⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

Restore to select a suggestion for a revision.

CVE-2025-49974
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @fricklerhandwerk dismissed 2 months ago
WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.

upstream
=<2.1.0

pkgs.tests.haskell.upstreamStackHpackVersion

Test that the stack in Nixpkgs uses the same version of Hpack as the upstream stack release
Package maintainers: 3
CVE-2025-49964
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 2 months ago
  • @fricklerhandwerk dismissed 2 months ago
WordPress ClipLink plugin <= 1.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in indgeek ClipLink allows Cross Site Request Forgery. This issue affects ClipLink: from n/a through 1.1.

cliplink
=<1.1
CVE-2025-3931
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 2 weeks ago
  • @LeSuisse dismissed 3 months, 1 week ago
Yggdrasil: local privilege escalation in yggdrasil

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data.

yggdrasil
<0.4.7
*
rhc-worker-playbook

pkgs.yggdrasil

An experiment in scalable routing as an encrypted IPv6 overlay network
Package maintainers: 4
CVE-2025-31846
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Theater for WordPress plugin <= 0.18.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through 0.18.7.

theatre
=<0.18.7
CVE-2025-31538
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Checklist plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in checklistcom Checklist allows Stored XSS. This issue affects Checklist: from n/a through 1.1.9.

checklist
=<1.1.9
CVE-2025-31549
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 4 weeks ago
  • @Srylax accepted as draft 4 months, 4 weeks ago
  • @Srylax marked as untriaged 4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Fusion plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion allows DOM-Based XSS. This issue affects Fusion: from n/a through 1.6.3.

fusion
=<1.6.3

pkgs.datafusion-cli

cli for Apache Arrow DataFusion

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.finalfusion-utils

Utility for converting, quantizing, and querying word embeddings

pkgs.python311Packages.datafusion

Extensible query execution framework

pkgs.python312Packages.datafusion

Extensible query execution framework

pkgs.haskellPackages.fusion-plugin

GHC plugin to make stream fusion more predictable

pkgs.python311Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.haskellPackages.fusion-plugin-types

Types for the fusion-plugin package

pkgs.vimPlugins.nvim-treesitter-parsers.fusion

  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable

pkgs.haskellPackages.fusion-plugin.x86_64-linux

GHC plugin to make stream fusion more predictable

pkgs.python312Packages.k-diffusion.x86_64-linux

Karras et al. (2022) diffusion models for PyTorch

pkgs.haskellPackages.fusion-plugin.aarch64-linux

GHC plugin to make stream fusion more predictable

pkgs.haskellPackages.fusion-plugin.x86_64-darwin

GHC plugin to make stream fusion more predictable

pkgs.python312Packages.k-diffusion.aarch64-linux

Karras et al. (2022) diffusion models for PyTorch

pkgs.python312Packages.k-diffusion.x86_64-darwin

Karras et al. (2022) diffusion models for PyTorch

pkgs.haskellPackages.fusion-plugin.aarch64-darwin

GHC plugin to make stream fusion more predictable

pkgs.haskellPackages.fusion-plugin-types.x86_64-linux

Types for the fusion-plugin package

pkgs.haskellPackages.fusion-plugin-types.aarch64-linux

Types for the fusion-plugin package

pkgs.haskellPackages.fusion-plugin-types.x86_64-darwin

Types for the fusion-plugin package

pkgs.haskellPackages.fusion-plugin-types.aarch64-darwin

Types for the fusion-plugin package
Package maintainers: 4
CVE-2025-3155
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
CVE Program Container

None

yelp
<42.2-8
*
yelp-xsl
*

pkgs.yelp

Help viewer in Gnome

pkgs.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook

pkgs.yelp-tools

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation
Package maintainers: 5
CVE-2025-30596
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress include-file <= 1 - Arbitrary File Download Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound include-file allows Path Traversal. This issue affects include-file: from n/a through 1.

include-file
=<1

pkgs.haskellPackages.include-file

Inclusion of files in executables at compile-time

pkgs.haskellPackages.include-file.x86_64-linux

Inclusion of files in executables at compile-time

pkgs.haskellPackages.include-file.aarch64-linux

Inclusion of files in executables at compile-time

pkgs.haskellPackages.include-file.x86_64-darwin

Inclusion of files in executables at compile-time

pkgs.haskellPackages.include-file.aarch64-darwin

Inclusion of files in executables at compile-time
CVE-2025-32250
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Rollbar plugin <= 2.7.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in rollbar Rollbar allows Cross Site Request Forgery. This issue affects Rollbar: from n/a through 2.7.1.

rollbar
=<2.7.1

pkgs.haskellPackages.rollbar

error tracking through rollbar.com

pkgs.python311Packages.rollbar

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.x86_64-linux

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.aarch64-linux

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.x86_64-darwin

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.aarch64-darwin

Error tracking and logging from Python to Rollbar
CVE-2025-32272
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months, 3 weeks ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Wishlist Plugin <= 1.0.44 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in PickPlugins Wishlist allows Cross Site Request Forgery. This issue affects Wishlist: from n/a through 1.0.44.

wishlist
=<1.0.44

pkgs.wishlist

Single entrypoint for multiple SSH endpoints
Package maintainers: 2