Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2025-49974
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 week ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk dismissed
WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.

upstream
=<2.1.0

pkgs.git-upstream.x86_64-linux

A shortcut for `git push --set-upstream`

pkgs.git-upstream.aarch64-linux

A shortcut for `git push --set-upstream`

pkgs.git-upstream.x86_64-darwin

A shortcut for `git push --set-upstream`

pkgs.git-upstream.aarch64-darwin

A shortcut for `git push --set-upstream`
Package maintainers: 3
CVE-2025-49964
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 week ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk removed
    6 packages (all pkgs.emacsPackages.org-cliplink 20201126.1020)
  • @fricklerhandwerk dismissed
WordPress ClipLink plugin <= 1.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in indgeek ClipLink allows Cross Site Request Forgery. This issue affects ClipLink: from n/a through 1.1.

cliplink
=<1.1
CVE-2025-3931
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Yggdrasil: local privilege escalation in yggdrasil

A flaw was found in Yggdrasil, which acts as a system broker that lets processes communicate with its child "worker" processes through the DBus component. Yggdrasil exposes a DBus method to dispatch messages to workers, but this method lacks authentication and authorization checks, so any system user can call it. One available Yggdrasil worker acts as a package manager with the capability to create and enable new repositories and to install or remove packages. This flaw allows an attacker with access to the system to leverage the missing authentication on the dispatch method to force the Yggdrasil worker to install arbitrary RPM packages. The result is local privilege escalation, enabling the attacker to access and modify sensitive system data.

yggdrasil
*
rhc-worker-playbook

pkgs.yggdrasil.x86_64-linux

An experiment in scalable routing as an encrypted IPv6 overlay network

pkgs.yggdrasil.aarch64-linux

An experiment in scalable routing as an encrypted IPv6 overlay network

pkgs.yggdrasil.x86_64-darwin

An experiment in scalable routing as an encrypted IPv6 overlay network

pkgs.yggdrasil.aarch64-darwin

An experiment in scalable routing as an encrypted IPv6 overlay network
Package maintainers: 4
CVE-2025-31846
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
WordPress Theater for WordPress plugin <= 0.18.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through 0.18.7.

theatre
=<0.18.7

pkgs.texlivePackages.theatre

A sophisticated package for typesetting stage plays

pkgs.haskellPackages.theatre.x86_64-linux

Minimalistic actor library

pkgs.texlivePackages.theatre.x86_64-linux

A sophisticated package for typesetting stage plays

pkgs.haskellPackages.theatre.aarch64-linux

Minimalistic actor library

pkgs.haskellPackages.theatre.x86_64-darwin

Minimalistic actor library

pkgs.haskellPackages.theatre.aarch64-darwin

Minimalistic actor library
CVE-2025-31538
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
WordPress Checklist plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in checklistcom Checklist allows Stored XSS. This issue affects Checklist: from n/a through 1.1.9.

checklist
=<1.1.9

pkgs.texlivePackages.checklistings

Pass verbatim contents through a compiler and reincorporate the resulting output

pkgs.texlivePackages.typed-checklist

Typesetting tasks, goals, milestones, artifacts, and more in LaTeX

pkgs.texlivePackages.checklistings.x86_64-linux

Pass verbatim contents through a compiler and reincorporate the resulting output

pkgs.texlivePackages.typed-checklist.x86_64-linux

Typesetting tasks, goals, milestones, artifacts, and more in LaTeX
CVE-2025-31549
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @Srylax accepted as draft
  • @Srylax marked as untriaged
  • @LeSuisse dismissed
WordPress Fusion plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion allows DOM-Based XSS. This issue affects Fusion: from n/a through 1.6.3.

fusion
=<1.6.3

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.lxgw-fusionkai.x86_64-linux

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.lxgw-fusionkai.aarch64-linux

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.lxgw-fusionkai.x86_64-darwin

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.lxgw-fusionkai.aarch64-darwin

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.python311Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.finalfusion-utils.x86_64-linux

Utility for converting, quantizing, and querying word embeddings

pkgs.finalfusion-utils.aarch64-linux

Utility for converting, quantizing, and querying word embeddings

pkgs.finalfusion-utils.x86_64-darwin

Utility for converting, quantizing, and querying word embeddings

pkgs.finalfusion-utils.aarch64-darwin

Utility for converting, quantizing, and querying word embeddings

pkgs.vimPlugins.nvim-treesitter-parsers.fusion

  • nixos-24.05 ???
    • nixpkgs-24.05-darwin
  • nixos-24.11 ???
    • nixpkgs-24.11-darwin
  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable

pkgs.haskellPackages.fusion-plugin.x86_64-linux

GHC plugin to make stream fusion more predictable

pkgs.python311Packages.finalfusion.x86_64-linux

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.finalfusion.x86_64-linux

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.haskellPackages.fusion-plugin.aarch64-linux

GHC plugin to make stream fusion more predictable

pkgs.haskellPackages.fusion-plugin.x86_64-darwin

GHC plugin to make stream fusion more predictable

pkgs.python311Packages.finalfusion.aarch64-linux

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python311Packages.finalfusion.x86_64-darwin

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.finalfusion.aarch64-linux

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.finalfusion.x86_64-darwin

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.haskellPackages.fusion-plugin.aarch64-darwin

GHC plugin to make stream fusion more predictable

pkgs.python311Packages.finalfusion.aarch64-darwin

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.finalfusion.aarch64-darwin

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.haskellPackages.fusion-plugin-types.x86_64-linux

