Dismissed suggestions Untriaged suggestions Draft issues Published issues Dismissed suggestions These automatic suggestions were dimissed after initial triaging. Restore to select a suggestion for a revision. CVE-2023-26302 3.3 LOW CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): NONE Availability impact (A): LOW updated 2 weeks, 1 day ago by @LeSuisse Activity log Created automatic suggestion 3 weeks, 1 day ago @LeSuisse dismissed 2 weeks, 1 day ago markdown-it-py CLI crash on invalid UTF-8 characters Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input. markdown-it-py <v2.2.0 pkgs.python311Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 pkgs.python312Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 Notify package maintainers: 1 @bhipple Benjamin Hipple <bhipple@protonmail.com> CVE-2023-26303 3.3 LOW CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): NONE Availability impact (A): LOW updated 2 weeks, 1 day ago by @LeSuisse Activity log Created automatic suggestion 3 weeks, 1 day ago @LeSuisse dismissed 2 weeks, 1 day ago markdown-it-py crash on null assertions Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input. markdown-it-py <v2.2.0 pkgs.python311Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 pkgs.python312Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 Notify package maintainers: 1 @bhipple Benjamin Hipple <bhipple@protonmail.com> CVE-2023-1314 7.5 HIGH CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): HIGH Privileges required (PR): LOW User interaction (UI): NONE Scope (S): CHANGED Confidentiality impact (C): NONE Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 weeks, 1 day ago by @LeSuisse Activity log Created automatic suggestion 1 month, 1 week ago @LeSuisse dismissed 3 weeks, 1 day ago Local Privilege Escalation Vulnerability in cloudflared's Installer A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory. An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process. Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised. The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices. cloudflared =<<=2023.3.0 pkgs.cloudflared Cloudflare Tunnel daemon, Cloudflare Access toolkit, and DNS-over-HTTPS client nixos-24.05 2024.4.1 nixpkgs-24.05-darwin 2024.4.1 nixos-24.05-small 2024.4.1 nixos-24.11 2024.10.0 nixpkgs-24.11-darwin 2024.10.0 nixos-24.11-small 2024.10.0 nixos-unstable 2024.11.0 nixos-unstable-small 2024.11.0 nixpkgs-unstable 2024.11.0 Notify package maintainers: 5 @qjoly Quentin JOLY <github@une-pause-cafe.fr> @thoughtpolice Austin Seipp <aseipp@pobox.com> @ericnorris Eric Norris <erictnorris@gmail.com> @bbigras Bruno Bigras <bigras.bruno@gmail.com> @piperswe Piper McCorkle <contact@piperswe.me> CVE-2023-46288 updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2). Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348. apache-airflow <2.7.0 pkgs.apache-airflow Programmatically author, schedule and monitor data pipelines nixos-24.05 2.7.3 nixpkgs-24.05-darwin 2.7.3 nixos-24.05-small 2.7.3 nixos-24.11 2.7.3 nixpkgs-24.11-darwin 2.7.3 nixos-24.11-small 2.7.3 nixos-unstable 2.7.3 nixos-unstable-small 2.7.3 nixpkgs-unstable 2.7.3 Notify package maintainers: 3 @gbpdt Graham Bennett <nix@pdtpartners.com> @bhipple Benjamin Hipple <bhipple@protonmail.com> @ingenieroariel Ariel Nunez <ariel@nunez.co> CVE-2023-1999 5.