Automatically generated suggestions


CVE-2025-40927
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 3 weeks ago
CGI::Simple versions 1.281 and earlier for Perl have an HTTP response splitting flaw

CGI::Simple versions before 1.282 for Perl have an HTTP response splitting flaw.

This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions. Although some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters. As a result, an attacker can inject a line break (e.g. %0A) into a parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks. The issue documented in CVE-2010-4410 (https://www.cve.org/CVERecord?id=CVE-2010-4410) is related, but the fix was incomplete.

Impact

By injecting %0A (newline) into a query string parameter, an attacker can:
  • Break the current HTTP header
  • Inject a new header or an entire body
  • Deliver a script payload that is reflected in the server's response

That can lead to the following attacks:
  • reflected XSS
  • open redirect
  • cache poisoning
  • header manipulation

CGI-Simple
<1.282

pkgs.perlPackages.CGISimple

Simple totally OO CGI interface that is CGI.pm compliant

pkgs.perl538Packages.CGISimple

Simple totally OO CGI interface that is CGI.pm compliant

pkgs.perl540Packages.CGISimple

Simple totally OO CGI interface that is CGI.pm compliant
CVE-2025-4437
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 3 weeks ago
Cri-o: large /etc/passwd file may lead to denial of service

There's a vulnerability in the CRI-O application: when a container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause high memory consumption, leading to applications being killed due to out-of-memory. As a result, a denial of service can be achieved, possibly disrupting other pods and services running on the same host.

cri-o
rhcos

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
Package maintainers: 2
CVE-2025-4877
4.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 3 weeks ago
Libssh: write beyond bounds in binary to base64 conversion functions

There's a vulnerability in the libssh package when a libssh consumer passes an unexpectedly large input buffer to the ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to memory under-allocation; when that happens, it's possible that the program performs an out-of-bounds write, leading to heap corruption. This issue affects only 32-bit builds of libssh.

rhcos
libssh
<0.11.2
libssh2

pkgs.libssh

SSH client library

pkgs.libssh2

Client-side C library implementing the SSH2 protocol

pkgs.haskellPackages.libssh

libssh bindings

pkgs.python312Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

pkgs.python313Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2

Test whether libssh2-1.11.1 exposes pkg-config modules libssh2
Package maintainers: 3
CVE-2025-49436
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 3 weeks ago
WordPress Custom Menu plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thiudis Custom Menu allows Stored XSS. This issue affects Custom Menu: from n/a through 1.8.

custom-menu
=<1.8

pkgs.gnomeExtensions.custom-menu

Custom application menu with JSON configuration. Launch apps with specific profiles or execute toggle commands (e.g., for mounted drives) directly from your GNOME menu.
Package maintainers: 1
CVE-2025-48171
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month, 3 weeks ago
WordPress Cena Store <= 2.11.26 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store allows PHP Local File Inclusion. This issue affects Cena Store: from n/a through 2.11.26.

cena
=<2.11.26

pkgs.ocenaudio

Cross-platform, easy to use, fast and functional audio editor

pkgs.spacenavd

Device driver and SDK for 3Dconnexion 3D input devices

pkgs.asciinema-scenario

Create asciinema videos from a text file

pkgs.spacenav-cube-example

Example application to test the spacenavd driver

pkgs.rubyPackages.mercenary

pkgs.rubyPackages_3_1.mercenary

pkgs.rubyPackages_3_2.mercenary

pkgs.rubyPackages_3_3.mercenary

pkgs.rubyPackages_3_4.mercenary

pkgs.python312Packages.testscenarios

Pyunit extension for dependency injection

pkgs.python313Packages.testscenarios

Pyunit extension for dependency injection

pkgs.azure-cli-extensions.scenario-guide

Microsoft Azure Command-Line Tools Scenario Guidance Extension

pkgs.haskellPackages.opengl-spacenavigator

Library and example for using a SpaceNavigator-compatible 3-D mouse with OpenGL
Package maintainers: 5
CVE-2023-5342
4.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 3 weeks ago
None

