CVE-2026-23724 (updated 4 days, 16 hours ago by @LeSuisse)
Activity log:
  - Created automatic suggestion (5 days ago)
  - @LeSuisse removed 3 packages: perlPackages.SnowballNorwegian, perl538Packages.SnowballNorwegian, perl540Packages.SnowballNorwegian (4 days, 16 hours ago)
  - @LeSuisse dismissed (4 days, 16 hours ago)
Title: WeGIA Stored Cross-Site Scripting (XSS) – atendido_idatendido Parameter on Occurrence Registration Page
Description: WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the "Atendido" selection dropdown. This vulnerability is fixed in 3.6.2.
Affected products: WeGIA < 3.6.2
Matching in nixpkgs: none listed
CVE-2026-0695 (updated 4 days, 16 hours ago by @LeSuisse)
Activity log:
  - Created automatic suggestion (5 days ago)
  - @LeSuisse removed 23 packages: mopsa, sipsak, sharpsat-td, purescript-psa, svndumpsanitizer, phpPackages.psalm, ocamlPackages.mopsa, php82Packages.psalm, php83Packages.psalm, php84Packages.psalm, haskellPackages.cpsa, python312Packages.tapsaff, python313Packages.tapsaff, nodePackages.purescript-psa, python312Packages.markupsafe, python312Packages.psautohint, terraform-providers.vpsfreecz_vpsadmin, python313Packages.types-markupsafe, python312Packages.types-markupsafe, nodePackages_latest.purescript-psa, terraform-providers.vpsadmin, python313Packages.psautohint, python313Packages.markupsafe (4 days, 16 hours ago)
  - @LeSuisse dismissed (4 days, 16 hours ago)
Title: Stored XSS in Time Entry Audit Trail
Description: In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user's browser when the affected content is displayed.
Affected products: PSA, all versions prior to 2026.1
Matching in nixpkgs: none listed
Package maintainers: 13
  - @vbgl Vincent Laporte <Vincent.Laporte@gmail.com>
  - @piotrkwiecinski Piotr Kwiecinski <piokwiecinski+nixpkgs@gmail.com>
  - @Ma27 Maximilian Bosch <maximilian@mbosch.me>
  - @aanderse Aaron Andersen <aaron@fosslib.net>
  - @talyz Kim Lindberger <kim.lindberger@gmail.com>
  - @domenkozar Domen Kozar <domen@dev.si>
  - @sternenseemann Lukas Epple <sternenseemann@systemli.org>
  - @nim65s Guilhem Saurel <guilhem.saurel@laas.fr>
  - @risicle Robert Scott <code@humanleg.org.uk>
  - @sheenobu Sheena Artrip <sheena.artrip@gmail.com>
  - @lafrenierejm Joseph LaFreniere <joseph@lafreniere.xyz>
  - @patka-123 patka <patka@patka.dev>
  - @JamieMagee Jamie Magee <jamie.magee@gmail.com>
CVE-2025-14242 (updated 5 days, 7 hours ago by @LeSuisse)
Activity log:
  - Created automatic suggestion (1 week ago)
  - @LeSuisse dismissed (5 days, 7 hours ago)
Title: Vsftpd: vsftpd: denial of service via integer overflow in ls command parameter parsing
Description: A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
Affected products: vsftpd * (all versions)
Matching in nixpkgs:
  pkgs.vsftpd (Very secure FTP daemon): nixos-unstable 3.0.5, nixpkgs-unstable 3.0.5, nixos-unstable-small 3.0.5, nixos-25.05 3.0.5, nixos-25.05-small 3.0.5, nixpkgs-25.05-darwin 3.0.5
Package maintainers: 1
  - @peterhoeg Peter Hoeg <peter@hoeg.com>
CVE-2025-59029 (updated 1 week, 1 day ago by @LeSuisse)
Activity log:
  - Created automatic suggestion (1 week, 5 days ago)
  - @LeSuisse dismissed (1 week, 1 day ago)
Title: Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor
Description: An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.