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): NONE Availability impact (A): NONE updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago Use after free in libwebp There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. libwebp <1.3.1 <1.3.0-8-ga486d800 pkgs.libwebp Tools and library for the WebP image format nixos-24.05 1.4.0 nixpkgs-24.05-darwin 1.4.0 nixos-24.05-small 1.4.0 nixos-24.11 1.4.0 nixpkgs-24.11-darwin 1.4.0 nixos-24.11-small 1.4.0 nixos-unstable 1.4.0 nixos-unstable-small 1.4.0 nixpkgs-unstable 1.4.0 Notify package maintainers: 1 @ajs124 Andreas Schrägle <nix@ajs124.de> CVE-2025-1390 6.1 MEDIUM CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): LOW Integrity impact (I): HIGH Availability impact (A): NONE updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago pam_cap: Fix potential configuration parsing error The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap ==2.73;0 pkgs.libcap Library for working with POSIX capabilities nixos-24.05 2.69 nixpkgs-24.05-darwin 2.69 nixos-24.05-small 2.69 nixos-24.11 2.70 nixpkgs-24.11-darwin 2.70 nixos-24.11-small 2.70 nixos-unstable 2.70 nixos-unstable-small 2.70 nixpkgs-unstable 2.70 pkgs.libcap_ng Library for working with POSIX capabilities nixos-24.05 0.8.5 nixpkgs-24.05-darwin 0.8.5 nixos-24.05-small 0.8.5 nixos-24.11 0.8.5 nixpkgs-24.11-darwin 0.8.5 nixos-24.11-small 0.8.5 nixos-unstable 0.8.5 nixos-unstable-small 0.8.5 nixpkgs-unstable 0.8.5 pkgs.libcaption Free open-source CEA608 / CEA708 closed-caption encoder/decoder nixos-24.05 0.7 nixpkgs-24.05-darwin 0.7 nixos-24.05-small 0.7 nixos-24.11 0.7 nixpkgs-24.11-darwin 0.7 nixos-24.11-small 0.7 nixos-unstable 0.7 nixos-unstable-small 0.7 nixpkgs-unstable 0.7 Notify package maintainers: 1 @pschmitt Philipp Schmitt <philipp@schmitt.co> CVE-2025-22654 10.0 CRITICAL CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): NONE Scope (S): CHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago WordPress Simplified Plugin Plugin <= 1.0.6 - Arbitrary File Upload vulnerability Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified allows Using Malicious Files. This issue affects Simplified: from n/a through 1.0.6. simplified =<1.0.6 pkgs.texlivePackages.simplified-latex A Simplified Introduction to LaTeX nixos-24.05 20620 nixpkgs-24.05-darwin 20620 nixos-24.05-small 20620 pkgs.gnomeExtensions.net-speed-simplified A Net Speed extension With Loads of Customization. Fork of simplenetspeed nixos-24.05 42 nixpkgs-24.05-darwin 42 nixos-24.05-small 42 nixos-24.11 43 nixpkgs-24.11-darwin 43 nixos-24.11-small 43 nixos-unstable 43 nixos-unstable-small 43 nixpkgs-unstable 43 pkgs.haskellPackages.phonetic-languages-simplified-base A basics of the phonetic-languages functionality that can be groupped nixos-24.05 0.9.0.0 nixpkgs-24.05-darwin 0.9.0.0 nixos-24.05-small 0.9.0.0 nixos-24.11 0.9.0.0 nixpkgs-24.11-darwin 0.9.0.0 nixos-24.11-small 0.9.0.0 nixos-unstable 0.9.0.0 nixos-unstable-small 0.9.0.0 nixpkgs-unstable 0.9.0.0 pkgs.haskellPackages.phonetic-languages-simplified-properties-array-common Common functionality for 'with-tuples' and old version of properties nixos-24.05 0.4.1.0 nixpkgs-24.05-darwin 0.4.1.0 nixos-24.05-small 0.4.1.0 nixos-24.11 0.4.1.0 nixpkgs-24.11-darwin 0.4.1.0 nixos-24.11-small 0.4.1.0 nixos-unstable 0.4.1.0 nixos-unstable-small 0.4.1.0 nixpkgs-unstable 0.4.1.0 Notify package maintainers: 1 @honnip Jung seungwoo <me@honnip.page> CVE-2024-9979 5.3 MEDIUM CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log Created automatic suggestion 3 months, 3 weeks ago @fricklerhandwerk dismissed 1 month, 4 weeks ago Pyo3: risk of use-after-free in `borrowed` reads from python weak references A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references. pyo3 <0.22.4 python3.11-nh3 python3.11-rpds-py python3.11-cryptography python3.12-cryptography CVE-2024-9902 6.3 MEDIUM CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): HIGH Privileges required (PR): LOW