Automatically generated suggestions

Create Draft to queue a suggestion for refinement.

Dismiss to remove a suggestion from the queue.

CVE-2023-43788
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 23 hours ago
libXpm: out-of-bounds read in XpmCreateXpmImageFromBuffer()

A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local attacker to trigger an out-of-bounds read error and read the contents of memory on the system.

motif
*
libXpm
*
<3.5.17

pkgs.tests.pkg-config.defaultPkgConfigPackages.xpm

Test whether libXpm-3.5.17 exposes pkg-config modules xpm
  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable
Notify package maintainers: 1
CVE-2024-22050
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 23 hours ago
Iodine Static File Server Path Traversal Vulnerability

Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.

iodine
<0.7.33

pkgs.iodine.x86_64-linux

Tool to tunnel IPv4 data through a DNS server

pkgs.iodine.aarch64-linux

Tool to tunnel IPv4 data through a DNS server

pkgs.iodine.x86_64-darwin

Tool to tunnel IPv4 data through a DNS server

pkgs.iodine.aarch64-darwin

Tool to tunnel IPv4 data through a DNS server
Notify package maintainers: 3
CVE-2025-6021
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 4 days, 23 hours ago
libxml2: integer overflow in xmlBuildQName() leads to stack buffer overflow in libxml2

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

rhcos
libxml2

pkgs.python313Packages.libxml2

XML parsing library for C

pkgs.tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"

Test whether libxml2-2.13.8 exposes pkg-config modules libxml-2.0
Notify package maintainers: 7
CVE-2025-40914
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 5 days, 23 hours ago
Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow

Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow. CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.

CryptX
=<0.086

pkgs.perl536Packages.CryptX

Cryptographic toolkit

pkgs.perl536Packages.CryptX.x86_64-linux

Cryptographic toolkit

pkgs.perl540Packages.CryptX.x86_64-linux

Cryptographic toolkit

pkgs.perl536Packages.CryptX.aarch64-linux

Cryptographic toolkit

pkgs.perl536Packages.CryptX.x86_64-darwin

Cryptographic toolkit

pkgs.perl540Packages.CryptX.aarch64-linux

Cryptographic toolkit

pkgs.perl540Packages.CryptX.x86_64-darwin

Cryptographic toolkit

pkgs.perl536Packages.CryptX.aarch64-darwin

Cryptographic toolkit

pkgs.perl540Packages.CryptX.aarch64-darwin

Cryptographic toolkit
CVE-2025-40912
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 5 days, 23 hours ago
CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode

CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode. CryptX embeds the tomcrypt library. The versions of that library in CryptX before 0.065 may be susceptible to CVE-2019-17362.

CryptX
<0.065

pkgs.perl536Packages.CryptX

Cryptographic toolkit

pkgs.perl536Packages.CryptX.x86_64-linux

Cryptographic toolkit

pkgs.perl540Packages.CryptX.x86_64-linux

Cryptographic toolkit

pkgs.perl536Packages.CryptX.aarch64-linux

Cryptographic toolkit

pkgs.perl536Packages.CryptX.x86_64-darwin

Cryptographic toolkit

pkgs.perl540Packages.CryptX.aarch64-linux

Cryptographic toolkit

pkgs.perl540Packages.CryptX.x86_64-darwin

Cryptographic toolkit

pkgs.perl536Packages.CryptX.aarch64-darwin

Cryptographic toolkit

pkgs.perl540Packages.CryptX.aarch64-darwin

Cryptographic toolkit
CVE-2025-49075
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 6 days, 14 hours ago by @06kellyjac Activity log
  • Created automatic suggestion
  • @06kellyjac accepted as draft
  • @06kellyjac marked as untriaged
WordPress Wishlist plugin <= 1.0.43 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Stored XSS. This issue affects Wishlist: from n/a through 1.0.43.

wishlist
=<1.0.43

pkgs.wishlist.x86_64-linux

Single entrypoint for multiple SSH endpoints

pkgs.wishlist.aarch64-linux

Single entrypoint for multiple SSH endpoints

pkgs.wishlist.x86_64-darwin

Single entrypoint for multiple SSH endpoints

pkgs.wishlist.aarch64-darwin

Single entrypoint for multiple SSH endpoints
Notify package maintainers: 2
CVE-2025-31638
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 week ago
WordPress Spare <= 1.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.

spare
=<1.7

pkgs.asciiquarium-transparent

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.texlivePackages.transparent

