Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 1 week, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package haskellPackages.convexHullNd
  • @LeSuisse dismissed
WordPress Convex theme <= 1.11 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex (convex) allows PHP Local File Inclusion. This issue affects Convex: from n/a through <= 1.11.

Affected products

convex
  • <= 1.11

Matching in nixpkgs

updated 1 week, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package strutcpp
  • @LeSuisse removed maintainer @SchweGELBin
  • @LeSuisse dismissed
Command execution in python-utcp allows attackers to achieve remote code execution when fetching a remote Manual from a malicious endpoint

The vulnerability arises when a client fetches a tool's JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the client's trust, a malicious provider can later change the manual to exploit the client.

Affected products

utcp
  • <1.1.0

Matching in nixpkgs

updated 1 week, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package haskellPackages.apportionment
  • @LeSuisse removed maintainer @thielema
  • @LeSuisse dismissed
Ubuntu Apport Insecure File Permissions Vulnerability

It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.

Affected products

apport
  • <2.33.0-0ubuntu1
  • <2.20.11-0ubuntu82.7
  • <2.20.9-0ubuntu7.29+esm1
  • <2.32.0-0ubuntu5.1
  • <2.28.1-0ubuntu3.6
  • <2.20.1-0ubuntu2.30+esm5
  • <2.20.11-0ubuntu27.28

Matching in nixpkgs

updated 1 week, 3 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse dismissed
Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Affected products

operator-sdk
  • <0.15.2
odf4/cephcsi-rhel9
  • *
odf4/mcg-cli-rhel9
  • *
odf4/odf-cli-rhel9
  • *
odf4/mcg-core-rhel9
  • *
odf4/odf-console-rhel9
  • *
odf4/mcg-rhel9-operator
  • *
odf4/ocs-rhel9-operator
  • *
odf4/odf-rhel9-operator
  • *
odf4/odr-rhel9-operator
  • *
odf4/odf-must-gather-rhel9
  • *
openshift4/cnf-tests-rhel8
openshift4/cnf-tests-rhel9
odf4/cephcsi-rhel9-operator
  • *
odf4/odf-cosi-sidecar-rhel9
  • *
odf4/ocs-client-console-rhel9
  • *
odf4/rook-ceph-rhel9-operator
  • *
rhacm2/rbac-query-proxy-rhel9
rhacm2/search-collector-rhel9
multicluster-engine/work-rhel8
multicluster-engine/work-rhel9
  • *
odf4/ocs-client-rhel9-operator
  • *
rhacm2/metrics-collector-rhel9
odf4/ocs-metrics-exporter-rhel9
  • *
apicurio/apicurio-registry-rhel8
  • *
apicurio/apicurio-studio-ui-rhel8
  • *
odf4/odf-csi-addons-sidecar-rhel9
  • *
odf4/odf-csi-addons-rhel9-operator
  • *
openshift4/ztp-site-generate-rhel8
rhacm2/iam-policy-controller-rhel9
apicurio/apicurio-registry-ui-rhel8
  • *
fuse7/fuse-apicurito-rhel8-operator
multicluster-engine/discovery-rhel8
multicluster-engine/discovery-rhel9
  • *
multicluster-engine/placement-rhel8
multicluster-engine/placement-rhel9
  • *
odf4/odf-multicluster-console-rhel9
  • *
rhacm2/acm-cluster-permission-rhel8
rhacm2/acm-cluster-permission-rhel9
  • *
rhacm2/cert-policy-controller-rhel9
odf4/odf-multicluster-rhel9-operator
  • *
rhacm2/cluster-backup-rhel9-operator
rhacm2/multicloud-integrations-rhel8
rhacm2/multicloud-integrations-rhel9
  • *
web-terminal/web-terminal-exec-rhel9
rhacm2/config-policy-controller-rhel9
rhacm2/grafana-dashboard-loader-rhel9
multicluster-engine/registration-rhel8
multicluster-engine/registration-rhel9
  • *
multicluster-engine/addon-manager-rhel8
multicluster-engine/addon-manager-rhel9
  • *
devworkspace/devworkspace-rhel8-operator
devworkspace/devworkspace-rhel9-operator
rhacm2/klusterlet-addon-controller-rhel8
rhacm2/klusterlet-addon-controller-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
apicurio/apicurio-registry-rhel8-operator
  • *
rhacm2/endpoint-monitoring-rhel9-operator
rhacm2/governance-policy-propagator-rhel9
openshift4/lifecycle-agent-operator-bundle
rhacm2/multicluster-operators-channel-rhel8
rhacm2/multicluster-operators-channel-rhel9
  • *
apicurio/apicurio-registry-3-operator-bundle
  • *
devworkspace/devworkspace-project-clone-rhel8
devworkspace/devworkspace-project-clone-rhel9
advanced-cluster-security/rhacs-rhel8-operator
compliance/openshift-compliance-rhel8-operator
  • *
container-native-virtualization/virt-api-rhel9
  • *
container-native-virtualization/pr-helper-rhel9
  • *
multicluster-engine/registration-operator-rhel8
multicluster-engine/registration-operator-rhel9
  • *
rhacm2/multicluster-operators-application-rhel8
rhacm2/multicluster-operators-application-rhel9
  • *
container-native-virtualization/aaq-server-rhel9
  • *
container-native-virtualization/virtio-win-rhel9
  • *
container-native-virtualization/wasp-agent-rhel9
  • *
rhacm2/multicluster-observability-rhel9-operator
rhacm2/multicluster-operators-subscription-rhel9
  • *
container-native-virtualization/kubemacpool-rhel9
  • *
compliance/openshift-file-integrity-rhel8-operator
  • *
container-native-virtualization/aaq-operator-rhel9
  • *
container-native-virtualization/sidecar-shim-rhel9
  • *
container-native-virtualization/virt-handler-rhel9
  • *
rhacm2/acm-governance-policy-framework-addon-rhel9
compliance/openshift-file-integrity-operator-bundle
container-native-virtualization/bridge-marker-rhel9
  • *
container-native-virtualization/virt-launcher-rhel9
  • *
container-native-virtualization/virt-operator-rhel9
  • *
multicluster-engine/hypershift-addon-rhel8-operator
multicluster-engine/hypershift-addon-rhel9-operator
container-native-virtualization/aaq-controller-rhel9
  • *
container-native-virtualization/ovs-cni-plugin-rhel9
  • *
container-native-virtualization/cnv-must-gather-rhel9
  • *
container-native-virtualization/virt-cdi-cloner-rhel9
  • *
container-native-virtualization/virt-controller-rhel9
  • *
container-native-virtualization/kubesecondarydns-rhel9
  • *
container-native-virtualization/libguestfs-tools-rhel9
  • *
container-native-virtualization/virt-exportproxy-rhel9
  • *
container-native-virtualization/vm-console-proxy-rhel9
  • *
container-native-virtualization/virt-cdi-importer-rhel9
  • *
container-native-virtualization/virt-cdi-operator-rhel9
  • *
container-native-virtualization/virt-exportserver-rhel9
  • *
container-native-virtualization/virt-cdi-apiserver-rhel9
  • *
multicluster-engine/clusterlifecycle-state-metrics-rhel8
multicluster-engine/clusterlifecycle-state-metrics-rhel9
  • *
container-native-virtualization/hco-bundle-registry-rhel9
  • *
container-native-virtualization/hostpath-csi-driver-rhel9
  • *
container-native-virtualization/virt-cdi-controller-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-agent-rhel9
container-native-virtualization/hostpath-provisioner-rhel9
  • *
container-native-virtualization/virt-cdi-uploadproxy-rhel9
  • *
multicluster-engine/managedcluster-import-controller-rhel8
multicluster-engine/managedcluster-import-controller-rhel9
  • *
container-native-virtualization/kubevirt-dpdk-checkup-rhel9
  • *
container-native-virtualization/kubevirt-ssp-operator-rhel9
  • *
container-native-virtualization/virt-artifacts-server-rhel9
  • *
container-native-virtualization/virt-cdi-uploadserver-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-manager-rhel9
openshift4/topology-aware-lifecycle-manager-operator-bundle
multicluster-globalhub/multicluster-globalhub-rhel9-operator
container-native-virtualization/kubevirt-console-plugin-rhel9
  • *
container-native-virtualization/multus-dynamic-networks-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-operator-bundle
container-native-virtualization/kubevirt-apiserver-proxy-rhel9
  • *
container-native-virtualization/kubevirt-ipam-controller-rhel9
  • *
container-native-virtualization/kubevirt-storage-checkup-rhel9
  • *
container-native-virtualization/cluster-network-addons-operator
container-native-virtualization/kubevirt-realtime-checkup-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm
container-native-virtualization/vm-network-latency-checkup-rhel9
  • *
container-native-virtualization/kubevirt-template-validator-rhel9
  • *
container-native-virtualization/hostpath-provisioner-operator-rhel9
  • *
container-native-virtualization/kubevirt-common-instancetypes-rhel9
  • *
container-native-virtualization/hyperconverged-cluster-webhook-rhel9
  • *
container-native-virtualization/cluster-network-addons-operator-rhel9
  • *
container-native-virtualization/cnv-containernetworking-plugins-rhel9
  • *
container-native-virtualization/hyperconverged-cluster-operator-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm-rhel9
container-native-virtualization/passt-network-binding-plugin-cni-rhel9
  • *
container-native-virtualization/kubevirt-api-lifecycle-automation-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status
container-native-virtualization/passt-network-binding-plugin-sidecar-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status-rhel9