User interaction (UI): REQUIRED Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): LOW updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log Created automatic suggestion 3 months, 3 weeks ago @fricklerhandwerk dismissed 1 month, 4 weeks ago Ansible-core: ansible-core user may read/write unauthorized content A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. core ansible-core * ee-29-container * ee-minimal-container * openstack-ansible-core ansible-builder-container * ansible-automation-platform/ee-29-rhel8 * ansible-automation-platform/ee-minimal-rhel8 * ansible-automation-platform/ee-minimal-rhel9 * ansible-automation-platform/ansible-builder-rhel8 * ansible-automation-platform/ansible-builder-rhel9 * CVE-2025-23987 6.5 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log Created automatic suggestion 2 months ago @fricklerhandwerk dismissed 1 month, 4 weeks ago WordPress Designer plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodegearThemes Designer allows DOM-Based XSS. This issue affects Designer: from n/a through 1.6.0. designer =<1.6.0 pkgs.libsForQt5.kdesignerplugin nixos-24.05 5.116.0 nixpkgs-24.05-darwin 5.116.0 nixos-24.05-small 5.116.0 nixos-24.11 5.116.0 nixpkgs-24.11-darwin 5.116.0 nixos-24.11-small 5.116.0 nixos-unstable 5.116.0 nixos-unstable-small 5.116.0 nixpkgs-unstable 5.116.0 pkgs.plasma5Packages.kdesignerplugin nixos-24.05 5.116.0 nixpkgs-24.05-darwin 5.116.0 nixos-24.05-small 5.116.0 nixos-24.11 5.116.0 nixpkgs-24.11-darwin 5.116.0 nixos-24.11-small 5.116.0 nixos-unstable 5.116.0 nixos-unstable-small 5.116.0 nixpkgs-unstable 5.116.0 Notify package maintainers: 2 @nyanloutre Paul Trehiou <paul@nyanlout.re> @ttuegel Thomas Tuegel <ttuegel@mailbox.org>
CVE-2023-26302 3.3 LOW CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): NONE Availability impact (A): LOW updated 2 weeks, 1 day ago by @LeSuisse Activity log Created automatic suggestion 3 weeks, 1 day ago @LeSuisse dismissed 2 weeks, 1 day ago markdown-it-py CLI crash on invalid UTF-8 characters Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input. markdown-it-py <v2.2.0 pkgs.python311Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 pkgs.python312Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 Notify package maintainers: 1 @bhipple Benjamin Hipple <bhipple@protonmail.com>
pkgs.python311Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0
pkgs.python312Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0
CVE-2023-26303 3.3 LOW CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): NONE Availability impact (A): LOW updated 2 weeks, 1 day ago by @LeSuisse Activity log Created automatic suggestion 3 weeks, 1 day ago @LeSuisse dismissed 2 weeks, 1 day ago markdown-it-py crash on null assertions Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input. markdown-it-py <v2.2.0 pkgs.python311Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 pkgs.python312Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0 Notify package maintainers: 1 @bhipple Benjamin Hipple <bhipple@protonmail.com>
pkgs.python311Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0
pkgs.python312Packages.markdown-it-py Markdown parser in Python nixos-24.05 3.0.0 nixpkgs-24.05-darwin 3.0.0 nixos-24.05-small 3.0.0 nixos-24.11 3.0.0 nixpkgs-24.11-darwin 3.0.0 nixos-24.11-small 3.0.0 nixos-unstable 3.0.0 nixos-unstable-small 3.0.0 nixpkgs-unstable 3.0.0