Types for the fusion-plugin package

pkgs.haskellPackages.fusion-plugin-types.aarch64-linux

Types for the fusion-plugin package

pkgs.haskellPackages.fusion-plugin-types.x86_64-darwin

Types for the fusion-plugin package

pkgs.haskellPackages.fusion-plugin-types.aarch64-darwin

Types for the fusion-plugin package

pkgs.vimPlugins.nvim-treesitter-parsers.fusion.x86_64-linux

  • nixos-24.05 ???
    • nixos-24.05-small
  • nixos-24.11 ???
    • nixos-24.11-small
  • nixos-unstable ???

pkgs.vimPlugins.nvim-treesitter-parsers.fusion.aarch64-linux

  • nixos-24.05 ???
    • nixos-24.05-small
  • nixos-24.11 ???
    • nixos-24.11-small
  • nixos-unstable ???

pkgs.vimPlugins.nvim-treesitter-parsers.fusion.x86_64-darwin

  • nixos-24.05 ???
    • nixos-24.05-small
  • nixos-24.11 ???
    • nixos-24.11-small
  • nixos-unstable ???

pkgs.vimPlugins.nvim-treesitter-parsers.fusion.aarch64-darwin

  • nixos-24.05 ???
    • nixos-24.05-small
  • nixos-24.11 ???
    • nixos-24.11-small
  • nixos-unstable ???
Package maintainers: 4
CVE-2025-3155
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Yelp: arbitrary file read

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

yelp
<42.2-8
*
yelp-xsl
*

pkgs.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook

pkgs.yelp-tools

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

pkgs.gnome.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook

pkgs.yelp.x86_64-linux

Help viewer in Gnome

pkgs.yelp.aarch64-linux

Help viewer in Gnome

pkgs.yelp-xsl.x86_64-linux

Yelp's universal stylesheets for Mallard and DocBook

pkgs.yelp-xsl.aarch64-linux

Yelp's universal stylesheets for Mallard and DocBook

pkgs.yelp-xsl.x86_64-darwin

Yelp's universal stylesheets for Mallard and DocBook

pkgs.gnome.yelp.x86_64-linux

Help viewer in Gnome

pkgs.yelp-tools.x86_64-linux

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

pkgs.yelp-xsl.aarch64-darwin

Yelp's universal stylesheets for Mallard and DocBook

pkgs.gnome.yelp.aarch64-linux

Help viewer in Gnome

pkgs.yelp-tools.aarch64-linux

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

pkgs.yelp-tools.x86_64-darwin

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

pkgs.yelp-tools.aarch64-darwin

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

pkgs.gnome.yelp-xsl.x86_64-linux

Yelp's universal stylesheets for Mallard and DocBook

pkgs.gnome.yelp-xsl.aarch64-linux

Yelp's universal stylesheets for Mallard and DocBook

pkgs.gnome.yelp-xsl.x86_64-darwin

Yelp's universal stylesheets for Mallard and DocBook

pkgs.gnome.yelp-xsl.aarch64-darwin

Yelp's universal stylesheets for Mallard and DocBook
Package maintainers: 5
CVE-2025-30596
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
WordPress include-file <= 1 - Arbitrary File Download Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound include-file allows Path Traversal. This issue affects include-file: from n/a through 1.

include-file
=<1

pkgs.haskellPackages.include-file.x86_64-linux

Inclusion of files in executables at compile-time

pkgs.haskellPackages.include-file.aarch64-linux

Inclusion of files in executables at compile-time

pkgs.haskellPackages.include-file.x86_64-darwin

Inclusion of files in executables at compile-time

pkgs.haskellPackages.include-file.aarch64-darwin

Inclusion of files in executables at compile-time
CVE-2025-32250
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
WordPress Rollbar plugin <= 2.7.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in rollbar Rollbar allows Cross Site Request Forgery. This issue affects Rollbar: from n/a through 2.7.1.

rollbar
=<2.7.1

pkgs.python311Packages.rollbar

Error tracking and logging from Python to Rollbar

pkgs.haskellPackages.rollbar.x86_64-linux

error tracking through rollbar.com

pkgs.haskellPackages.rollbar.aarch64-linux

error tracking through rollbar.com

pkgs.haskellPackages.rollbar.x86_64-darwin

error tracking through rollbar.com

pkgs.haskellPackages.rollbar.aarch64-darwin

error tracking through rollbar.com

pkgs.python311Packages.rollbar.x86_64-linux

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.x86_64-linux

Error tracking and logging from Python to Rollbar

pkgs.python311Packages.rollbar.aarch64-linux

Error tracking and logging from Python to Rollbar

pkgs.python311Packages.rollbar.x86_64-darwin

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.aarch64-linux

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.x86_64-darwin

Error tracking and logging from Python to Rollbar

pkgs.python311Packages.rollbar.aarch64-darwin

Error tracking and logging from Python to Rollbar

pkgs.python312Packages.rollbar.aarch64-darwin

Error tracking and logging from Python to Rollbar
CVE-2025-32272
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
WordPress Wishlist Plugin <= 1.0.44 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in PickPlugins Wishlist allows Cross Site Request Forgery. This issue affects Wishlist: from n/a through 1.0.44.

wishlist
=<1.0.44

pkgs.wishlist.x86_64-linux

Single entrypoint for multiple SSH endpoints

pkgs.wishlist.aarch64-linux

Single entrypoint for multiple SSH endpoints

pkgs.wishlist.x86_64-darwin

Single entrypoint for multiple SSH endpoints

pkgs.wishlist.aarch64-darwin

Single entrypoint for multiple SSH endpoints
Package maintainers: 2