Dismissed suggestions Untriaged suggestions Draft issues Published issues Dismissed suggestions These automatic suggestions were dismissed after initial triaging. Restore to select a suggestion for a revision. CVE-2025-49251 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 33 packages grafana grafanactl mcp-grafana grafana-loki grafana-alloy grafana-kiosk grafana-to-ntfy grafana-dash-n-grab dhallPackages.dhall-grafana terraform-providers.grafana python312Packages.grafanalib python313Packages.grafanalib haskellPackages.amazonka-grafana grafanaPlugins.grafana-oncall-app grafanaPlugins.grafana-clock-panel grafanaPlugins.grafana-pyroscope-app grafanaPlugins.grafana-googlesheets-datasource grafanaPlugins.grafana-opensearch-datasource grafanaPlugins.grafana-clickhouse-datasource python313Packages.types-aiobotocore-grafana python312Packages.types-aiobotocore-grafana grafanaPlugins.grafana-metricsdrilldown-app grafanaPlugins.grafana-discourse-datasource grafanaPlugins.grafana-sentry-datasource grafanaPlugins.grafana-github-datasource grafanaPlugins.grafana-exploretraces-app grafanaPlugins.grafana-mqtt-datasource grafanaPlugins.grafana-lokiexplore-app grafanaPlugins.grafana-worldmap-panel grafanaPlugins.grafana-polystat-panel grafanaPlugins.grafana-piechart-panel python313Packages.mypy-boto3-grafana python312Packages.mypy-boto3-grafana 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Fana <= 1.1.28 - Local File Inclusion Vulnerability Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through 1.1.28. fana =<1.1.28 Package maintainers: 28 @flokli Florian Klink <flokli@flokli.de> @azahi Azat Bahawi <azat@bahawi.net> @hbjydev Hayden Young <hayden@kuraudo.io> @cdepillabout Dennis Gosnell <cdep.illabout@gmail.com> @wraithm Matthew Wraith <wraithm@gmail.com> @wcarlsen Willi Carlsen <carlsenwilli@gmail.com> @mbalatsko Maksym Balatsko <mbalatsko@gmail.com> @MarcelCoding Marcel <me@m4rc3l.de> @michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com> @ryan4yin Ryan Yin <xiaoyin_c@qq.com> @emilylange Emily Lange <nix@emilylange.de> @mmahut Marek Mahut <marek.mahut@gmail.com> @globin Robin Gloster <mail@glob.in> @fabaff Fabian Affolter <mail@fabian-affolter.ch> @fpletz Franz Pletz <fpletz@fnordicwalking.de> @Frostman Sergei Lukianov <me@slukjanov.name> @Ma27 Maximilian Bosch <maximilian@mbosch.me> @offlinehacker Jaka Hudoklin <jaka@x-truder.net> @pilz0 Pilz <nix@pilz.foo> @majiru Jacob Moody <moody@posixcafe.org> @lukegb Luke Granger-Brown <nix@lukegb.com> @nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me> @mockersf François Mockers <francois.mockers@vleue.com> @NthTensor Miles Silberling-Cook <miles.silberlingcook@gmail.com> @loispostula Loïs Postula <lois@postu.la> @marcusramberg Marcus Ramberg <marcus@means.no> @Kranzes Ilan Joselevich <personal@ilanjoselevich.com> @arianvp Arian van Putten <arian.vanputten@gmail.com> CVE-2025-49253 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 3 packages typstPackages.lasagna_0_1_0 typstPackages.lasaveur_0_1_3 typstPackages.lasaveur_0_1_4 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Lasa <= 1.1 - Local File Inclusion Vulnerability Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1. lasa =<1.1 Package maintainers: 1 @cherrypiejam Gongqi Huang CVE-2025-49259 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 11 packages charasay gnome-characters keepass-charactercopy unicode-character-database haskellPackages.character-ps coqPackages.mathcomp-character python312Packages.characteristic python313Packages.characteristic magnetophonDSP.CharacterCompressor python312Packages.character-encoding-utils python313Packages.character-encoding-utils 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Hara <= 1.2.10 - Local File Inclusion Vulnerability Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through 1.2.10. hara =<1.2.10 Package maintainers: 11 @hmajid2301 Haseeb Majid <hello@haseebmajid.dev> @hedning Tor Hedin Brønner <torhedinbronner@gmail.com> @dasj19 Daniel Șerbănescu <daniel@serbanescu.dk> @jtojnar Jan Tojnar <jtojnar@gmail.com> @bobby285271 Bobby Rong <rjl931189261@126.com> @h7x4 h7x4 <h7x4@nani.wtf> @TakWolf TakWolf <takwolf@foxmail.com> @vbgl Vincent Laporte <Vincent.Laporte@gmail.com> @jwiegley John Wiegley <johnw@newartisans.com> @CohenCyril Cyril Cohen <cyril.cohen@inria.fr> @magnetophon Bart Brouns <bart@magnetophon.nl> CVE-2025-23999 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 14 packages kdePackages.breeze kdePackages.breeze-gtk kdePackages.breeze-grub libsForQt5.breeze-icons kdePackages.breeze-icons breeze-hacked-cursor-theme kdePackages.breeze-plymouth python312Packages.seabreeze python313Packages.seabreeze plasma5Packages.breeze-icons kdePackages.qqc2-breeze-style wordpressPackages.plugins.breeze kdePackages.sierra-breeze-enhanced qt6Packages.sierra-breeze-enhanced 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Breeze plugin <= 2.2.13 - Broken Access Control vulnerability Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through 2.2.13. breeze =<2.2.13 Package maintainers: 10 @A1ca7raz A1ca7raz <aya@wtm.moe> @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com> @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev> @K900 Ilya K. <me@0upti.me> @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru> @ttuegel Thomas Tuegel <ttuegel@mailbox.org> @NickCao Nick Cao <nickcao@nichi.co> @mjm Matt Moriarity <matt@mattmoriarity.com> @nyanloutre Paul Trehiou <paul@nyanlout.re> @Anomalocaridid Duncan Russell <duncan@anomalocaris.xyz> CVE-2025-49976 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 10 packages fsnotifier mpris-notifier terminal-notifier usbguard-notifier python312Packages.pynotifier python312Packages.desktop-notifier python313Packages.desktop-notifier haskellPackages.status-notifier-item kdePackages.kstatusnotifieritem python313Packages.pynotifier 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress WANotifier plugin <= 2.7.7 - Broken Access Control Vulnerability Missing Authorization vulnerability in WANotifier WANotifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through 2.7.7. notifier =<2.7.7 Package maintainers: 11 @Leixb Aleix Boné <abone9999+nixpkgs@gmail.com> @pbsds Peder Bergebakken Sundt <pbsds@hotmail.com> @fpletz Franz Pletz <fpletz@fnordicwalking.de> @SFrijters Stefan Frijters <sfrijters@gmail.com> @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev> @K900 Ilya K. <me@0upti.me> @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru> @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com> @ttuegel Thomas Tuegel <ttuegel@mailbox.org> @NickCao Nick Cao <nickcao@nichi.co> @mjm Matt Moriarity <matt@mattmoriarity.com> CVE-2025-49974 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 3 packages git-upstream lomiri.qtmir tests.haskell.upstreamStackHpackVersion 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0. upstream =<2.1.0 Package maintainers: 3 @9999years Rebecca Turner <rbt@fastmail.com> @OPNA2608 Cosima Neidahl <opna2608@protonmail.com> @cdepillabout Dennis Gosnell <cdep.illabout@gmail.com> CVE-2025-53338 7.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 23 packages replace fireplace qsreplace replacement replace-secret haskellPackages.replace-attoparsec haskellPackages.replace-megaparsec haskellPackages.text-regex-replace tests.substitute.legacySingleReplace tests.replaceVars.replaceVars.succeeds tests.replaceVars.replaceVarsWith.succeeds tests.replaceVars.replaceVars.fails-on-directory tests.replaceVars.replaceVars.fails-in-build-phase tests.replaceVars.replaceVars.fails-in-check-phase tests.replaceVars.replaceVarsWith.fails-on-directory tests.replaceVars.replaceVars.succeeds-with-exemption tests.replaceVars.replaceVarsWith.fails-in-build-phase tests.replaceVars.replaceVarsWith.fails-in-check-phase tests.replaceVars.replaceVarsWith.succeeds-with-exemption tests.replaceVars.replaceVars.fails-in-check-phase-with-exemption tests.replaceVars.replaceVars.fails-in-check-phase-with-bad-exemption tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-exemption tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-bad-exemption 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress re.place plugin <= 0.2.1 - Cross Site Request Forgery (CSRF) Vulnerability Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1. replace =<0.2.1 Package maintainers: 5 @maralorn maralorn <mail@maralorn.de> @multivac61 multivac61 <olafur@genkiinstruments.com> @averagebit averagebit <averagebit@pm.me> @talyz Kim Lindberger <kim.lindberger@gmail.com> @siriobalmelli Sirio Balmelli <sirio@b-ad.ch> CVE-2025-52826 8.8 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 4 packages python312Packages.datasalad python313Packages.datasalad python312Packages.schema-salad python313Packages.schema-salad 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Sala theme <= 1.1.3 - PHP Object Injection Vulnerability Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3. sala =<1.1.3 Package maintainers: 2 @veprbl Dmitry Kalinkin <veprbl@gmail.com> @gador Florian Brandes <florian.brandes@posteo.de> CVE-2025-31428 7.