CVE-2025-46399 created 4 months ago
fig2dev segmentation fault in genge_itp_spline
Segmentation fault in fig2dev in version 3.2.9a allows an attacker to affect availability via local input manipulation via genge_itp_spline function.
Affected products: xfig =<3.2.9a, fig2dev ==3.2.9a, transfig
Matching in nixpkgs:
  pkgs.fig2dev Tool to convert Xfig files to other formats nixos-unstable - nixpkgs-unstable 3.2.9a
  pkgs.transfig Tool to convert Xfig files to other formats nixos-unstable - nixpkgs-unstable 3.2.9a
Package maintainers: 1
  @LeSuisse Thomas Gerbet <thomas@gerbet.me>

CVE-2025-46397 created 4 months ago
fig2dev stack-overflow
Stack-overflow in fig2dev in version 3.2.9a allows an attacker possible code execution via local input manipulation via bezier_spline function.
Affected products: xfig =<3.2.9a, fig2dev ==3.2.9a, transfig
Matching in nixpkgs:
  pkgs.fig2dev Tool to convert Xfig files to other formats nixos-unstable - nixpkgs-unstable 3.2.9a
  pkgs.transfig Tool to convert Xfig files to other formats nixos-unstable - nixpkgs-unstable 3.2.9a
Package maintainers: 1
  @LeSuisse Thomas Gerbet <thomas@gerbet.me>

CVE-2025-46398 created 4 months ago
fig2dev stack-overflow via read_objects
Stack-overflow in fig2dev in version 3.2.9a allows an attacker possible code execution via local input manipulation via read_objects function.
Affected products: xfig =<3.2.9a, fig2dev ==3.2.9a, transfig
Matching in nixpkgs:
  pkgs.fig2dev Tool to convert Xfig files to other formats nixos-unstable - nixpkgs-unstable 3.2.9a
  pkgs.transfig Tool to convert Xfig files to other formats nixos-unstable - nixpkgs-unstable 3.2.9a
Package maintainers: 1
  @LeSuisse Thomas Gerbet <thomas@gerbet.me>

CVE-2025-39580 created 4 months ago
WordPress Dashi <= 3.1.8 - Broken Access Control Vulnerability
Missing Authorization vulnerability in jidaikobo Dashi allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dashi: from n/a through 3.1.8.
Affected products: dashi =<3.1.8
Matching in nixpkgs:
  pkgs.dashing Dash Generator Script for Any HTML nixos-unstable - nixpkgs-unstable 0.4.0
  pkgs.python312Packages.dashing Terminal dashboards for Python nixos-unstable - nixpkgs-unstable 0.1.0
  pkgs.python313Packages.dashing Terminal dashboards for Python nixos-unstable - nixpkgs-unstable 0.1.0
  pkgs.typstPackages.dashing-dept-news_0_1_0 Share the news with bold graphic design and a modern layout nixos-unstable - nixpkgs-unstable 0.1.0
  pkgs.typstPackages.dashing-dept-news_0_1_1 Share the news with bold graphic design and a modern layout nixos-unstable - nixpkgs-unstable 0.1.1
Package maintainers: 2
  @juliusrickert Julius Rickert <nixpkgs@juliusrickert.de>
  @cherrypiejam Gongqi Huang

CVE-2025-24655 created 4 months ago
WordPress Wishlist Plugin <= 1.0.39 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Reflected XSS. This issue affects Wishlist: from n/a through 1.0.39.
Affected products: wishlist =<1.0.39
Matching in nixpkgs:
  pkgs.wishlist Single entrypoint for multiple SSH endpoints nixos-unstable - nixpkgs-unstable 0.15.2
Package maintainers: 2
  @caarlos0 Carlos A Becker <carlos@becker.software>
  @penguwin Nicolas Martin <penguwin@penguwin.eu>

CVE-2025-39436 created 4 months ago
WordPress I Draw <= 1.0 - Arbitrary File Upload Vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files. This issue affects I Draw: from n/a through 1.0.
Affected products: idraw =<1.0
Matching in nixpkgs:
  pkgs.rapidraw Blazingly-fast, non-destructive, and GPU-accelerated RAW image editor built with performance in mind nixos-unstable - nixpkgs-unstable 1.3.2
  pkgs.kanjidraw Handwritten kanji recognition nixos-unstable - nixpkgs-unstable 0.2.3
  pkgs.jitsi-excalidraw Excalidraw collaboration backend for Jitsi nixos-unstable - nixpkgs-unstable 21
  pkgs.excalidraw_export CLI to export Excalidraw drawings to SVG and PDF nixos-unstable - nixpkgs-unstable 1.1.0
Package maintainers: 4
  @venikx Kevin De Baerdemaeker <code@venikx.com>
  @camillemndn Camille M. <camillemondon@free.fr>
  @obfusk FC Stegerman <flx@obfusk.net>
  @taciturnaxolotl Kieran Klukas <me@dunkirk.sh>

CVE-2025-27288 created 4 months ago
WordPress File Icons Plugin <= 2.1 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons allows Reflected XSS. This issue affects File Icons: from n/a through 2.1.
Affected products: file-icons =<2.1
Matching in nixpkgs:
  pkgs.vscode-extensions.file-icons.file-icons File-specific icons in VSCode for improved visual grepping nixos-unstable - nixpkgs-unstable 1.1.0