CVE-2023-1314 7.5 HIGH CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): HIGH Privileges required (PR): LOW User interaction (UI): NONE Scope (S): CHANGED Confidentiality impact (C): NONE Integrity impact (I): HIGH Availability impact (A): HIGH updated 3 weeks, 1 day ago by @LeSuisse Activity log Created automatic suggestion 1 month, 1 week ago @LeSuisse dismissed 3 weeks, 1 day ago Local Privilege Escalation Vulnerability in cloudflared's Installer A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory. An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process. Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised. The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices. cloudflared =<<=2023.3.0 pkgs.cloudflared Cloudflare Tunnel daemon, Cloudflare Access toolkit, and DNS-over-HTTPS client nixos-24.05 2024.4.1 nixpkgs-24.05-darwin 2024.4.1 nixos-24.05-small 2024.4.1 nixos-24.11 2024.10.0 nixpkgs-24.11-darwin 2024.10.0 nixos-24.11-small 2024.10.0 nixos-unstable 2024.11.0 nixos-unstable-small 2024.11.0 nixpkgs-unstable 2024.11.0 Notify package maintainers: 5 @qjoly Quentin JOLY <github@une-pause-cafe.fr> @thoughtpolice Austin Seipp <aseipp@pobox.com> @ericnorris Eric Norris <erictnorris@gmail.com> @bbigras Bruno Bigras <bigras.bruno@gmail.com> @piperswe Piper McCorkle <contact@piperswe.me>
pkgs.cloudflared Cloudflare Tunnel daemon, Cloudflare Access toolkit, and DNS-over-HTTPS client nixos-24.05 2024.4.1 nixpkgs-24.05-darwin 2024.4.1 nixos-24.05-small 2024.4.1 nixos-24.11 2024.10.0 nixpkgs-24.11-darwin 2024.10.0 nixos-24.11-small 2024.10.0 nixos-unstable 2024.11.0 nixos-unstable-small 2024.11.0 nixpkgs-unstable 2024.11.0
CVE-2023-46288 updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2). Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348. apache-airflow <2.7.0 pkgs.apache-airflow Programmatically author, schedule and monitor data pipelines nixos-24.05 2.7.3 nixpkgs-24.05-darwin 2.7.3 nixos-24.05-small 2.7.3 nixos-24.11 2.7.3 nixpkgs-24.11-darwin 2.7.3 nixos-24.11-small 2.7.3 nixos-unstable 2.7.3 nixos-unstable-small 2.7.3 nixpkgs-unstable 2.7.3 Notify package maintainers: 3 @gbpdt Graham Bennett <nix@pdtpartners.com> @bhipple Benjamin Hipple <bhipple@protonmail.com> @ingenieroariel Ariel Nunez <ariel@nunez.co>
pkgs.apache-airflow Programmatically author, schedule and monitor data pipelines nixos-24.05 2.7.3 nixpkgs-24.05-darwin 2.7.3 nixos-24.05-small 2.7.3 nixos-24.11 2.7.3 nixpkgs-24.11-darwin 2.7.3 nixos-24.11-small 2.7.3 nixos-unstable 2.7.3 nixos-unstable-small 2.7.3 nixpkgs-unstable 2.7.3
CVE-2023-1999 5.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): NONE Availability impact (A): NONE updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago Use after free in libwebp There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. libwebp <1.3.1 <1.3.0-8-ga486d800 pkgs.libwebp Tools and library for the WebP image format nixos-24.05 1.4.0 nixpkgs-24.05-darwin 1.4.0 nixos-24.05-small 1.4.0 nixos-24.11 1.4.0 nixpkgs-24.11-darwin 1.4.0 nixos-24.11-small 1.4.0 nixos-unstable 1.4.0 nixos-unstable-small 1.4.0 nixpkgs-unstable 1.4.0 Notify package maintainers: 1 @ajs124 Andreas Schrägle <nix@ajs124.de>
pkgs.libwebp Tools and library for the WebP image format nixos-24.05 1.4.0 nixpkgs-24.05-darwin 1.4.0 nixos-24.05-small 1.4.0 nixos-24.11 1.4.0 nixpkgs-24.11-darwin 1.4.0 nixos-24.11-small 1.4.0 nixos-unstable 1.4.0 nixos-unstable-small 1.4.0 nixpkgs-unstable 1.4.0
