Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for a revision.

CVE-2025-54671
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed package libvoikko 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress oik Plugin plugin <= 4.15.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2.

Affected products

oik
  • =<4.15.2

Matching in nixpkgs

CVE-2025-54019
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    8 packages
    • selendroid
    • stalonetray
    • art-standalone
    • argp-standalone
    • cbqn-standalone
    • htmlunit-driver
    • cbqn-standalone-replxx
    • selenium-server-standalone
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.

Affected products

alone
  • <7.8.5

Matching in nixpkgs

CVE-2025-54670
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed package libvoikko 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.

Affected products

oik
  • =<4.15.2

Matching in nixpkgs

CVE-2025-57890
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    3 packages
    • haskellPackages.simple-sessions
    • python312Packages.langchain-azure-dynamic-sessions
    • python313Packages.langchain-azure-dynamic-sessions
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Sessions Plugin <= 3.2.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy Sessions allows Stored XSS. This issue affects Sessions: from n/a through 3.2.0.

Affected products

sessions
  • =<3.2.0

Matching in nixpkgs

CVE-2025-58209
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    5 packages
    • haskellPackages.amazonka-elastictranscoder
    • python312Packages.mypy-boto3-elastictranscoder
    • python313Packages.mypy-boto3-elastictranscoder
    • python312Packages.types-aiobotocore-elastictranscoder
    • python313Packages.types-aiobotocore-elastictranscoder
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Transcoder Plugin <= 1.4.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtCamp Transcoder allows Stored XSS. This issue affects Transcoder: from n/a through 1.4.0.

Affected products

transcoder
  • =<1.4.0

Matching in nixpkgs

CVE-2025-54724
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    2 packages
    • ligolo-ng
    • xfce.gigolo
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Golo Theme <= 1.7.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo allows Reflected XSS. This issue affects Golo: from n/a through 1.7.1.

Affected products

golo
  • =<1.7.1

Matching in nixpkgs

CVE-2025-54725
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    2 packages
    • xfce.gigolo
    • ligolo-ng
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Golo Theme <= 1.7.0 - Broken Authentication Vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0.

Affected products

golo
  • =<1.7.0

Matching in nixpkgs

CVE-2024-3508
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    9 packages
    • bzip2
    • lbzip2
    • pbzip2
    • bzip2_1_1
    • indexed-bzip2
    • haskellPackages.bzip2-clib
    • python312Packages.indexed-bzip2
    • python313Packages.indexed-bzip2
    • tests.pkg-config.defaultPkgConfigPackages.bzip2
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
Bzip2: compressed content bomb leads to denial of service of bombastic api

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.

Affected products

bzip2
  • ==faa7a496c5d98e0f0859dd2c623eddf82289eaa8
SBOM-Management-(Bombastic)

Matching in nixpkgs

CVE-2025-58806
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    6 packages
    • haskellPackages.bugsnag
    • python312Packages.bugsnag
    • python313Packages.bugsnag
    • haskellPackages.bugsnag-hs
    • haskellPackages.bugsnag-wai
    • haskellPackages.bugsnag-yesod
    2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress WordPress Error Monitoring by Bugsnag Plugin <= 1.6.3 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in imjoehaines WordPress Error Monitoring by Bugsnag allows Stored XSS. This issue affects WordPress Error Monitoring by Bugsnag: from n/a through 1.6.3.

Affected products

bugsnag
  • =<1.6.3

Matching in nixpkgs

CVE-2025-58801
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed package responder 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Responder Plugin <= 4.3.8 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in KCS Responder allows Cross Site Request Forgery. This issue affects Responder: from n/a through 4.3.8.

Affected products

responder
  • =<4.3.8

Matching in nixpkgs