None

shim
shim-x64
<15.8-2

pkgs.yoshimi

High quality software synthesizer based on ZynAddSubFX

pkgs.epoll-shim

Small epoll implementation using kqueue

pkgs.libudev0-shim

Shim to preserve libudev.so.0 compatibility

pkgs.plex-mpv-shim

Allows casting of videos to MPV via the Plex mobile and web app

pkgs.shim-unsigned

UEFI shim loader

pkgs.doas-sudo-shim

Shim for the sudo command that utilizes doas

pkgs.rshim-user-space

User-space rshim driver for the BlueField SoC

pkgs.jellyfin-mpv-shim

Allows casting of videos to MPV via the jellyfin mobile and web app

pkgs.mpv-shim-default-shaders

Preconfigured set of MPV shaders and configurations for MPV Shim media clients

pkgs.python312Packages.shimmy

API conversion tool for popular external reinforcement learning environments

pkgs.pantheon.elementary-print-shim

Simple shim for printing support via Contractor

pkgs.python312Packages.notebook-shim

Switch frontends to Jupyter Server

pkgs.python313Packages.notebook-shim

Switch frontends to Jupyter Server

pkgs.python312Packages.pytz-deprecation-shim

Shims to make deprecation of pytz easier

pkgs.python313Packages.pytz-deprecation-shim

Shims to make deprecation of pytz easier
Package maintainers: 11
CVE-2025-55716
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 3 weeks ago
WordPress WP Statistics Plugin <= 14.15 - Broken Access Control Vulnerability

Missing Authorization vulnerability in VeronaLabs WP Statistics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Statistics: from n/a through 14.15.

wp-statistics
=<14.15

pkgs.wordpressPackages.plugins.wp-statistics

CVE-2025-53241
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 3 weeks ago
WordPress Simplified Plugin <= 1.0.9 - Server Side Request Forgery (SSRF) Vulnerability

Server-Side Request Forgery (SSRF) vulnerability in kodeshpa Simplified allows Server Side Request Forgery. This issue affects Simplified: from n/a through 1.0.9.

simplified
=<1.0.9

pkgs.gnomeExtensions.net-speed-simplified

A Net Speed extension With Loads of Customization. Fork of simplenetspeed

pkgs.gnomeExtensions.net-totals-simplified

A Net totals extension that only displays totals. Forked from Net Speed extension (netspeedsimplified@prateekmedia.extension) With Loads of Customization, version 43

pkgs.haskellPackages.phonetic-languages-simplified-base

Basics of the phonetic-languages functionality that can be grouped

pkgs.haskellPackages.phonetic-languages-simplified-properties-array-common

Common functionality for 'with-tuples' and old version of properties
Package maintainers: 1
CVE-2025-28975
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 3 weeks ago
WordPress Alike - WordPress Custom Post Comparison <= 3.0.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Alike - WordPress Custom Post Comparison allows Reflected XSS. This issue affects Alike - WordPress Custom Post Comparison: from n/a through 3.0.1.

alike
=<3.0.1

pkgs.soundalike

Find duplicate audio files using acoustic fingerprints

pkgs.gnomeExtensions.compiz-alike-magic-lamp-effect

Magic lamp effect inspired by the Compiz ones
Package maintainers: 2
CVE-2025-49053
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 3 weeks ago
WordPress WP Airdrop Manager plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kadesthemes WP Airdrop Manager allows Stored XSS. This issue affects WP Airdrop Manager: from n/a through 1.0.5.

airdrop
=<1.0.5

pkgs.pairdrop

Local file sharing in your browser

pkgs.nodePackages.hs-airdrop

Handshake airdrop redemption

pkgs.nodePackages_latest.hs-airdrop

Handshake airdrop redemption
Package maintainers: 3