Affected products: pdns-recursor < 5.3.2
Matching in nixpkgs:
  pkgs.pdns-recursor (Recursive DNS server): nixos-unstable 5.2.6, nixpkgs-unstable 5.2.6, nixos-unstable-small 5.2.6, nixos-25.11 5.2.6, nixos-25.11-small 5.2.6, nixpkgs-25.11-darwin 5.2.6, nixos-25.05 5.2.6, nixos-25.05-small 5.2.6, nixpkgs-25.05-darwin 5.2.6
Package maintainers: 1
  - @rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>
CVE-2025-62762 (updated 1 week, 3 days ago by @SigmaSquadron)
Activity log:
  - Created automatic suggestion (1 week, 5 days ago)
  - @SigmaSquadron removed package haskellPackages.smtp-mail (1 week, 3 days ago)
  - @SigmaSquadron removed maintainer @mpscholten (1 week, 3 days ago)
  - @SigmaSquadron accepted as draft (1 week, 3 days ago)
  - @SigmaSquadron dismissed (1 week, 3 days ago)
Title: WordPress SMTP Mail plugin <= 1.3.47 - Cross Site Request Forgery (CSRF) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.47.
Affected products: smtp-mail <= 1.3.47
Matching in nixpkgs: none listed
CVE-2025-67467 (updated 1 week, 3 days ago by @SigmaSquadron)
Activity log:
  - Created automatic suggestion (1 week, 5 days ago)
  - @SigmaSquadron dismissed (1 week, 3 days ago)
Title: WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1.
Affected products: give <= 4.13.1
Matching in nixpkgs:
  pkgs.filegive (Easy p2p file sending program): nixos-unstable 2022-05-29, nixpkgs-unstable 2022-05-29, nixos-unstable-small 2022-05-29, nixos-25.11 2022-05-29, nixos-25.11-small 2022-05-29, nixpkgs-25.11-darwin 2022-05-29, nixos-25.05 2022-05-29, nixos-25.05-small 2022-05-29, nixpkgs-25.05-darwin 2022-05-29
CVE-2025-66527 (updated 1 week, 3 days ago by @SigmaSquadron)
Activity log:
  - Created automatic suggestion (1 week, 5 days ago)
  - @SigmaSquadron dismissed (1 week, 3 days ago)
Title: WordPress Lobo theme <= 2.8.6 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6.
Affected products: lobo <= 2.8.6
Matching in nixpkgs:
  pkgs.colobot (Real-time strategy game with programmable bots): nixos-unstable 0.2.2-alpha, nixpkgs-unstable 0.2.2-alpha, nixos-unstable-small 0.2.2-alpha, nixos-25.11 0.2.2-alpha, nixos-25.11-small 0.2.2-alpha, nixpkgs-25.11-darwin 0.2.2-alpha, nixos-25.05 0.2.2-alpha, nixos-25.05-small 0.2.2-alpha, nixpkgs-25.05-darwin 0.2.2-alpha
Package maintainers: 1
  - @freezeboy freezeboy
CVE-2025-58936 (updated 1 week, 3 days ago by @LeSuisse)
Activity log:
  - Created automatic suggestion (1 week, 5 days ago)
  - @LeSuisse removed package catamaran (1 week, 3 days ago)
  - @LeSuisse dismissed (1 week, 3 days ago)
Title: WordPress Catamaran theme <= 1.15 - Local File Inclusion vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion. This issue affects Catamaran: from n/a through <= 1.15.
Affected products: catamaran <= 1.15
Matching in nixpkgs: none listed
CVE-2025-58929 (updated 1 week, 3 days ago by @LeSuisse)
Activity log:
  - Created automatic suggestion (1 week, 5 days ago)
  - @LeSuisse removed package haskellPackages.pantry (1 week, 3 days ago)
  - @LeSuisse dismissed (1 week, 3 days ago)
Title: WordPress Pantry theme <= 1.4 - Local File Inclusion vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion. This issue affects Pantry: from n/a through <= 1.4.
Affected products: pantry <= 1.4
Matching in nixpkgs: none listed
CVE-2025-60061 (updated 1 week, 3 days ago by @LeSuisse)
Activity log:
  - Created automatic suggestion (1 week, 5 days ago)
  - @LeSuisse removed package elfkickers (1 week, 3 days ago)
  - @LeSuisse dismissed (1 week, 3 days ago)
Title: WordPress Kicker theme <= 2.2.0 - Local File Inclusion vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Kicker kicker allows PHP Local File Inclusion. This issue affects Kicker: from n/a through <= 2.2.0.
Affected products: kicker <= 2.2.0
Matching in nixpkgs: none listed