CVE-2025-54689 | 8.1 HIGH | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): HIGH | Privileges required (PR): NONE | User interaction (UI): NONE | Scope (S): UNCHANGED | Confidentiality impact (C): HIGH | Integrity impact (I): HIGH | Availability impact (A): HIGH
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 30 packages 1 month, 3 weeks ago: furnace, xournalpp, journalist, lazyjournal, qjournalctl, tui-journal, journalwatch, annapurna-sil, journaldriver, systemd-journal2gelf, kdePackages.kjournald, perlPackages.LogJournald, perl538Packages.LogJournald, perl540Packages.LogJournald, python312Packages.swh-journal, python313Packages.swh-journal, python312Packages.waterfurnace, python313Packages.waterfurnace, haskellPackages.journalctl-stream, haskellPackages.libsystemd-journal, python312Packages.logging-journald, python313Packages.logging-journald, haskellPackages.logging-facade-journald, typstPackages.starter-journal-article_0_1_1, typstPackages.starter-journal-article_0_2_0, typstPackages.starter-journal-article_0_3_0, typstPackages.starter-journal-article_0_3_1, typstPackages.starter-journal-article_0_3_2, typstPackages.starter-journal-article_0_3_3, typstPackages.starter-journal-article_0_4_0
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress Urna Theme <= 2.5.7 - Local File Inclusion Vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7.
Affected products: urna =<2.5.7
Matching in nixpkgs:
CVE-2025-54671 | 4.3 MEDIUM | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): NONE | User interaction (UI): REQUIRED | Scope (S): UNCHANGED | Confidentiality impact (C): NONE | Integrity impact (I): LOW | Availability impact (A): NONE
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed package libvoikko 1 month, 3 weeks ago
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress oik Plugin plugin <= 4.15.2 - Cross Site Request Forgery (CSRF) Vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2.
Affected products: oik =<4.15.2
Matching in nixpkgs:
CVE-2025-54019 | 6.5 MEDIUM | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): HIGH | Privileges required (PR): NONE | User interaction (UI): NONE | Scope (S): CHANGED | Confidentiality impact (C): LOW | Integrity impact (I): LOW | Availability impact (A): LOW
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 8 packages 1 month, 3 weeks ago: selendroid, stalonetray, art-standalone, argp-standalone, cbqn-standalone, htmlunit-driver, cbqn-standalone-replxx, selenium-server-standalone
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.
Affected products: alone <7.8.5
Matching in nixpkgs:
CVE-2025-54670 | 7.1 HIGH | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): NONE | User interaction (UI): REQUIRED | Scope (S): CHANGED | Confidentiality impact (C): LOW | Integrity impact (I): LOW | Availability impact (A): LOW
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed package libvoikko 1 month, 3 weeks ago
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.
Affected products: oik =<4.15.2
Matching in nixpkgs:
CVE-2025-57890 | 5.9 MEDIUM | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): HIGH | User interaction (UI): REQUIRED | Scope (S): CHANGED | Confidentiality impact (C): LOW | Integrity impact (I): LOW | Availability impact (A): LOW
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 3 packages 1 month, 3 weeks ago: haskellPackages.simple-sessions, python312Packages.langchain-azure-dynamic-sessions, python313Packages.langchain-azure-dynamic-sessions
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress Sessions Plugin <= 3.2.0 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy Sessions allows Stored XSS. This issue affects Sessions: from n/a through 3.2.0.
Affected products: sessions =<3.2.0
Matching in nixpkgs:
CVE-2025-58209 | 6.5 MEDIUM | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): LOW | User interaction (UI): REQUIRED | Scope (S): CHANGED | Confidentiality impact (C): LOW | Integrity impact (I): LOW | Availability impact (A): LOW
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 5 packages 1 month, 3 weeks ago: haskellPackages.amazonka-elastictranscoder, python312Packages.mypy-boto3-elastictranscoder, python313Packages.mypy-boto3-elastictranscoder, python312Packages.types-aiobotocore-elastictranscoder, python313Packages.types-aiobotocore-elastictranscoder
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress Transcoder Plugin <= 1.4.0 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtCamp Transcoder allows Stored XSS. This issue affects Transcoder: from n/a through 1.4.0.
Affected products: transcoder =<1.4.0
Matching in nixpkgs:
CVE-2025-54724 | 7.1 HIGH | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): NONE | User interaction (UI): REQUIRED | Scope (S): CHANGED | Confidentiality impact (C): LOW | Integrity impact (I): LOW | Availability impact (A): LOW
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 2 packages 1 month, 3 weeks ago: ligolo-ng, xfce.gigolo
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress Golo Theme <= 1.7.1 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo allows Reflected XSS. This issue affects Golo: from n/a through 1.7.1.
Affected products: golo =<1.7.1
Matching in nixpkgs:
CVE-2025-54725 | 9.8 CRITICAL | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): NONE | User interaction (UI): NONE | Scope (S): UNCHANGED | Confidentiality impact (C): HIGH | Integrity impact (I): HIGH | Availability impact (A): HIGH
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 2 packages 1 month, 3 weeks ago: xfce.gigolo, ligolo-ng
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress Golo Theme <= 1.7.0 - Broken Authentication Vulnerability
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0.
Affected products: golo =<1.7.0
Matching in nixpkgs:
CVE-2024-3508 | 4.3 MEDIUM | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): LOW | User interaction (UI): NONE | Scope (S): UNCHANGED | Confidentiality impact (C): NONE | Integrity impact (I): NONE | Availability impact (A): LOW
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 9 packages 1 month, 3 weeks ago: bzip2, lbzip2, pbzip2, bzip2_1_1, indexed-bzip2, haskellPackages.bzip2-clib, python312Packages.indexed-bzip2, python313Packages.indexed-bzip2, tests.pkg-config.defaultPkgConfigPackages.bzip2
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: Bzip2: compressed content bomb leads to denial of service of bombastic api
Description: A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
Affected products: bzip2 ==faa7a496c5d98e0f0859dd2c623eddf82289eaa8 (SBOM-Management-(Bombastic))
Matching in nixpkgs:
CVE-2025-58806 | 7.1 HIGH | CVSS version: 3.1
Attack vector (AV): NETWORK | Attack complexity (AC): LOW | Privileges required (PR): NONE | User interaction (UI): REQUIRED | Scope (S): CHANGED | Confidentiality impact (C): LOW | Integrity impact (I): LOW | Availability impact (A): LOW
Updated 1 month, 3 weeks ago by @LeSuisse
Activity log:
  - Created automatic suggestion 3 months ago
  - @LeSuisse removed 6 packages 1 month, 3 weeks ago: haskellPackages.bugsnag, python312Packages.bugsnag, python313Packages.bugsnag, haskellPackages.bugsnag-hs, haskellPackages.bugsnag-wai, haskellPackages.bugsnag-yesod
  - @LeSuisse dismissed 1 month, 3 weeks ago
Title: WordPress WordPress Error Monitoring by Bugsnag Plugin <= 1.6.3 - Cross Site Request Forgery (CSRF) Vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in imjoehaines WordPress Error Monitoring by Bugsnag allows Stored XSS. This issue affects WordPress Error Monitoring by Bugsnag: from n/a through 1.6.3.
Affected products: bugsnag =<1.6.3
Matching in nixpkgs: