Automatically generated suggestions

Create Draft to queue a suggestion for refinement.

Dismiss to remove a suggestion from the queue.

CVE-2025-52816
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 2 weeks ago
WordPress Zita theme <= 1.6.5 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.

zita
=<1.6.5

pkgs.zitadel

Identity and access management platform

pkgs.zita-at1

Autotuner Jack application to correct the pitch of vocal tracks

pkgs.zita-ajbridge

Connect additional ALSA devices to JACK

pkgs.zita-njbridge

Command line Jack clients to transmit full quality multichannel audio over a local IP network

pkgs.zitadel-tools

Helper tools for zitadel

pkgs.zita-alsa-pcmi

Successor of clalsadrv, provides easy access to ALSA PCM devices

pkgs.zita-convolver

Convolution library by Fons Adriaensen

pkgs.zita-resampler

Resample library by Fons Adriaensen
Package maintainers: 3
CVE-2025-53331
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 2 months, 2 weeks ago
WordPress RSS Digest plugin <= 1.5 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in samcharrington RSS Digest allows Stored XSS. This issue affects RSS Digest: from n/a through 1.5.

rss-digest
=<1.5

pkgs.matcha-rss-digest

Daily digest generator from a list of RSS feeds
Package maintainers: 1
CVE-2024-6174
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 2 weeks ago
When a non-x86 platform is detected, cloud-init grants root access …

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

cloud-init
<25.1.3

pkgs.cloud-init

Provides configuration and customization of cloud instance
Package maintainers: 2
CVE-2024-11584
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 2 months, 2 weeks ago
cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with …

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

cloud-init
<25.1.3

pkgs.cloud-init

Provides configuration and customization of cloud instance
Package maintainers: 2
CVE-2025-5318
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 months, 2 weeks ago
Libssh: out-of-bounds read in sftp_handle()

A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.

rhcos
*
libssh
<0.11.2
*
rhosdt/tempo-rhel8
*
rhosdt/tempo-query-rhel8
*
rhosdt/tempo-gateway-rhel8
*
rhosdt/tempo-rhel8-operator
*
rhosdt/tempo-gateway-opa-rhel8
*
rhosdt/tempo-jaeger-query-rhel8
*

pkgs.libssh

SSH client library

pkgs.libssh2

Client-side C library implementing the SSH2 protocol

pkgs.haskellPackages.libssh

libssh bindings

pkgs.python312Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

pkgs.python313Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2

Test whether libssh2-1.11.1 exposes pkg-config modules libssh2
Package maintainers: 3
CVE-2025-6032
8.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 2 weeks ago
Podman: podman missing tls verification

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

rhcos
*
podman
<5.5.2
*
container-tools:rhel8
*
container-tools:rhel8/podman

pkgs.podman

Program for managing pods, containers and container images

pkgs.podman-tui

Podman Terminal UI

pkgs.podman-bootc

Streamlining podman+bootc interactions

pkgs.podman-compose

Implementation of docker-compose with podman backend

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

pkgs.nomad-driver-podman

Podman task driver for Nomad

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API

pkgs.python313Packages.podman

Python bindings for Podman's RESTful API
Package maintainers: 8
CVE-2025-6547 created 2 months, 2 weeks ago
On Node.js < 3, pbkdf2 silently disregards Uint8Array input, returning static keys

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.

pbkdf2
==<=3.1.2

pkgs.fastpbkdf2

Fast PBKDF2-HMAC-{SHA1,SHA256,SHA512} implementation in C

pkgs.python312Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.python313Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.chickenPackages_5.chickenEggs.pbkdf2

Password-Based Key Derivation Function as defined in RFC2898
Package maintainers: 2
CVE-2025-6545 created 2 months, 2 weeks ago
pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.

pbkdf2
=<3.1.2

pkgs.fastpbkdf2

Fast PBKDF2-HMAC-{SHA1,SHA256,SHA512} implementation in C

pkgs.python312Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.python313Packages.fastpbkdf2

Python bindings for fastpbkdf2

pkgs.chickenPackages_5.chickenEggs.pbkdf2

Password-Based Key Derivation Function as defined in RFC2898
Package maintainers: 2
CVE-2025-5416
2.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 2 weeks ago
  • @LeSuisse removed
    3 packages
    • terraform-providers.keycloak
    • python312Packages.python-keycloak
    • python313Packages.python-keycloak
    1 month ago
Keycloak-core: keycloak environment information

A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

keycloak

pkgs.keycloak

Identity and access management for modern applications and services
Package maintainers: 4
CVE-2025-6019
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 2 weeks ago
Libblockdev: lpe from allow_active to root in libblockdev via udisks

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

libblockdev
*
<3.3.1

pkgs.libblockdev

Library for manipulating block devices
Package maintainers: 1