Automatically generated suggestions

CVE-2023-6787
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 5 months, 2 weeks ago
Keycloak: session hijacking via re-authentication

A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.

keycloak
<24.0.3
<22.0.10
keycloak-core
rh-sso7-keycloak
rhbk/keycloak-rhel9
*
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python311Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-darwin

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-darwin

Provides access to the Keycloak API
Package maintainers: 3
CVE-2024-8176
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 5 months, 2 weeks ago
Libexpat: expat: improper restriction of xml entity expansion depth in libexpat

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

expat
*
rhcos
firefox
libexpat
<2.7.0
xmlrpc-c
*
lua-expat
mingw-expat
thunderbird
compat-expat1
firefox:flatpak/firefox
thunderbird:flatpak/thunderbird
registry.redhat.io/discovery/discovery-ui-rhel9
*
registry.redhat.io/discovery/discovery-server-rhel9
*
registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9
*

pkgs.expat

Stream-oriented XML parser library written in C

pkgs.xmlrpc_c

Lightweight RPC library based on XML and HTTP

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

pkgs.firefox-unwrapped

Web browser built from Firefox source tree

pkgs.firefox-sync-client

Command-line utility to list/view/edit/delete entries in a firefox-sync account.

pkgs.firefox-beta-unwrapped

Web browser built from Firefox Beta Release source tree

pkgs.haskellPackages.hexpat

XML parser/formatter based on expat

pkgs.lua52Packages.luaexpat

XML Expat parsing

pkgs.haskellPackages.hxt-expat

Expat parser for HXT

pkgs.firefox-devedition-unwrapped

Web browser built from Firefox Developer Edition source tree

pkgs.haskellPackages.hexpat-pickle

XML picklers based on hexpat, source-code-similar to those of the HXT package

pkgs.haskellPackages.hexpat-tagsoup

Parse (possibly malformed) HTML to hexpat tree

pkgs.gnomeExtensions.firefox-profiles

This GNOME extension makes it easy to launch Firefox with a specific profile from the indicator menu.
  • nixos-unstable 1
    • nixos-unstable-small 2
    • nixpkgs-unstable 1

pkgs.luaPackages.luaexpat.x86_64-linux

XML Expat parsing

pkgs.luaPackages.luaexpat.aarch64-linux

XML Expat parsing

pkgs.luaPackages.luaexpat.x86_64-darwin

XML Expat parsing

pkgs.chickenPackages_5.chickenEggs.expat

An interface to James Clark's Expat XML parser

pkgs.haskellPackages.hexpat.x86_64-linux

XML parser/formatter based on expat

pkgs.lua51Packages.luaexpat.x86_64-linux

XML Expat parsing

pkgs.lua53Packages.luaexpat.x86_64-linux

XML Expat parsing

pkgs.lua54Packages.luaexpat.x86_64-linux

XML Expat parsing

pkgs.luaPackages.luaexpat.aarch64-darwin

XML Expat parsing

pkgs.haskellPackages.hexpat.aarch64-linux

XML parser/formatter based on expat

pkgs.haskellPackages.hexpat.x86_64-darwin

XML parser/formatter based on expat

pkgs.lua51Packages.luaexpat.aarch64-linux

XML Expat parsing

pkgs.lua51Packages.luaexpat.x86_64-darwin

XML Expat parsing

pkgs.lua53Packages.luaexpat.aarch64-linux

XML Expat parsing

pkgs.lua53Packages.luaexpat.x86_64-darwin

XML Expat parsing

pkgs.lua54Packages.luaexpat.aarch64-linux

XML Expat parsing

pkgs.lua54Packages.luaexpat.x86_64-darwin

XML Expat parsing

pkgs.emacsPackages.firefox-javascript-repl

pkgs.haskellPackages.hexpat.aarch64-darwin

XML parser/formatter based on expat

pkgs.lua51Packages.luaexpat.aarch64-darwin

XML Expat parsing

pkgs.lua53Packages.luaexpat.aarch64-darwin

XML Expat parsing

pkgs.lua54Packages.luaexpat.aarch64-darwin

XML Expat parsing

pkgs.haskellPackages.hxt-expat.x86_64-linux

Expat parser for HXT

pkgs.thunderbirdPackages.thunderbird-latest

Full-featured e-mail client

pkgs.haskellPackages.hxt-expat.aarch64-linux

Expat parser for HXT

pkgs.haskellPackages.hxt-expat.x86_64-darwin

Expat parser for HXT

pkgs.haskellPackages.hxt-expat.aarch64-darwin

Expat parser for HXT

pkgs.gnomeExtensions.firefox-pip-always-on-top

Ensure that Firefox Picture-in-Picture windows are always on top
  • nixos-unstable 8
    • nixos-unstable-small 8
    • nixpkgs-unstable 8