Matching in nixpkgs

Package maintainers: 1

updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    2 packages
    • arcanechat-tui
    • deltachat-cursed
  • @LeSuisse dismissed
WordPress Arcane theme <= 3.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Skywarrior Arcane (arcane) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arcane: from n/a through <= 3.6.6.

Affected products

arcane
  • <= 3.6.6

Matching in nixpkgs

Package maintainers: 1

updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    2 packages
    • typstPackages.aoran
    • typstPackages.aoran_0_1_0
  • @LeSuisse dismissed
WordPress Aora theme <= 1.3.15 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora (aora) allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.

Affected products

aora
  • <= 1.3.15

Matching in nixpkgs

Package maintainers: 1

updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package haskellPackages.theatre-dev
  • @LeSuisse dismissed
WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress (theatre) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.19.

Affected products

theatre
  • <= 0.19

Matching in nixpkgs

updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package lomiri.lomiri-download-manager
  • @LeSuisse dismissed
WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager (download-manager) allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32.

Affected products

download-manager
  • <= 3.3.32

Matching in nixpkgs

Package maintainers: 1

updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package media-downloader
  • @LeSuisse dismissed
WordPress Media Library File Download plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download (media-download) allows Cross Site Request Forgery. This issue affects Media Library File Download: from n/a through <= 1.4.

Affected products

media-download
  • <= 1.4

Matching in nixpkgs

Package maintainers: 2

updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package filegive
  • @LeSuisse dismissed
WordPress GiveWP plugin <= 4.13.1 - Arbitrary Shortcode Execution vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP (give) allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1.

Affected products

give
  • <= 4.13.1

Matching in nixpkgs