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 11 packages hydrogen hydroxide libhydrogen tau-hydrogen fishPlugins.hydro hydrogen-web-unwrapped python312Packages.hydrogram python313Packages.hydrogram haskellPackages.hydrogen-version python312Packages.swisshydrodata python313Packages.swisshydrodata 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress HYDRO theme <= 2.8 - Reflected Cross Site Scripting (XSS) vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddhaThemes HYDRO allows Reflected XSS. This issue affects HYDRO: from n/a through 2.8. hydro =<2.8 Package maintainers: 12 @fabaff Fabian Affolter <mail@fabian-affolter.ch> @pyrox0 Pyrox <pyrox@pyrox.dev> @tholoo Ali Mohammadzadeh <ali0mhmz@gmail.com> @tanya1866 Tanya Arora <tanyaarora@tutamail.com> @orivej Orivej Desh <orivej@gmx.fr> @NickCao Nick Cao <nickcao@nichi.co> @teutat3s teutat3s <teutates@mailbox.org> @fadenb Tristan Helmich <tristan.helmich+nixos@gmail.com> @Ma27 Maximilian Bosch <maximilian@mbosch.me> @mguentner Maximilian Güntner <code@mguentner.de> @D4ndellion Daniel Olsen <daniel@dodsorf.as> @Br1ght0ne Oleksii Filonenko <brightone@protonmail.com> CVE-2025-53200 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed package gnomeExtensions.penguin-ai-chatbot 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress ChatBot plugin <= 6.7.3 - Broken Access Control Vulnerability Missing Authorization vulnerability in QuantumCloud ChatBot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through 6.7.3. chatbot =<6.7.3 Package maintainers: 1 @honnip Jung seungwoo <me@honnip.page>
CVE-2025-49251 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 33 packages grafana grafanactl mcp-grafana grafana-loki grafana-alloy grafana-kiosk grafana-to-ntfy grafana-dash-n-grab dhallPackages.dhall-grafana terraform-providers.grafana python312Packages.grafanalib python313Packages.grafanalib haskellPackages.amazonka-grafana grafanaPlugins.grafana-oncall-app grafanaPlugins.grafana-clock-panel grafanaPlugins.grafana-pyroscope-app grafanaPlugins.grafana-googlesheets-datasource grafanaPlugins.grafana-opensearch-datasource grafanaPlugins.grafana-clickhouse-datasource python313Packages.types-aiobotocore-grafana python312Packages.types-aiobotocore-grafana grafanaPlugins.grafana-metricsdrilldown-app grafanaPlugins.grafana-discourse-datasource grafanaPlugins.grafana-sentry-datasource grafanaPlugins.grafana-github-datasource grafanaPlugins.grafana-exploretraces-app grafanaPlugins.grafana-mqtt-datasource grafanaPlugins.grafana-lokiexplore-app grafanaPlugins.grafana-worldmap-panel grafanaPlugins.grafana-polystat-panel grafanaPlugins.grafana-piechart-panel python313Packages.mypy-boto3-grafana python312Packages.mypy-boto3-grafana 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Fana <= 1.1.28 - Local File Inclusion Vulnerability Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through 1.1.28. fana =<1.1.28 Package maintainers: 28 @flokli Florian Klink <flokli@flokli.de> @azahi Azat Bahawi <azat@bahawi.net> @hbjydev Hayden Young <hayden@kuraudo.io> @cdepillabout Dennis Gosnell <cdep.illabout@gmail.com> @wraithm Matthew Wraith <wraithm@gmail.com> @wcarlsen Willi Carlsen <carlsenwilli@gmail.com> @mbalatsko Maksym Balatsko <mbalatsko@gmail.com> @MarcelCoding Marcel <me@m4rc3l.de> @michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com> @ryan4yin Ryan Yin <xiaoyin_c@qq.com> @emilylange Emily Lange <nix@emilylange.de> @mmahut Marek Mahut <marek.mahut@gmail.com> @globin Robin Gloster <mail@glob.in> @fabaff Fabian Affolter <mail@fabian-affolter.ch> @fpletz Franz Pletz <fpletz@fnordicwalking.de> @Frostman Sergei Lukianov <me@slukjanov.name> @Ma27 Maximilian Bosch <maximilian@mbosch.me> @offlinehacker Jaka Hudoklin <jaka@x-truder.net> @pilz0 Pilz <nix@pilz.foo> @majiru Jacob Moody <moody@posixcafe.org> @lukegb Luke Granger-Brown <nix@lukegb.com> @nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me> @mockersf François Mockers <francois.mockers@vleue.com> @NthTensor Miles Silberling-Cook <miles.silberlingcook@gmail.com> @loispostula Loïs Postula <lois@postu.la> @marcusramberg Marcus Ramberg <marcus@means.no> @Kranzes Ilan Joselevich <personal@ilanjoselevich.com> @arianvp Arian van Putten <arian.vanputten@gmail.com>
