • nixos-unstable 33
    • nixpkgs-unstable 33
    • nixos-unstable-small 33

pkgs.gnomeExtensions.night-light-slider-updated

Kiyui's Night Light Slider updated for GNOME >= 45. Provides a slider in the quick settings menu to control the night light temperature. Some nice options can be set in the extension preferences menu. Original implementation: https://codeberg.org/kiyui/gnome-shell-night-light-slider-extension/

  • nixos-unstable 12
    • nixpkgs-unstable 12
    • nixos-unstable-small 12

Package maintainers

Permalink CVE-2023-6277
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
Libtiff: out-of-memory in tiffopen via a craft file

An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.

Affected products

iv
tkimg
libtiff
mingw-libtiff
compat-libtiff3

Matching in nixpkgs

pkgs.libtiff

Library and utilities for working with the TIFF image file format

Package maintainers

Permalink CVE-2023-6596
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
Openshift: incomplete fix for rapid reset (cve-2023-44487/cve-2023-39325)

An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability for an OpenShift Containers.

References

Affected products

openshift
  • <4.12.48
  • <4.11.58
openshift4/ose-olm-rukpak-rhel8
openshift4/ose-operator-lifecycle-manager
  • *

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

Package maintainers

Permalink CVE-2024-45617
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): PHYSICAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
Libopensc: uninitialized values after incorrect or missing checking return values of functions in libopensc

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

Affected products

opensc
libopensc
  • <0.26.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

Package maintainers

Permalink CVE-2024-38789
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
WordPress Telegram Bot & Channel plugin <= 3.8.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Telegram Bot & Channel allows Cross Site Request Forgery.This issue affects Telegram Bot & Channel: from n/a through 3.8.2.

Affected products

telegram-bot
  • =<3.8.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-38766
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
WordPress Matomo Analytics plugin <= 5.1.1 - Cross Site Request Forgery (CSRF) leading to Notice Dismissal vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery.This issue affects Matomo Analytics: from n/a through 5.1.1.

Affected products

matomo
  • =<5.1.1

Matching in nixpkgs

pkgs.matomo

Real-time web analytics application

pkgs.matomo_5

Real-time web analytics application

Package maintainers

Permalink CVE-2023-47183
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
WordPress GiveWP plugin <= 2.33.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in GiveWP GiveWP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GiveWP: from n/a through 2.33.1.

Affected products

give
  • =<2.33.1

Matching in nixpkgs

Permalink CVE-2024-38765
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
WordPress Oceanic theme <= 1.0.48 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Freelancelot Oceanic allows Cross Site Request Forgery.This issue affects Oceanic: from n/a through 1.0.48.

Affected products

oceanic
  • =<1.0.48

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-45616
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): PHYSICAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
Libopensc: uninitialized values after incorrect check or usage of apdu response values in libopensc

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

Affected products

opensc
libopensc
  • <0.26.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

Package maintainers

Permalink CVE-2024-37490
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 3 months ago Activity log
  • Created suggestion 1 year, 3 months ago
WordPress Bard theme <= 2.210 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Bard allows Cross Site Request Forgery.This issue affects Bard: from n/a through 2.210.

Affected products

bard
  • =<2.210

Matching in nixpkgs

pkgs.bombardier

Fast cross-platform HTTP benchmarking tool written in Go

Package maintainers