NixOS nixpkgs vulnerabilities

5 known vulnerabilities affecting nixos/nixpkgs.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 2

Vulnerabilities

CVE-2026-25740  MEDIUM  CVSS 5.8  affected: ≤ 25.05  2026-02-09
CVE-2026-25740 [MEDIUM] CWE-250: captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_RAW capability (binding to privileged ports, spoofing localhost traffic from privileged services...). This vulne
nvd
CVE-2026-25137  CRITICAL  CVSS 9.1  affected: >= 21.11, < 25.11  2026-02-02
CVE-2026-25137 [CRITICAL] CWE-306: The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests.
nvd
CVE-2026-23838  HIGH  CVSS 8.7  affected: >= 23.05, < 26.05  2026-01-19
CVE-2026-23838 [HIGH] CWE-538: Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is tha
nvd
CVE-2025-64766  MEDIUM  CVSS 5.3  affected: >= 22.11, < 25.05  fixed in unstable 25.11  2025-11-17
CVE-2025-64766 [MEDIUM] CWE-798: NixOS's OnlyOffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an exi
nvd
CVE-2025-32438  HIGH  CVSS 8.8  fixed in b17590193d8e5697000c23c66afcf11e1753734d, fbf76bf72b161b9f4ab97704a8258776d5f3ffba  2025-04-15
CVE-2025-32438 [HIGH] CWE-378: make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS users. With systemd.shutdownRamfs.enable enabled (the default) a local user is able to create a program that will be executed by root during shutdown. Patches exist for NixOS 24.11 and 25.05 / unstable. As a workaround, set systemd.shut
nvd