⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

Create Draft to queue a suggestion for refinement.

Dismiss to remove a suggestion from the queue.

CVE-2023-52125
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress iFrame Plugin <= 4.8 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly iframe allows Stored XSS.This issue affects iframe: from n/a through 4.8.

iframe
=<4.8
CVE-2025-31423
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
WordPress Umberto <= 1.2.8 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto allows Object Injection. This issue affects Umberto: from n/a through 1.2.8.

umberto
=<1.2.8

pkgs.vimPlugins.vim-numbertoggle.x86_64-linux

pkgs.vimPlugins.vim-numbertoggle.aarch64-linux

pkgs.vimPlugins.vim-numbertoggle.x86_64-darwin

pkgs.vimPlugins.vim-numbertoggle.aarch64-darwin

CVE-2025-32285
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Butcher theme <= 2.40 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Butcher allows Reflected XSS. This issue affects Butcher: from n/a through 2.40.

butcher
=<2.40

pkgs.haskellPackages.butcher.x86_64-linux

Chops a command or program invocation into digestable pieces

pkgs.haskellPackages.butcher.aarch64-linux

Chops a command or program invocation into digestable pieces

pkgs.haskellPackages.butcher.x86_64-darwin

Chops a command or program invocation into digestable pieces

pkgs.haskellPackages.butcher.aarch64-darwin

Chops a command or program invocation into digestable pieces
CVE-2025-5024
7.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months, 1 week ago
Gnome-remote-desktop: uncontrolled resource consumption due to malformed rdp pdus

A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop listens for RDP connections, an unauthenticated attacker can exhaust system resources and repeatedly crash the process. There may be a resource leak after many attacks, which will also result in gnome-remote-desktop no longer being able to open files even after it is restarted via systemd.

gnome-remote-desktop
*

pkgs.gnome-remote-desktop

GNOME Remote Desktop server
Package maintainers: 4
CVE-2024-6409
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 3 months, 1 week ago
Openssh: possible remote code execution due to a race condition in signal handling affecting red hat enterprise linux 9

A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

rhcos
*
OpenSSH
openssh
*

pkgs.openssh_hpn

Implementation of the SSH protocol with high performance networking patches

pkgs.openssh_hpnWithKerberos

Implementation of the SSH protocol with high performance networking patches

pkgs.lxqt.lxqt-openssh-askpass

GUI to query passwords on behalf of SSH agents

pkgs.perl538Packages.NetOpenSSH

Perl SSH client package implemented on top of OpenSSH

pkgs.perl540Packages.NetOpenSSH

Perl SSH client package implemented on top of OpenSSH

pkgs.perl540Packages.NetOpenSSH.x86_64-linux

Perl SSH client package implemented on top of OpenSSH

pkgs.perl540Packages.NetOpenSSH.aarch64-linux

Perl SSH client package implemented on top of OpenSSH

pkgs.perl540Packages.NetOpenSSH.x86_64-darwin

Perl SSH client package implemented on top of OpenSSH

pkgs.perl540Packages.NetOpenSSH.aarch64-darwin

Perl SSH client package implemented on top of OpenSSH
Package maintainers: 6
CVE-2024-6505
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months, 1 week ago
Qemu-kvm: virtio-net: queue index out-of-bounds access in software rss

A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.

qemu
<9.1.0
qemu-kvm
qemu-kvm-ma
virt:av/qemu-kvm
virt:rhel/qemu-kvm

pkgs.qemu_kvm

Generic and open source machine emulator and virtualizer

pkgs.qemu_xen

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

pkgs.qemu_full

Generic and open source machine emulator and virtualizer

pkgs.qemu_test

Generic and open source machine emulator and virtualizer

pkgs.qemu-utils

Generic and open source machine emulator and virtualizer

pkgs.qemu.x86_64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu.aarch64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu.x86_64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu.aarch64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu_kvm.x86_64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu_xen.x86_64-linux

Generic and open source machine emulator and virtualizer

pkgs.python311Packages.qemu

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.python313Packages.qemu

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.qemu-user.x86_64-linux

QEMU User space emulator - launch executables compiled for one CPU on another CPU

pkgs.qemu_full.x86_64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu_kvm.aarch64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu_kvm.x86_64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu_test.x86_64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu-user.aarch64-linux

QEMU User space emulator - launch executables compiled for one CPU on another CPU

pkgs.qemu-utils.x86_64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu_full.aarch64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu_full.x86_64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu_kvm.aarch64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu_test.aarch64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu_test.x86_64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu-utils.aarch64-linux

Generic and open source machine emulator and virtualizer

pkgs.qemu-utils.x86_64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu_full.aarch64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu_test.aarch64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu-utils.aarch64-darwin

Generic and open source machine emulator and virtualizer

pkgs.qemu-python-utils.x86_64-linux

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.qemu-python-utils.aarch64-linux

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.qemu-python-utils.x86_64-darwin

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.qemu-python-utils.aarch64-darwin

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.python312Packages.qemu.x86_64-linux

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.python312Packages.qemu.aarch64-linux

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.python312Packages.qemu.x86_64-darwin

Python tooling used by the QEMU project to build, configure, and test QEMU

pkgs.python312Packages.qemu.aarch64-darwin

Python tooling used by the QEMU project to build, configure, and test QEMU
Package maintainers: 11
CVE-2025-2559
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months, 1 week ago
Org.keycloak/keycloak-services: jwt token cache exhaustion leading to denial of service (dos) in keycloak

A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.

