⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

Create Draft to queue a suggestion for refinement.

Dismiss to remove a suggestion from the queue.

CVE-2025-31344
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 4 weeks ago
The giflib open-source component has a buffer overflow vulnerability

Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. This vulnerability is associated with program files gif2rgb.C. This issue affects giflib: through 5.2.2.

giflib
=<5.2.2

pkgs.giflib

Library for reading and writing gif images
CVE-2025-32908
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 4 weeks ago
Libsoup: denial of service on libsoup through http/2 server

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS).

libsoup
<3.6.5
libsoup3
*

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4
  • nixos-unstable ???
    • nixpkgs-unstable
Package maintainers: 6
CVE-2025-2814
4.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 4 weeks ago
Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions

Crypt::CBC versions between 1.21 and 3.04 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable.  In that case, Crypt::CBC will fallback to use the insecure rand() function.

Crypt-CBC
=<3.04
=<3.05

pkgs.perlPackages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode

pkgs.perl538Packages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode

pkgs.perl540Packages.CryptCBC

Encrypt Data with Cipher Block Chaining Mode
CVE-2025-32589
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 weeks ago
WordPress Flexi – Guest Submit Plugin <= 4.28 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in odude Flexi – Guest Submit allows PHP Local File Inclusion. This issue affects Flexi – Guest Submit: from n/a through 4.28.

flexi
=<4.28

pkgs.flexibee

Client for an accouting economic system

pkgs.python312Packages.pyflexit

Python library for Flexit A/C units

pkgs.python313Packages.pyflexit

Python library for Flexit A/C units

pkgs.haskellPackages.flexible-unlit

A configurable reimplementation of unlit

pkgs.python312Packages.flexit-bacnet

Client BACnet library for Flexit Nordic series of air handling units

pkgs.python313Packages.flexit-bacnet

Client BACnet library for Flexit Nordic series of air handling units

pkgs.haskellPackages.flexible-defaults

Generate default function implementations for complex type classes

pkgs.terraform-providers.flexibleengine

pkgs.haskellPackages.flexible-numeric-parsers

Flexible numeric parsers for real-world programming languages

pkgs.home-assistant-component-tests.flexit_bacnet

Open source home automation that puts local control and privacy first

pkgs.python312Packages.azure-mgmt-mysqlflexibleservers

Microsoft Azure Mysqlflexibleservers Management Client Library for Python

pkgs.python313Packages.azure-mgmt-mysqlflexibleservers

Microsoft Azure Mysqlflexibleservers Management Client Library for Python

pkgs.python312Packages.azure-mgmt-postgresqlflexibleservers

Microsoft Azure Postgresqlflexibleservers Management Client Library for Python

pkgs.python313Packages.azure-mgmt-postgresqlflexibleservers

Microsoft Azure Postgresqlflexibleservers Management Client Library for Python

pkgs.tests.stdenv.hooks.no-broken-symlinks.fail-reflexive-symlink-absolute

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.hooks.no-broken-symlinks.fail-reflexive-symlink-relative

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.hooks.no-broken-symlinks.pass-reflexive-symlink-absolute-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.hooks.no-broken-symlinks.pass-reflexive-symlink-relative-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.fail-reflexive-symlink-absolute

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.fail-reflexive-symlink-relative

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.pass-reflexive-symlink-absolute-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.hooks.default-stdenv-hooks.no-broken-symlinks.pass-reflexive-symlink-relative-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.fail-reflexive-symlink-absolute

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.fail-reflexive-symlink-relative

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.pass-reflexive-symlink-absolute-allowed

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.tests.stdenv.structuredAttrsByDefault.hooks.no-broken-symlinks.pass-reflexive-symlink-relative-allowed

  • nixos-unstable ???
    • nixpkgs-unstable
Package maintainers: 9
CVE-2025-1386 created 4 weeks ago
Query smuggling in ch-go library

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

ch-go
<0.65.0

pkgs.immich-go

Immich client tool for bulk-uploads
Package maintainers: 1
CVE-2025-32618
8.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 4 weeks ago
WordPress Wishlist plugin <= 1.0.43 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PickPlugins Wishlist allows SQL Injection. This issue affects Wishlist: from n/a through 1.0.43.

wishlist
=<1.0.43

pkgs.wishlist

Single entrypoint for multiple SSH endpoints
Package maintainers: 2
CVE-2025-32230
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 4 weeks ago
WordPress Tutor LMS plugin <= 3.4.0 - HTML Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: from n/a through 3.4.0.

tutor
=<3.4.0

pkgs.typstPackages.tutor_0_3_0

Utilities to create exams

pkgs.typstPackages.tutor_0_4_0

Utilities to create exams

pkgs.typstPackages.tutor_0_6_1

Utilities to create exams

pkgs.typstPackages.tutor_0_7_0

Utilities to create exams

pkgs.typstPackages.tutor_0_8_0

Utilities to create exams

pkgs.haskellPackages.timeless-tutorials

Initial project template from stack
Package maintainers: 1
CVE-2025-23386
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 weeks ago
gerbera: Privilege escalation from user gerbera to root because of insecure %post script

A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root.,This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.

gerbera
<2.5.0-1.1

pkgs.gerbera

UPnP Media Server for 2024
Package maintainers: 1
CVE-2025-32584
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 4 weeks ago
WordPress Chat2 plugin <= 3.6.3 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chat2 Chat2 allows Cross Site Request Forgery. This issue affects Chat2: from n/a through 3.6.3.

chat2
=<3.6.3

pkgs.python312Packages.deltachat2

Client library for Delta Chat core JSON-RPC interface

pkgs.python313Packages.deltachat2

Client library for Delta Chat core JSON-RPC interface
Package maintainers: 1
CVE-2025-31003
2.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 4 weeks ago
WordPress Squeeze plugin <= 1.6 - Full Path Disclosure (FPD) vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Bogdan Bendziukov Squeeze allows Retrieve Embedded Sensitive Data. This issue affects Squeeze: from n/a through 1.6.

squeeze
=<1.6

pkgs.squeezelite

Lightweight headless squeezebox client emulator

pkgs.squeezelite-pulse

Lightweight headless squeezebox client emulator

pkgs.postgresqlPackages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.python312Packages.pysqueezebox

Asynchronous library to control Logitech Media Server

pkgs.python313Packages.pysqueezebox

Asynchronous library to control Logitech Media Server

pkgs.postgresql13Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql14Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql15Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql16Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.postgresql18Packages.pg_squeeze

PostgreSQL extension for automatic bloat cleanup

pkgs.home-assistant-component-tests.squeezebox

Open source home automation that puts local control and privacy first
Package maintainers: 5