Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for a revision.

CVE-2025-49974
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    3 packages
    • git-upstream
    • lomiri.qtmir
    • tests.haskell.upstreamStackHpackVersion
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.

Affected products

upstream
  • =<2.1.0

Matching in nixpkgs

CVE-2025-53338
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    23 packages
    • replace
    • fireplace
    • qsreplace
    • replacement
    • replace-secret
    • haskellPackages.replace-attoparsec
    • haskellPackages.replace-megaparsec
    • haskellPackages.text-regex-replace
    • tests.substitute.legacySingleReplace
    • tests.replaceVars.replaceVars.succeeds
    • tests.replaceVars.replaceVarsWith.succeeds
    • tests.replaceVars.replaceVars.fails-on-directory
    • tests.replaceVars.replaceVars.fails-in-build-phase
    • tests.replaceVars.replaceVars.fails-in-check-phase
    • tests.replaceVars.replaceVarsWith.fails-on-directory
    • tests.replaceVars.replaceVars.succeeds-with-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-build-phase
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase
    • tests.replaceVars.replaceVarsWith.succeeds-with-exemption
    • tests.replaceVars.replaceVars.fails-in-check-phase-with-exemption
    • tests.replaceVars.replaceVars.fails-in-check-phase-with-bad-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-bad-exemption
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress re.place plugin <= 0.2.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1.

Affected products

replace
  • =<0.2.1

Matching in nixpkgs

CVE-2025-52826
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    4 packages
    • python312Packages.datasalad
    • python313Packages.datasalad
    • python312Packages.schema-salad
    • python313Packages.schema-salad
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Sala theme <= 1.1.3 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.

Affected products

sala
  • =<1.1.3

Matching in nixpkgs

CVE-2025-31428
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    11 packages
    • hydrogen
    • hydroxide
    • libhydrogen
    • tau-hydrogen
    • fishPlugins.hydro
    • hydrogen-web-unwrapped
    • python312Packages.hydrogram
    • python313Packages.hydrogram
    • haskellPackages.hydrogen-version
    • python312Packages.swisshydrodata
    • python313Packages.swisshydrodata
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress HYDRO theme <= 2.8 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddhaThemes HYDRO allows Reflected XSS. This issue affects HYDRO: from n/a through 2.8.

Affected products

hydro
  • =<2.8

Matching in nixpkgs

CVE-2025-53200
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed package gnomeExtensions.penguin-ai-chatbot 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress ChatBot plugin <= 6.7.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through 6.7.3.

Affected products

chatbot
  • =<6.7.3

Matching in nixpkgs

CVE-2025-52799
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    16 packages
    • lms
    • flmsg
    • helmsman
    • lmstudio
    • python312Packages.calmsize
    • python313Packages.calmsize
    • python312Packages.dlms-cosem
    • python313Packages.dlms-cosem
    • python312Packages.llama-index-llms-ollama
    • python312Packages.llama-index-llms-openai
    • python313Packages.llama-index-llms-ollama
    • python313Packages.llama-index-llms-openai
    • python312Packages.llama-index-llms-openai-like
    • python313Packages.llama-index-llms-openai-like
    • python312Packages.llama-index-multi-modal-llms-openai
    • python313Packages.llama-index-multi-modal-llms-openai
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress LMS theme <= 9.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes LMS allows Reflected XSS. This issue affects LMS: from n/a through 9.1.

Affected products

lms
  • =<9.1

Matching in nixpkgs

CVE-2025-52833
9.3 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    16 packages
    • lms
    • flmsg
    • helmsman
    • lmstudio
    • python312Packages.calmsize
    • python313Packages.calmsize
    • python312Packages.dlms-cosem
    • python313Packages.dlms-cosem
    • python312Packages.llama-index-llms-ollama
    • python312Packages.llama-index-llms-openai
    • python313Packages.llama-index-llms-ollama
    • python313Packages.llama-index-llms-openai
    • python312Packages.llama-index-llms-openai-like
    • python313Packages.llama-index-llms-openai-like
    • python312Packages.llama-index-multi-modal-llms-openai
    • python313Packages.llama-index-multi-modal-llms-openai
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress LMS <= 9.1 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1.

Affected products

lms
  • =<9.1

Matching in nixpkgs

CVE-2025-52718
7.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    8 packages
    • selendroid
    • stalonetray
    • art-standalone
    • argp-standalone
    • cbqn-standalone
    • htmlunit-driver
    • cbqn-standalone-replxx
    • selenium-server-standalone
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Alone <= 7.8.2 - Arbitrary Code Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2.

Affected products

alone
  • =<7.8.2

Matching in nixpkgs

CVE-2025-6505
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    45 packages
    • perlPackages.NetServer
    • perl538Packages.NetServer
    • perl540Packages.NetServer
    • perlPackages.NetLDAPServer
    • perlPackages.NetServerCoro
    • perlPackages.ServerStarter
    • perl538Packages.NetLDAPServer
    • perl538Packages.NetServerCoro
    • perl538Packages.ServerStarter
    • perl540Packages.NetLDAPServer
    • perl540Packages.NetServerCoro
    • perl540Packages.ServerStarter
    • perlPackages.HTTPServerSimple
    • perlPackages.NetLDAPServerTest
    • perlPackages.NetAsyncHTTPServer
    • perlPackages.NetServerSSPrefork
    • perlPackages.PerlLanguageServer
    • perl538Packages.HTTPServerSimple
    • perl540Packages.HTTPServerSimple
    • perl538Packages.NetLDAPServerTest
    • perl540Packages.NetLDAPServerTest
    • perlPackages.HTTPServerSimplePSGI
    • perlPackages.TestHTTPServerSimple
    • perl538Packages.NetAsyncHTTPServer
    • perl538Packages.NetServerSSPrefork
    • perl538Packages.PerlLanguageServer
    • perl540Packages.NetAsyncHTTPServer
    • perl540Packages.NetServerSSPrefork
    • perl540Packages.PerlLanguageServer
    • perlPackages.HTTPServerSimpleMason
    • perlPackages.HTTPServerSimpleAuthen
    • perl538Packages.HTTPServerSimplePSGI
    • perl538Packages.TestHTTPServerSimple
    • perl538Packages.HTTPServerSimpleAuthen
    • perl540Packages.HTTPServerSimpleMason
    • perl538Packages.HTTPServerSimpleMason
    • perlPackages.PlackTestExternalServer
    • perl540Packages.TestHTTPServerSimple
    • perl540Packages.HTTPServerSimplePSGI
    • perl540Packages.HTTPServerSimpleAuthen
    • perl538Packages.PlackTestExternalServer
    • perl540Packages.PlackTestExternalServer
    • perlPackages.CatalystXScriptServerStarman
    • perl538Packages.CatalystXScriptServerStarman
    • perl540Packages.CatalystXScriptServerStarman
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and …

Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.  When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.

Affected products

Server
  • =<4.6.2.3226

Matching in nixpkgs

CVE-2025-47444
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed package filegive 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure

Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1.

Affected products

give
  • <4.6.1

Matching in nixpkgs