CVE-2025-49253 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 3 packages typstPackages.lasagna_0_1_0 typstPackages.lasaveur_0_1_3 typstPackages.lasaveur_0_1_4 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Lasa <= 1.1 - Local File Inclusion Vulnerability Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1. lasa =<1.1 Package maintainers: 1 @cherrypiejam Gongqi Huang
CVE-2025-49259 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 11 packages charasay gnome-characters keepass-charactercopy unicode-character-database haskellPackages.character-ps coqPackages.mathcomp-character python312Packages.characteristic python313Packages.characteristic magnetophonDSP.CharacterCompressor python312Packages.character-encoding-utils python313Packages.character-encoding-utils 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Hara <= 1.2.10 - Local File Inclusion Vulnerability Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through 1.2.10. hara =<1.2.10 Package maintainers: 11 @hmajid2301 Haseeb Majid <hello@haseebmajid.dev> @hedning Tor Hedin Brønner <torhedinbronner@gmail.com> @dasj19 Daniel Șerbănescu <daniel@serbanescu.dk> @jtojnar Jan Tojnar <jtojnar@gmail.com> @bobby285271 Bobby Rong <rjl931189261@126.com> @h7x4 h7x4 <h7x4@nani.wtf> @TakWolf TakWolf <takwolf@foxmail.com> @vbgl Vincent Laporte <Vincent.Laporte@gmail.com> @jwiegley John Wiegley <johnw@newartisans.com> @CohenCyril Cyril Cohen <cyril.cohen@inria.fr> @magnetophon Bart Brouns <bart@magnetophon.nl>
CVE-2025-23999 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 14 packages kdePackages.breeze kdePackages.breeze-gtk kdePackages.breeze-grub libsForQt5.breeze-icons kdePackages.breeze-icons breeze-hacked-cursor-theme kdePackages.breeze-plymouth python312Packages.seabreeze python313Packages.seabreeze plasma5Packages.breeze-icons kdePackages.qqc2-breeze-style wordpressPackages.plugins.breeze kdePackages.sierra-breeze-enhanced qt6Packages.sierra-breeze-enhanced 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Breeze plugin <= 2.2.13 - Broken Access Control vulnerability Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through 2.2.13. breeze =<2.2.13 Package maintainers: 10 @A1ca7raz A1ca7raz <aya@wtm.moe> @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com> @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev> @K900 Ilya K. <me@0upti.me> @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru> @ttuegel Thomas Tuegel <ttuegel@mailbox.org> @NickCao Nick Cao <nickcao@nichi.co> @mjm Matt Moriarity <matt@mattmoriarity.com> @nyanloutre Paul Trehiou <paul@nyanlout.re> @Anomalocaridid Duncan Russell <duncan@anomalocaris.xyz>
CVE-2025-49976 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 10 packages fsnotifier mpris-notifier terminal-notifier usbguard-notifier python312Packages.pynotifier python312Packages.desktop-notifier python313Packages.desktop-notifier haskellPackages.status-notifier-item kdePackages.kstatusnotifieritem python313Packages.pynotifier 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress WANotifier plugin <= 2.7.7 - Broken Access Control Vulnerability Missing Authorization vulnerability in WANotifier WANotifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through 2.7.7. notifier =<2.7.7 Package maintainers: 11 @Leixb Aleix Boné <abone9999+nixpkgs@gmail.com> @pbsds Peder Bergebakken Sundt <pbsds@hotmail.com> @fpletz Franz Pletz <fpletz@fnordicwalking.de> @SFrijters Stefan Frijters <sfrijters@gmail.com> @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev> @K900 Ilya K. <me@0upti.me> @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru> @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com> @ttuegel Thomas Tuegel <ttuegel@mailbox.org> @NickCao Nick Cao <nickcao@nichi.co> @mjm Matt Moriarity <matt@mattmoriarity.com>
