Dismissed suggestions

These automatic suggestions were dismissed after initial triaging. Restore to select a suggestion for a revision.

CVE-2025-52799 7.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 16 packages lms flmsg helmsman lmstudio python312Packages.calmsize python313Packages.calmsize python312Packages.dlms-cosem python313Packages.dlms-cosem python312Packages.llama-index-llms-ollama python312Packages.llama-index-llms-openai python313Packages.llama-index-llms-ollama python313Packages.llama-index-llms-openai python312Packages.llama-index-llms-openai-like python313Packages.llama-index-llms-openai-like python312Packages.llama-index-multi-modal-llms-openai python313Packages.llama-index-multi-modal-llms-openai 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress LMS theme <= 9.1 - Cross Site Scripting (XSS) Vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes LMS allows Reflected XSS. This issue affects LMS: from n/a through 9.1. lms =<9.1 Package maintainers: 7 @fabaff Fabian Affolter <mail@fabian-affolter.ch> @jherland Johan Herland <johan@herland.net> @dysinger Tim Dysinger <tim@dysinger.net> @sarcasticadmin Robert James Hernandez <rob@sarcasticadmin.com> @Lynty Lynn Dong <ltdong93+nix@gmail.com> @mksafavi MK Safavi <mksafavi@gmail.com> @crertel Chris Ertel <chris@kedagital.com>
CVE-2025-52833 9.3 CRITICAL CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): NONE Scope (S): CHANGED Confidentiality impact (C): HIGH Integrity impact (I): NONE Availability impact (A): LOW updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 16 packages lms flmsg helmsman lmstudio python312Packages.calmsize python313Packages.calmsize python312Packages.dlms-cosem python313Packages.dlms-cosem python312Packages.llama-index-llms-ollama python312Packages.llama-index-llms-openai python313Packages.llama-index-llms-ollama python313Packages.llama-index-llms-openai python312Packages.llama-index-llms-openai-like python313Packages.llama-index-llms-openai-like python312Packages.llama-index-multi-modal-llms-openai python313Packages.llama-index-multi-modal-llms-openai 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress LMS <= 9.1 - SQL Injection Vulnerability Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1. lms =<9.1 Package maintainers: 7 @fabaff Fabian Affolter <mail@fabian-affolter.ch> @jherland Johan Herland <johan@herland.net> @dysinger Tim Dysinger <tim@dysinger.net> @sarcasticadmin Robert James Hernandez <rob@sarcasticadmin.com> @Lynty Lynn Dong <ltdong93+nix@gmail.com> @mksafavi MK Safavi <mksafavi@gmail.com> @crertel Chris Ertel <chris@kedagital.com>
CVE-2025-52718 7.2 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): NONE Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): NONE updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 8 packages selendroid stalonetray art-standalone argp-standalone cbqn-standalone htmlunit-driver cbqn-standalone-replxx selenium-server-standalone 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress Alone <= 7.8.2 - Arbitrary Code Execution Vulnerability Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2. alone =<7.8.2 Package maintainers: 9 @onny Jonas Heinrich <onny@project-insanity.org> @coreyoconnor Corey O'Connor <coreyoconnor@gmail.com> @offlinehacker Jaka Hudoklin <jaka@x-truder.net> @Amar1729 Amar Paul <amar.paul16@gmail.com> @Detegr Antti Keränen <detegr@rbx.email> @shnarazk Narazaki Shuji <shujinarazaki@protonmail.com> @sternenseemann Lukas Epple <sternenseemann@systemli.org> @Synthetica9 Patrick Hilhorst <nix@hilhorst.be> @7c6f434c Michael Raskin <7c6f434c@mail.ru>
CVE-2025-6505 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 45 packages perlPackages.NetServer perl538Packages.NetServer perl540Packages.NetServer perlPackages.NetLDAPServer perlPackages.NetServerCoro perlPackages.ServerStarter perl538Packages.NetLDAPServer perl538Packages.NetServerCoro perl538Packages.ServerStarter perl540Packages.NetLDAPServer perl540Packages.NetServerCoro perl540Packages.ServerStarter perlPackages.HTTPServerSimple perlPackages.NetLDAPServerTest perlPackages.NetAsyncHTTPServer perlPackages.NetServerSSPrefork perlPackages.PerlLanguageServer perl538Packages.HTTPServerSimple perl540Packages.HTTPServerSimple perl538Packages.NetLDAPServerTest perl540Packages.NetLDAPServerTest perlPackages.HTTPServerSimplePSGI perlPackages.TestHTTPServerSimple perl538Packages.NetAsyncHTTPServer perl538Packages.NetServerSSPrefork perl538Packages.PerlLanguageServer perl540Packages.NetAsyncHTTPServer perl540Packages.NetServerSSPrefork perl540Packages.PerlLanguageServer perlPackages.HTTPServerSimpleMason perlPackages.HTTPServerSimpleAuthen perl538Packages.HTTPServerSimplePSGI perl538Packages.TestHTTPServerSimple perl538Packages.HTTPServerSimpleAuthen perl540Packages.HTTPServerSimpleMason perl538Packages.HTTPServerSimpleMason perlPackages.PlackTestExternalServer perl540Packages.TestHTTPServerSimple perl540Packages.HTTPServerSimplePSGI perl540Packages.HTTPServerSimpleAuthen perl538Packages.PlackTestExternalServer perl540Packages.PlackTestExternalServer perlPackages.CatalystXScriptServerStarman perl538Packages.CatalystXScriptServerStarman perl540Packages.CatalystXScriptServerStarman 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago 
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and … Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters. Server =<4.6.2.3226 Package maintainers: 1 @anoadragon453 Andrew Morgan <andrew@amorgan.xyz>
CVE-2025-47444 7.5 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): NONE Availability impact (A): NONE updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed package filegive 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data. This issue affects GiveWP: from n/a before 4.6.1. give <4.6.1
CVE-2025-54689 8.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): UNCHANGED Confidentiality impact (C): HIGH Integrity impact (I): HIGH Availability impact (A): HIGH updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 30 packages furnace xournalpp journalist lazyjournal qjournalctl tui-journal journalwatch annapurna-sil journaldriver systemd-journal2gelf kdePackages.kjournald perlPackages.LogJournald perl538Packages.LogJournald perl540Packages.LogJournald python312Packages.swh-journal python313Packages.swh-journal python312Packages.waterfurnace python313Packages.waterfurnace haskellPackages.journalctl-stream haskellPackages.libsystemd-journal python312Packages.logging-journald python313Packages.logging-journald haskellPackages.logging-facade-journald typstPackages.starter-journal-article_0_1_1 typstPackages.starter-journal-article_0_2_0 typstPackages.starter-journal-article_0_3_0 typstPackages.starter-journal-article_0_3_1 typstPackages.starter-journal-article_0_3_2 typstPackages.starter-journal-article_0_3_3 typstPackages.starter-journal-article_0_4_0 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress Urna Theme <= 2.5.7 - Local File Inclusion Vulnerability Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7. 