CVE-2025-39434 created 4 months ago
WordPress Avatar plugin <= 0.1.4 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.
Affected products: avatar =<0.1.4
Matching in nixpkgs:
  pkgs.yunfaavatar Utility for automatic centralized changing of avatar in Github, Discord, Steam, Shikimori, and many more nixos-unstable - nixpkgs-unstable 0.2.0
  pkgs.kdePackages.libgravatar Library that provides Gravatar support nixos-unstable - nixpkgs-unstable 25.08.1
  pkgs.gnomeExtensions.gravatar Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar. nixos-unstable - nixpkgs-unstable 8
  pkgs.haskellPackages.gravatar Generate Gravatar image URLs nixos-unstable - nixpkgs-unstable 0.8.1
  pkgs.haskellPackages.libravatar Use Libravatar, the decentralized avatar delivery service nixos-unstable - nixpkgs-unstable 0.4.0.2
  pkgs.rubyPackages.jekyll-avatar nixos-unstable - nixpkgs-unstable 0.7.0
  pkgs.python312Packages.libgravatar Library that provides a Python 3 interface for the Gravatar API nixos-unstable - nixpkgs-unstable 1.0.4
  pkgs.python313Packages.libgravatar Library that provides a Python 3 interface for the Gravatar API nixos-unstable - nixpkgs-unstable 1.0.4
  pkgs.rubyPackages_3_1.jekyll-avatar nixos-unstable - nixpkgs-unstable 0.7.0
  pkgs.rubyPackages_3_2.jekyll-avatar nixos-unstable - nixpkgs-unstable 0.7.0
  pkgs.rubyPackages_3_3.jekyll-avatar nixos-unstable - nixpkgs-unstable 0.7.0
  pkgs.rubyPackages_3_4.jekyll-avatar nixos-unstable - nixpkgs-unstable 0.7.0
  pkgs.python312Packages.flask-gravatar Small and simple integration of gravatar into flask nixos-unstable - nixpkgs-unstable 0.5.0
  pkgs.python313Packages.flask-gravatar Small and simple integration of gravatar into flask nixos-unstable - nixpkgs-unstable 0.5.0
  pkgs.python312Packages.django-gravatar2 Essential Gravatar support for Django nixos-unstable - nixpkgs-unstable gravatar2-1.4.5
  pkgs.python313Packages.django-gravatar2 Essential Gravatar support for Django nixos-unstable - nixpkgs-unstable gravatar2-1.4.5
  pkgs.perlPackages.MojoliciousPluginGravatar Globally Recognized Avatars for Mojolicious nixos-unstable - nixpkgs-unstable 0.04
  pkgs.perl538Packages.MojoliciousPluginGravatar Globally Recognized Avatars for Mojolicious nixos-unstable - nixpkgs-unstable 0.04
  pkgs.perl540Packages.MojoliciousPluginGravatar Globally Recognized Avatars for Mojolicious nixos-unstable - nixpkgs-unstable 0.04
  pkgs.wordpressPackages.plugins.wp-user-avatars nixos-unstable - nixpkgs-unstable 1.4.1
  pkgs.gnomeExtensions.user-avatar-in-quick-settings Display the user avatar in the Quick Settings menu, part of the "System" settings nixos-unstable - nixpkgs-unstable 9
Package maintainers: 11
  @honnip Jung seungwoo <me@honnip.page>
  @LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
  @K900 Ilya K. <me@0upti.me>
  @NickCao Nick Cao <nickcao@nichi.co>
  @ttuegel Thomas Tuegel <ttuegel@mailbox.org>
  @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
  @ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
  @mjm Matt Moriarity <matt@mattmoriarity.com>
  @stigtsp Stig Palmquist <stig@stig.io>
  @gador Florian Brandes <florian.brandes@posteo.de>
  @yunfachi Yunfachi <yunfachi@gmail.com>

CVE-2025-39438 created 4 months ago
WordPress Theme Changer plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in momen2009 Theme Changer allows Cross Site Request Forgery. This issue affects Theme Changer: from n/a through 1.3.
Affected products: theme-changer =<1.3
Matching in nixpkgs:
  pkgs.gnomeExtensions.dm-theme-changer Automatically change theme styles when dark mode is enabled or disabled. nixos-unstable - nixpkgs-unstable 4
Package maintainers: 1
  @honnip Jung seungwoo <me@honnip.page>

CVE-2025-3576 created 4 months ago
Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
Affected products: krb5 <1.22 * rhcos discovery/discovery-server-rhel9 * aap-cloud-metrics-collector-container ansible-automation-platform-24/ee-minimal-rhel9 ansible-automation-platform-25/ee-minimal-rhel8 ansible-automation-platform-24/ee-supported-rhel8 ansible-automation-platform-24/ee-supported-rhel9 registry.redhat.io/discovery/discovery-server-rhel9 * ansible-automation-platform-25/ansible-builder-rhel8 ansible-automation-platform-24/platform-resource-runner-rhel8 ansible-automation-platform-25/platform-resource-runner-rhel8
Matching in nixpkgs:
  pkgs.libkrb5 MIT Kerberos 5 nixos-unstable - nixpkgs-unstable 1.22.1
  pkgs.krb5Full MIT Kerberos 5 nixos-unstable - nixpkgs-unstable 1.22.1
  pkgs.pam_krb5 PAM module allowing PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC nixos-unstable - nixpkgs-unstable krb5-4.11
  pkgs.python312Packages.krb5 Kerberos API bindings for Python nixos-unstable - nixpkgs-unstable krb5-0.7.1
  pkgs.python313Packages.krb5 Kerberos API bindings for Python nixos-unstable - nixpkgs-unstable krb5-0.7.1
Package maintainers: 3
  @invokes-su Souvik Sen <nixpkgs-commits@deshaw.com>
  @despsyched Priyanshu Tripathi <priyanshu.tripathi@deshaw.com>
  @de11n Elliot Cameron <nixpkgs-commits@deshaw.com>