⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

Restore to select a suggestion for a revision.

CVE-2025-3931
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 6 days, 6 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse dismissed 6 days, 6 hours ago
Yggdrasil: local privilege escalation in yggdrasil

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data.

yggdrasil
*

pkgs.yggdrasil.x86_64-linux

An experiment in scalable routing as an encrypted IPv6 overlay network

pkgs.yggdrasil.aarch64-linux

An experiment in scalable routing as an encrypted IPv6 overlay network

pkgs.yggdrasil.x86_64-darwin

An experiment in scalable routing as an encrypted IPv6 overlay network

pkgs.yggdrasil.aarch64-darwin

An experiment in scalable routing as an encrypted IPv6 overlay network
CVE-2025-31846
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress Theater for WordPress plugin <= 0.18.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through 0.18.7.

theatre
=<0.18.7

pkgs.texlivePackages.theatre

A sophisticated package for typesetting stage plays
CVE-2025-31538
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress Checklist plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in checklistcom Checklist allows Stored XSS. This issue affects Checklist: from n/a through 1.1.9.

checklist
=<1.1.9

pkgs.texlivePackages.checklistings

Pass verbatim contents through a compiler and reincorporate the resulting output

pkgs.texlivePackages.typed-checklist

Typesetting tasks, goals, milestones, artifacts, and more in LaTeX
CVE-2025-31549
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 3 weeks ago
  • @Srylax accepted as draft 1 month, 3 weeks ago
  • @Srylax marked as untriaged 1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress Fusion plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion allows DOM-Based XSS. This issue affects Fusion: from n/a through 1.6.3.

fusion
=<1.6.3

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.python311Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.vimPlugins.nvim-treesitter-parsers.fusion

  • nixos-24.05 ???
    • nixpkgs-24.05-darwin
    • nixos-24.05-small
  • nixos-24.11 ???
    • nixpkgs-24.11-darwin
    • nixos-24.11-small
  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable
CVE-2025-3155
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
Yelp: arbitrary file read

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

yelp

pkgs.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook

pkgs.yelp-tools

Small programs that help you create, edit, manage, and publish your Mallard or DocBook documentation

pkgs.gnome.yelp-xsl

Yelp's universal stylesheets for Mallard and DocBook
CVE-2025-30596
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress include-file <= 1 - Arbitrary File Download Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound include-file allows Path Traversal. This issue affects include-file: from n/a through 1.

include-file
=<1
CVE-2025-31827
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress Fonto plugin <= 1.2.2 - Arbitrary File Download vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto allows Path Traversal. This issue affects Fonto: from n/a through 1.2.2.

fonto
=<1.2.2

pkgs.texlivePackages.fontools

Tools to simplify using fonts (especially TT/OTF ones)
CVE-2025-31384
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress Videos plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This issue affects Videos: from n/a through 1.0.5.

videos
=<1.0.5
CVE-2025-32250
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress Rollbar plugin <= 2.7.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in rollbar Rollbar allows Cross Site Request Forgery. This issue affects Rollbar: from n/a through 2.7.1.

rollbar
=<2.7.1
CVE-2025-32272
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
WordPress Wishlist Plugin <= 1.0.44 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in PickPlugins Wishlist allows Cross Site Request Forgery. This issue affects Wishlist: from n/a through 1.0.44.

wishlist
=<1.0.44