CVE-2025-1390 6.1 MEDIUM CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): LOW Integrity impact (I): HIGH Availability impact (A): NONE updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago pam_cap: Fix potential configuration parsing error The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. libcap ==2.73;0 pkgs.libcap Library for working with POSIX capabilities nixos-24.05 2.69 nixpkgs-24.05-darwin 2.69 nixos-24.05-small 2.69 nixos-24.11 2.70 nixpkgs-24.11-darwin 2.70 nixos-24.11-small 2.70 nixos-unstable 2.70 nixos-unstable-small 2.70 nixpkgs-unstable 2.70 pkgs.libcap_ng Library for working with POSIX capabilities nixos-24.05 0.8.5 nixpkgs-24.05-darwin 0.8.5 nixos-24.05-small 0.8.5 nixos-24.11 0.8.5 nixpkgs-24.11-darwin 0.8.5 nixos-24.11-small 0.8.5 nixos-unstable 0.8.5 nixos-unstable-small 0.8.5 nixpkgs-unstable 0.8.5 pkgs.libcaption Free open-source CEA608 / CEA708 closed-caption encoder/decoder nixos-24.05 0.7 nixpkgs-24.05-darwin 0.7 nixos-24.05-small 0.7 nixos-24.11 0.7 nixpkgs-24.11-darwin 0.7 nixos-24.11-small 0.7 nixos-unstable 0.7 nixos-unstable-small 0.7 nixpkgs-unstable 0.7 Notify package maintainers: 1 @pschmitt Philipp Schmitt <philipp@schmitt.co>
pkgs.libcap Library for working with POSIX capabilities nixos-24.05 2.69 nixpkgs-24.05-darwin 2.69 nixos-24.05-small 2.69 nixos-24.11 2.70 nixpkgs-24.11-darwin 2.70 nixos-24.11-small 2.70 nixos-unstable 2.70 nixos-unstable-small 2.70 nixpkgs-unstable 2.70
pkgs.libcap_ng Library for working with POSIX capabilities nixos-24.05 0.8.5 nixpkgs-24.05-darwin 0.8.5 nixos-24.05-small 0.8.5 nixos-24.11 0.8.5 nixpkgs-24.11-darwin 0.8.5 nixos-24.11-small 0.8.5 nixos-unstable 0.8.5 nixos-unstable-small 0.8.5 nixpkgs-unstable 0.8.5
pkgs.libcaption Free open-source CEA608 / CEA708 closed-caption encoder/decoder nixos-24.05 0.7 nixpkgs-24.05-darwin 0.7 nixos-24.05-small 0.7 nixos-24.11 0.7 nixpkgs-24.11-darwin 0.7 nixos-24.11-small 0.7 nixos-unstable 0.7 nixos-unstable-small 0.7 nixpkgs-unstable 0.7
CVE-2025-22654 10.0 CRITICAL CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): NONE Scope (S): CHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 1 month, 2 weeks ago by @fpletz Activity log Created automatic suggestion 1 month, 2 weeks ago @fpletz dismissed 1 month, 2 weeks ago WordPress Simplified Plugin Plugin <= 1.0.6 - Arbitrary File Upload vulnerability Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified allows Using Malicious Files. This issue affects Simplified: from n/a through 1.0.6. simplified =<1.0.6 pkgs.texlivePackages.simplified-latex A Simplified Introduction to LaTeX nixos-24.05 20620 nixpkgs-24.05-darwin 20620 nixos-24.05-small 20620 pkgs.gnomeExtensions.net-speed-simplified A Net Speed extension With Loads of Customization. Fork of simplenetspeed nixos-24.05 42 nixpkgs-24.05-darwin 42 nixos-24.05-small 42 nixos-24.11 43 nixpkgs-24.11-darwin 43 nixos-24.11-small 43 nixos-unstable 43 nixos-unstable-small 43 nixpkgs-unstable 43 pkgs.haskellPackages.phonetic-languages-simplified-base A basics of the phonetic-languages functionality that can be groupped nixos-24.05 0.9.0.0 nixpkgs-24.05-darwin 0.9.0.0 nixos-24.05-small 0.9.0.0 nixos-24.11 0.9.0.0 nixpkgs-24.11-darwin 0.9.0.0 nixos-24.11-small 0.9.0.0 nixos-unstable 0.9.0.0 nixos-unstable-small 0.9.0.0 nixpkgs-unstable 0.9.0.0 pkgs.haskellPackages.phonetic-languages-simplified-properties-array-common Common functionality for 'with-tuples' and old version of properties nixos-24.05 0.4.1.0 nixpkgs-24.05-darwin 0.4.1.0 nixos-24.05-small 0.4.1.0 nixos-24.11 0.4.1.0 nixpkgs-24.11-darwin 0.4.1.0 nixos-24.11-small 0.4.1.0 nixos-unstable 0.4.1.0 nixos-unstable-small 0.4.1.0 nixpkgs-unstable 0.4.1.0 Notify package maintainers: 1 @honnip Jung seungwoo <me@honnip.page>
pkgs.texlivePackages.simplified-latex A Simplified Introduction to LaTeX nixos-24.05 20620 nixpkgs-24.05-darwin 20620 nixos-24.05-small 20620
pkgs.gnomeExtensions.net-speed-simplified A Net Speed extension With Loads of Customization. Fork of simplenetspeed nixos-24.05 42 nixpkgs-24.05-darwin 42 nixos-24.05-small 42 nixos-24.11 43 nixpkgs-24.11-darwin 43 nixos-24.11-small 43 nixos-unstable 43 nixos-unstable-small 43 nixpkgs-unstable 43