Using a color stack for transparency with pdfTeX

pkgs.texlivePackages.transparent-io

Show for approval the filenames used in input, openin, or openout

pkgs.gnomeExtensions.transparent-topbar

Transparent Topbar with Multi monitors support
  • nixos-24.05 4
    • nixos-24.05-small 4

pkgs.gnomeExtensions.transparent-top-bar

Bring back the transparent top bar when free-floating in GNOME Shell 3.32.

pkgs.asciiquarium-transparent.x86_64-linux

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.asciiquarium-transparent.aarch64-linux

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.asciiquarium-transparent.x86_64-darwin

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.asciiquarium-transparent.aarch64-darwin

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.texlivePackages.transparent.x86_64-linux

Using a color stack for transparency with pdfTeX

pkgs.gnomeExtensions.transparent-window-moving

Makes the window semi-transparent when moving or resizing

pkgs.texlivePackages.transparent-io.x86_64-linux

Show for approval the filenames used in input, openin, or openout

pkgs.gnomeExtensions.transparent-topbar.x86_64-linux

Transparent Topbar with Multi monitors support
  • nixos-24.05 4
    • nixpkgs-24.05-darwin 4

pkgs.gnomeExtensions.transparent-top-bar.x86_64-linux

Bring back the transparent top bar when free-floating in GNOME Shell 3.32.

pkgs.gnomeExtensions.transparent-topbar.aarch64-linux

Transparent Topbar with Multi monitors support
  • nixos-24.05 4
    • nixpkgs-24.05-darwin 4

pkgs.gnomeExtensions.transparent-top-bar.aarch64-linux

Bring back the transparent top bar when free-floating in GNOME Shell 3.32.

pkgs.gnomeExtensions.transparent-window-moving.x86_64-linux

Makes the window semi-transparent when moving or resizing

pkgs.gnomeExtensions.transparent-window-moving.aarch64-linux

Makes the window semi-transparent when moving or resizing

pkgs.gnomeExtensions.transparent-top-bar-adjustable-transparency

Fork of: https://github.com/zhanghai/gnome-shell-extension-transparent-top-bar

pkgs.gnomeExtensions.transparent-top-bar-adjustable-transparency.x86_64-linux

Fork of: https://github.com/zhanghai/gnome-shell-extension-transparent-top-bar

pkgs.gnomeExtensions.transparent-top-bar-adjustable-transparency.aarch64-linux

Fork of: https://github.com/zhanghai/gnome-shell-extension-transparent-top-bar
Notify package maintainers: 4
CVE-2025-28945
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 week ago
WordPress Valen - Sport, Fashion WooCommerce WordPress Theme <= 2.4 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Valen - Sport, Fashion WooCommerce WordPress Theme: from n/a through 2.4.

valen
=<2.4

pkgs.haskellPackages.equivalence

Maintaining an equivalence relation implemented as union-find using STT

pkgs.haskellPackages.equivalence.x86_64-linux

Maintaining an equivalence relation implemented as union-find using STT

pkgs.haskellPackages.equivalence.aarch64-linux

Maintaining an equivalence relation implemented as union-find using STT

pkgs.haskellPackages.equivalence.x86_64-darwin

Maintaining an equivalence relation implemented as union-find using STT

pkgs.haskellPackages.equivalence.aarch64-darwin

Maintaining an equivalence relation implemented as union-find using STT

pkgs.vscode-extensions.valentjn.vscode-ltex.aarch64-linux

pkgs.vscode-extensions.valentjn.vscode-ltex.x86_64-darwin

pkgs.vscode-extensions.valentjn.vscode-ltex.aarch64-darwin

Notify package maintainers: 7
CVE-2025-31396
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 week ago
WordPress FLAP - Business WordPress Theme <= 1.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

flap
=<1.5

pkgs.jflap

GUI tool for experimenting with formal languages topics

pkgs.jflap.x86_64-linux

GUI tool for experimenting with formal languages topics

pkgs.jflap.aarch64-linux

GUI tool for experimenting with formal languages topics
Notify package maintainers: 2
CVE-2025-32291
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 week ago
WordPress SUMO Affiliates Pro <= 10.7.0 - Arbitrary File Upload Vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in FantasticPlugins SUMO Affiliates Pro allows Using Malicious Files. This issue affects SUMO Affiliates Pro: from n/a through 10.7.0.

affs
=<10.7.0

pkgs.unyaffs

Tool to extract files from a YAFFS2 file system image

pkgs.unyaffs.x86_64-linux

Tool to extract files from a YAFFS2 file system image

pkgs.unyaffs.aarch64-linux

Tool to extract files from a YAFFS2 file system image

pkgs.unyaffs.x86_64-darwin

Tool to extract files from a YAFFS2 file system image

pkgs.unyaffs.aarch64-darwin

Tool to extract files from a YAFFS2 file system image
Notify package maintainers: 2