⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dimissed after initial triaging.

Restore to select a suggestion for a revision.

CVE-2023-26302
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 2 weeks, 1 day ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
markdown-it-py CLI crash on invalid UTF-8 characters

Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input.

markdown-it-py
<v2.2.0
Notify package maintainers: 1
CVE-2023-26303
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 2 weeks, 1 day ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
markdown-it-py crash on null assertions

Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input.

markdown-it-py
<v2.2.0
Notify package maintainers: 1
CVE-2023-1314
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 weeks, 1 day ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Local Privilege Escalation Vulnerability in cloudflared's Installer

A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory. An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process. Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised. The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices.

cloudflared
=<<=2023.3.0
Notify package maintainers: 5
CVE-2023-46288
updated 1 month, 2 weeks ago by @fpletz Activity log
  • Created automatic suggestion
  • @fpletz dismissed
Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2). Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.

apache-airflow
<2.7.0
Notify package maintainers: 3
CVE-2023-1999
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @fpletz Activity log
  • Created automatic suggestion
  • @fpletz dismissed
Use after free in libwebp

There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. 

libwebp
<1.3.1
<1.3.0-8-ga486d800
Notify package maintainers: 1
CVE-2025-1390
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @fpletz Activity log
  • Created automatic suggestion
  • @fpletz dismissed
pam_cap: Fix potential configuration parsing error

The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

libcap
==2.73;0

pkgs.libcaption

Free open-source CEA608 / CEA708 closed-caption encoder/decoder
Notify package maintainers: 1
CVE-2025-22654
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 2 weeks ago by @fpletz Activity log
  • Created automatic suggestion
  • @fpletz dismissed
WordPress Simplified Plugin Plugin <= 1.0.6 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified allows Using Malicious Files. This issue affects Simplified: from n/a through 1.0.6.

simplified
=<1.0.6

pkgs.texlivePackages.simplified-latex

A Simplified Introduction to LaTeX

pkgs.gnomeExtensions.net-speed-simplified

A Net Speed extension With Loads of Customization. Fork of simplenetspeed
  • nixos-24.05 42
    • nixpkgs-24.05-darwin 42
    • nixos-24.05-small 42
  • nixos-24.11 43
    • nixpkgs-24.11-darwin 43
    • nixos-24.11-small 43
  • nixos-unstable 43
    • nixos-unstable-small 43
    • nixpkgs-unstable 43
Notify package maintainers: 1
CVE-2024-9979
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
Pyo3: risk of use-after-free in `borrowed` reads from python weak references

A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.

pyo3
<0.22.4
python3.11-nh3
python3.11-rpds-py
python3.11-cryptography
python3.12-cryptography
CVE-2024-9902
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
Ansible-core: ansible-core user may read/write unauthorized content

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

core
ansible-core
*
ee-29-container
*
ee-minimal-container
*
openstack-ansible-core
ansible-builder-container
*
ansible-automation-platform/ee-29-rhel8
*
ansible-automation-platform/ee-minimal-rhel8
*
ansible-automation-platform/ee-minimal-rhel9
*
ansible-automation-platform/ansible-builder-rhel8
*
ansible-automation-platform/ansible-builder-rhel9
*
CVE-2025-23987
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
WordPress Designer plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodegearThemes Designer allows DOM-Based XSS. This issue affects Designer: from n/a through 1.6.0.

designer
=<1.6.0
Notify package maintainers: 2