keycloak
<26.1.5
<26.0.11
keycloak-services
rhbk/keycloak-rhel9
*
keycloak-rhel9-container
*
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*
keycloak-rhel9-operator-container
*
keycloak-rhel9-operator-bundle-container
*

pkgs.python311Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-darwin

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-darwin

Provides access to the Keycloak API
Package maintainers: 3
CVE-2024-7383
7.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 3 months, 1 week ago
Libnbd: nbd server improper certificate validation

A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.

libnbd
*
<1.20.2
<1.18.5
virt:rhel
*
virt:av/libnbd
virt-devel:rhel
*
virt:rhel/libnbd

pkgs.libnbd.x86_64-linux

Network Block Device client library in userspace

pkgs.libnbd.aarch64-linux

Network Block Device client library in userspace

pkgs.python311Packages.libnbd

Network Block Device client library in userspace

pkgs.python313Packages.libnbd

Network Block Device client library in userspace

pkgs.python312Packages.libnbd.x86_64-linux

Network Block Device client library in userspace

pkgs.python312Packages.libnbd.aarch64-linux

Network Block Device client library in userspace
Package maintainers: 1
CVE-2024-8235
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months, 1 week ago
Libvirt: crash of virtinterfaced via virconnectlistinterfaces()

A flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read-only socket to crash the virtinterfaced daemon.

libvirt
<10.7.0
*
virt:av/libvirt
virt:rhel/libvirt

pkgs.libvirt

Toolkit to interact with the virtualization capabilities of recent versions of Linux and other OSes

pkgs.libvirt-glib

Wrapper library of libvirt for glib-based applications

pkgs.libvirt.x86_64-linux

Toolkit to interact with the virtualization capabilities of recent versions of Linux and other OSes

pkgs.libvirt.aarch64-linux

Toolkit to interact with the virtualization capabilities of recent versions of Linux and other OSes

pkgs.libvirt.x86_64-darwin

Toolkit to interact with the virtualization capabilities of recent versions of Linux and other OSes

pkgs.libvirt.aarch64-darwin

Toolkit to interact with the virtualization capabilities of recent versions of Linux and other OSes

pkgs.libvirt-glib.x86_64-linux

Library for working with virtual machines

pkgs.python313Packages.libvirt

libvirt Python bindings

pkgs.rubyPackages.ruby-libvirt

pkgs.libvirt-glib.aarch64-linux

Library for working with virtual machines

pkgs.libvirt-glib.x86_64-darwin

Library for working with virtual machines

pkgs.libvirt-glib.aarch64-darwin

Library for working with virtual machines

pkgs.prometheus-libvirt-exporter

Prometheus metrics exporter for libvirt

pkgs.python312Packages.libvirt.x86_64-linux

libvirt Python bindings

pkgs.python312Packages.libvirt.aarch64-linux

libvirt Python bindings

pkgs.python312Packages.libvirt.x86_64-darwin

libvirt Python bindings

pkgs.python312Packages.libvirt.aarch64-darwin

libvirt Python bindings

pkgs.rubyPackages_3_1.ruby-libvirt.x86_64-linux

pkgs.rubyPackages_3_2.ruby-libvirt.x86_64-linux

pkgs.rubyPackages_3_3.ruby-libvirt.x86_64-linux

pkgs.rubyPackages_3_4.ruby-libvirt.x86_64-linux

pkgs.rubyPackages_3_1.ruby-libvirt.aarch64-linux

pkgs.rubyPackages_3_1.ruby-libvirt.x86_64-darwin

pkgs.rubyPackages_3_2.ruby-libvirt.aarch64-linux

pkgs.rubyPackages_3_2.ruby-libvirt.x86_64-darwin

pkgs.rubyPackages_3_3.ruby-libvirt.aarch64-linux

pkgs.rubyPackages_3_3.ruby-libvirt.x86_64-darwin

pkgs.rubyPackages_3_4.ruby-libvirt.aarch64-linux

pkgs.rubyPackages_3_4.ruby-libvirt.x86_64-darwin

pkgs.rubyPackages_3_1.ruby-libvirt.aarch64-darwin

pkgs.rubyPackages_3_2.ruby-libvirt.aarch64-darwin

pkgs.rubyPackages_3_3.ruby-libvirt.aarch64-darwin

pkgs.rubyPackages_3_4.ruby-libvirt.aarch64-darwin

Package maintainers: 4
CVE-2025-4969
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 3 months, 1 week ago
Libsoup: off-by-one out-of-bounds read in find_boundary() in soup-multipart.c

A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP body, causing the libsoup-consuming server to read beyond its allocated memory boundaries (out-of-bounds read).

libsoup
=<3.6.5
libsoup3

pkgs.libsoup_3.x86_64-linux

HTTP client/server library for GNOME

pkgs.libsoup_3.aarch64-linux

HTTP client/server library for GNOME

pkgs.libsoup_3.x86_64-darwin

HTTP client/server library for GNOME

pkgs.libsoup_2_4.x86_64-linux

HTTP client/server library for GNOME

pkgs.libsoup_3.aarch64-darwin

HTTP client/server library for GNOME

pkgs.libsoup_2_4.aarch64-linux

HTTP client/server library for GNOME

pkgs.libsoup_2_4.x86_64-darwin

HTTP client/server library for GNOME

pkgs.libsoup_2_4.aarch64-darwin

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4
  • nixos-25.05 ???
    • nixpkgs-25.05-darwin
    • nixos-25.05-small
  • nixos-unstable 2.4
Package maintainers: 6