CVE-2026-61828
Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes,
CVSS
—
No CVSS
EPSS
0.1%
p1
KEV
—
Exploit Today
0
0-100
Published: Jul 15, 2026 · Last modified: Jul 15, 2026 · CWE-276
Not enough EPSS history yet.
Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the same host, to log in as the root user without a password when the service is used with mysql or percona-server. This issue is fixed in the 25.11 and 26.05.
- github.comhttps://github.com/NixOS/nixpkgs/commit/3f68d7ad2a6865ff8b4910d89f173d7258bad8dd
- github.comhttps://github.com/NixOS/nixpkgs/commit/4aed47116a8734922763cd8f477467b0a0bcd6d7
- github.comhttps://github.com/NixOS/nixpkgs/commit/f8ee41468a7a8f9ed3a8cc7d017151c2ca6f90b5
- github.comhttps://github.com/NixOS/nixpkgs/pull/534254
- github.comhttps://github.com/NixOS/nixpkgs/pull/534482
- github.comhttps://github.com/NixOS/nixpkgs/pull/534484
- github.comhttps://github.com/NixOS/nixpkgs/security/advisories/GHSA-6qxx-6rg8-c4p8
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2021-409048.8 HIG87.7%
——26The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.8dCVE-2022-289329.8 CRI79.3%
——24D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.8dCVE-2021-290058.8 HIG79.3%
——24Insecure permission of chmod command on rConfig server 3.9.6 exists. After installing rConfig apache user may execute chmod as root without password which may let an attacker with low privilege to gain root access on server.8dCVE-2022-366409.8 CRI78.6%
——24influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."8dCVE-2023-230599.8 CRI64.2%
——19An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges.8dCVE-2021-382686.5 MED51.8%
——16The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API.8d