urna =<2.5.7 Package maintainers: 20 @Moraxyc Moraxyc Xu <i@qaq.li> @fabaff Fabian Affolter <mail@fabian-affolter.ch> @florianjacob Florian Jacob <projects+nixos@florianjacob.de> @pluiedev Leah Amelia Chen <hi@pluie.me> @cherrypiejam Gongqi Huang @romildo José Romildo Malaquias <malaquias@gmail.com> @tazjin Vincent Ambo <mail@tazj.in> @fadenb Tristan Helmich <tristan.helmich+nixos@gmail.com> @fpletz Franz Pletz <fpletz@fnordicwalking.de> @kmein Kierán Meinhardt <kmein@posteo.de> @OPNA2608 Cosima Neidahl <opna2608@protonmail.com> @ttuegel Thomas Tuegel <ttuegel@mailbox.org> @mjm Matt Moriarity <matt@mattmoriarity.com> @K900 Ilya K. <me@0upti.me> @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru> @NickCao Nick Cao <nickcao@nichi.co> @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev> @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com> @sikmir Nikolay Korotkiy <sikmir@disroot.org> @figsoda figsoda <figsoda@pm.me>
CVE-2025-54671 4.3 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): REQUIRED Scope (S): UNCHANGED Confidentiality impact (C): NONE Integrity impact (I): LOW Availability impact (A): NONE updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed package libvoikko 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress oik Plugin plugin <= 4.15.2 - Cross Site Request Forgery (CSRF) Vulnerability Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2. oik =<4.15.2 Package maintainers: 1 @Lurkki14 Jussi Kuokkanen <jussi.kuokkanen@protonmail.com>
CVE-2025-54019 6.5 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): HIGH Privileges required (PR): NONE User interaction (UI): NONE Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 8 packages selendroid stalonetray art-standalone argp-standalone cbqn-standalone htmlunit-driver cbqn-standalone-replxx selenium-server-standalone 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a. alone <7.8.5 Package maintainers: 9 @7c6f434c Michael Raskin <7c6f434c@mail.ru> @onny Jonas Heinrich <onny@project-insanity.org> @coreyoconnor Corey O'Connor <coreyoconnor@gmail.com> @offlinehacker Jaka Hudoklin <jaka@x-truder.net> @Amar1729 Amar Paul <amar.paul16@gmail.com> @Detegr Antti Keränen <detegr@rbx.email> @shnarazk Narazaki Shuji <shujinarazaki@protonmail.com> @sternenseemann Lukas Epple <sternenseemann@systemli.org> @Synthetica9 Patrick Hilhorst <nix@hilhorst.be>
CVE-2025-54670 7.1 HIGH CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): NONE User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed package libvoikko 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2. oik =<4.15.2 Package maintainers: 1 @Lurkki14 Jussi Kuokkanen <jussi.kuokkanen@protonmail.com>
CVE-2025-57890 5.9 MEDIUM CVSS version: 3.1 Attack vector (AV): NETWORK Attack complexity (AC): LOW Privileges required (PR): HIGH User interaction (UI): REQUIRED Scope (S): CHANGED Confidentiality impact (C): LOW Integrity impact (I): LOW Availability impact (A): LOW updated 5 days, 10 hours ago by @LeSuisse Activity log Created automatic suggestion 1 month, 2 weeks ago @LeSuisse removed 3 packages haskellPackages.simple-sessions python312Packages.langchain-azure-dynamic-sessions python313Packages.langchain-azure-dynamic-sessions 5 days, 10 hours ago @LeSuisse dismissed 5 days, 10 hours ago WordPress Sessions Plugin <= 3.2.0 - Cross Site Scripting (XSS) Vulnerability Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy Sessions allows Stored XSS. This issue affects Sessions: from n/a through 3.2.0. sessions =<3.2.0 Package maintainers: 2 @sarahec Sarah Clark <seclark@nextquestion.net> @natsukium Tomoya Otabi <nixpkgs@natsukium.com>