pkgs.haskellPackages.phonetic-languages-simplified-base A basics of the phonetic-languages functionality that can be groupped nixos-24.05 0.9.0.0 nixpkgs-24.05-darwin 0.9.0.0 nixos-24.05-small 0.9.0.0 nixos-24.11 0.9.0.0 nixpkgs-24.11-darwin 0.9.0.0 nixos-24.11-small 0.9.0.0 nixos-unstable 0.9.0.0 nixos-unstable-small 0.9.0.0 nixpkgs-unstable 0.9.0.0
pkgs.haskellPackages.phonetic-languages-simplified-properties-array-common Common functionality for 'with-tuples' and old version of properties nixos-24.05 0.4.1.0 nixpkgs-24.05-darwin 0.4.1.0 nixos-24.05-small 0.4.1.0 nixos-24.11 0.4.1.0 nixpkgs-24.11-darwin 0.4.1.0 nixos-24.11-small 0.4.1.0 nixos-unstable 0.4.1.0 nixos-unstable-small 0.4.1.0 nixpkgs-unstable 0.4.1.0
CVE-2024-9979 5.3 MEDIUM CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log Created automatic suggestion 3 months, 3 weeks ago @fricklerhandwerk dismissed 1 month, 4 weeks ago Pyo3: risk of use-after-free in `borrowed` reads from python weak references A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references. pyo3 <0.22.4 python3.11-nh3 python3.11-rpds-py python3.11-cryptography python3.12-cryptography
CVE-2024-9902 6.3 MEDIUM CVSS version: 3.1 Attack vector (AV): LOCAL Attack complexity (AC): HIGH Privileges required (PR): LOW User interaction (UI): REQUIRED Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): LOW updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log Created automatic suggestion 3 months, 3 weeks ago @fricklerhandwerk dismissed 1 month, 4 weeks ago Ansible-core: ansible-core user may read/write unauthorized content A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. core ansible-core * ee-29-container * ee-minimal-container * openstack-ansible-core ansible-builder-container * ansible-automation-platform/ee-29-rhel8 * ansible-automation-platform/ee-minimal-rhel8 * ansible-automation-platform/ee-minimal-rhel9 * ansible-automation-platform/ansible-builder-rhel8 * ansible-automation-platform/ansible-builder-rhel9 *
CVE-2025-23987 6.5 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): LOW User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log Created automatic suggestion 2 months ago @fricklerhandwerk dismissed 1 month, 4 weeks ago WordPress Designer plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodegearThemes Designer allows DOM-Based XSS. This issue affects Designer: from n/a through 1.6.0. designer =<1.6.0 pkgs.libsForQt5.kdesignerplugin nixos-24.05 5.116.0 nixpkgs-24.05-darwin 5.116.0 nixos-24.05-small 5.116.0 nixos-24.11 5.116.0 nixpkgs-24.11-darwin 5.116.0 nixos-24.11-small 5.116.0 nixos-unstable 5.116.0 nixos-unstable-small 5.116.0 nixpkgs-unstable 5.116.0 pkgs.plasma5Packages.kdesignerplugin nixos-24.05 5.116.0 nixpkgs-24.05-darwin 5.116.0 nixos-24.05-small 5.116.0 nixos-24.11 5.116.0 nixpkgs-24.11-darwin 5.116.0 nixos-24.11-small 5.116.0 nixos-unstable 5.116.0 nixos-unstable-small 5.116.0 nixpkgs-unstable 5.116.0 Notify package maintainers: 2 @nyanloutre Paul Trehiou <paul@nyanlout.re> @ttuegel Thomas Tuegel <ttuegel@mailbox.org>
pkgs.libsForQt5.kdesignerplugin nixos-24.05 5.116.0 nixpkgs-24.05-darwin 5.116.0 nixos-24.05-small 5.116.0 nixos-24.11 5.116.0 nixpkgs-24.11-darwin 5.116.0 nixos-24.11-small 5.116.0 nixos-unstable 5.116.0 nixos-unstable-small 5.116.0 nixpkgs-unstable 5.116.0
pkgs.plasma5Packages.kdesignerplugin nixos-24.05 5.116.0 nixpkgs-24.05-darwin 5.116.0 nixos-24.05-small 5.116.0 nixos-24.11 5.116.0 nixpkgs-24.11-darwin 5.116.0 nixos-24.11-small 5.116.0 nixos-unstable 5.116.0 nixos-unstable-small 5.116.0 nixpkgs-unstable 5.116.0