CVE-2025-49974 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 3 packages git-upstream lomiri.qtmir tests.haskell.upstreamStackHpackVersion 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0. upstream =<2.1.0 Package maintainers: 3 @9999years Rebecca Turner <rbt@fastmail.com> @OPNA2608 Cosima Neidahl <opna2608@protonmail.com> @cdepillabout Dennis Gosnell <cdep.illabout@gmail.com>
CVE-2025-53338 7.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 23 packages replace fireplace qsreplace replacement replace-secret haskellPackages.replace-attoparsec haskellPackages.replace-megaparsec haskellPackages.text-regex-replace tests.substitute.legacySingleReplace tests.replaceVars.replaceVars.succeeds tests.replaceVars.replaceVarsWith.succeeds tests.replaceVars.replaceVars.fails-on-directory tests.replaceVars.replaceVars.fails-in-build-phase tests.replaceVars.replaceVars.fails-in-check-phase tests.replaceVars.replaceVarsWith.fails-on-directory tests.replaceVars.replaceVars.succeeds-with-exemption tests.replaceVars.replaceVarsWith.fails-in-build-phase tests.replaceVars.replaceVarsWith.fails-in-check-phase tests.replaceVars.replaceVarsWith.succeeds-with-exemption tests.replaceVars.replaceVars.fails-in-check-phase-with-exemption tests.replaceVars.replaceVars.fails-in-check-phase-with-bad-exemption tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-exemption tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-bad-exemption 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress re.place plugin <= 0.2.1 - Cross Site Request Forgery (CSRF) Vulnerability Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1. replace =<0.2.1 Package maintainers: 5 @maralorn maralorn <mail@maralorn.de> @multivac61 multivac61 <olafur@genkiinstruments.com> @averagebit averagebit <averagebit@pm.me> @talyz Kim Lindberger <kim.lindberger@gmail.com> @siriobalmelli Sirio Balmelli <sirio@b-ad.ch>
CVE-2025-52826 8.8 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 4 packages python312Packages.datasalad python313Packages.datasalad python312Packages.schema-salad python313Packages.schema-salad 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress Sala theme <= 1.1.3 - PHP Object Injection Vulnerability Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3. sala =<1.1.3 Package maintainers: 2 @veprbl Dmitry Kalinkin <veprbl@gmail.com> @gador Florian Brandes <florian.brandes@posteo.de>
CVE-2025-31428 7.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 11 packages hydrogen hydroxide libhydrogen tau-hydrogen fishPlugins.hydro hydrogen-web-unwrapped python312Packages.hydrogram python313Packages.hydrogram haskellPackages.hydrogen-version python312Packages.swisshydrodata python313Packages.swisshydrodata 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress HYDRO theme <= 2.8 - Reflected Cross Site Scripting (XSS) vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddhaThemes HYDRO allows Reflected XSS. This issue affects HYDRO: from n/a through 2.8. hydro =<2.8 Package maintainers: 12 @fabaff Fabian Affolter <mail@fabian-affolter.ch> @pyrox0 Pyrox <pyrox@pyrox.dev> @tholoo Ali Mohammadzadeh <ali0mhmz@gmail.com> @tanya1866 Tanya Arora <tanyaarora@tutamail.com> @orivej Orivej Desh <orivej@gmx.fr> @NickCao Nick Cao <nickcao@nichi.co> @teutat3s teutat3s <teutates@mailbox.org> @fadenb Tristan Helmich <tristan.helmich+nixos@gmail.com> @Ma27 Maximilian Bosch <maximilian@mbosch.me> @mguentner Maximilian Güntner <code@mguentner.de> @D4ndellion Daniel Olsen <daniel@dodsorf.as> @Br1ght0ne Oleksii Filonenko <brightone@protonmail.com>
CVE-2025-53200 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 3 days, 8 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed package gnomeExtensions.penguin-ai-chatbot 3 days, 8 hours ago @LeSuisse dismissed 3 days, 8 hours ago WordPress ChatBot plugin <= 6.7.3 - Broken Access Control Vulnerability Missing Authorization vulnerability in QuantumCloud ChatBot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through 6.7.3. chatbot =<6.7.3 Package maintainers: 1 @honnip Jung seungwoo <me@honnip.page>