pkgs.haskellPackages.hexpat-pickle.x86_64-linux

XML picklers based on hexpat, source-code-similar to those of the HXT package

pkgs.haskellPackages.hexpat-pickle.aarch64-linux

XML picklers based on hexpat, source-code-similar to those of the HXT package

pkgs.haskellPackages.hexpat-pickle.x86_64-darwin

XML picklers based on hexpat, source-code-similar to those of the HXT package

pkgs.haskellPackages.hexpat-tagsoup.x86_64-linux

Parse (possibly malformed) HTML to hexpat tree

pkgs.haskellPackages.hexpat-pickle.aarch64-darwin

XML picklers based on hexpat, source-code-similar to those of the HXT package

pkgs.haskellPackages.hexpat-tagsoup.aarch64-linux

Parse (possibly malformed) HTML to hexpat tree

pkgs.haskellPackages.hexpat-tagsoup.x86_64-darwin

Parse (possibly malformed) HTML to hexpat tree

pkgs.haskellPackages.hexpat-tagsoup.aarch64-darwin

Parse (possibly malformed) HTML to hexpat tree

pkgs.vscode-extensions.firefox-devtools.vscode-firefox-debug

Visual Studio Code extension for debugging web applications and browser extensions in Firefox

pkgs.vscode-extensions.firefox-devtools.vscode-firefox-debug.x86_64-linux

Visual Studio Code extension for debugging web applications and browser extensions in Firefox

pkgs.vscode-extensions.firefox-devtools.vscode-firefox-debug.aarch64-linux

Visual Studio Code extension for debugging web applications and browser extensions in Firefox

pkgs.vscode-extensions.firefox-devtools.vscode-firefox-debug.x86_64-darwin

Visual Studio Code extension for debugging web applications and browser extensions in Firefox

pkgs.vscode-extensions.firefox-devtools.vscode-firefox-debug.aarch64-darwin

Visual Studio Code extension for debugging web applications and browser extensions in Firefox
Package maintainers: 17
CVE-2022-28652
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 5 months, 3 weeks ago
~/.config/apport/settings parsing is vulnerable to "billion laughs" attack

apport
<2.21.0

pkgs.haskellPackages.apportionment

Round a set of numbers while maintaining its sum
Package maintainers: 1
CVE-2025-0650
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 5 months, 3 weeks ago
Ovn: egress acls may be bypassed via specially crafted udp packet

A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.

ovn
==24.09.2
==24.03.5
==22.03.8
ovn2.11
ovn2.12
ovn2.13
ovn-2021
ovn22.03
*
ovn22.06
*
ovn22.09
*
ovn22.12
*
ovn23.03
*
ovn23.06
*
ovn23.09
*
ovn24.03
*
ovn24.09
*

pkgs.novnc

VNC client web application

pkgs.turbovnc

High-speed version of VNC derived from TightVNC

pkgs.nanovna-saver

A tool for reading, displaying and saving data from the NanoVNA

pkgs.python311Packages.slovnet

Deep-learning based NLP modeling for Russian language
Package maintainers: 6
CVE-2024-2313
2.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 5 months, 3 weeks ago
If kernel headers need to be extracted, bpftrace will attempt …

If kernel headers need to be extracted, bpftrace will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default.

bpftrace
<v0.20.2

pkgs.bpftrace

High-level tracing language for Linux eBPF

pkgs.linuxPackages_zen.bpftrace

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_6_1.bpftrace

High-level tracing language for Linux eBPF

pkgs.linuxPackages_zen.bpftrace.x86_64-linux

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_5_10.bpftrace

High-level tracing language for Linux eBPF

pkgs.linuxPackages_zen.bpftrace.aarch64-linux

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_libre.bpftrace

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_latest_libre.bpftrace

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_5_10.bpftrace.x86_64-linux

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_5_10.bpftrace.aarch64-linux

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_latest_libre.bpftrace.x86_64-linux

High-level tracing language for Linux eBPF

pkgs.linuxKernel.packages.linux_latest_libre.bpftrace.aarch64-linux

High-level tracing language for Linux eBPF
Package maintainers: 4
CVE-2024-43437
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 5 months, 3 weeks ago
Moodle: xss risk when restoring malicious course backup file

A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.

moodle
<4.4.2
<4.1.12
<4.2.9
<4.3.6

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle
Package maintainers: 2
CVE-2023-26020
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 5 months, 3 weeks ago
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Crafter Studio

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection. This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.

Studio
=<4.0.1
=<3.1.26

pkgs.rstudio.x86_64-linux

Set of integrated tools for the R language

pkgs.rstudio-server.x86_64-linux

Set of integrated tools for the R language

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.x86_64-linux

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.aarch64-linux

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.x86_64-darwin

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.vscodeintellicode.aarch64-darwin

AI-assisted development

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.x86_64-linux

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.aarch64-linux

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.x86_64-darwin

See relevant code examples from GitHub for over 100K different APIs right in your editor

pkgs.vscode-extensions.visualstudioexptteam.intellicode-api-usage-examples.aarch64-darwin

See relevant code examples from GitHub for over 100K different APIs right in your editor
Package maintainers: 3
CVE-2025-27274
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
WordPress GPX Viewer plugin <= 2.2.11 - Path Traversal vulnerability

Path Traversal vulnerability in NotFound GPX Viewer allows Path Traversal. This issue affects GPX Viewer: from n/a through 2.2.11.

gpx-viewer
=<2.2.11

pkgs.gpx-viewer

Simple tool to visualize tracks and waypoints stored in a gpx file
Package maintainers: 1
CVE-2023-3899
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
Subscription-manager: inadequate authorization of com.redhat.rhsm1 d-bus interface allows local users to modify configuration

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

subscription-manager
*

pkgs.python311Packages.graphql-subscription-manager

Python3 library for graphql subscription manager

pkgs.python312Packages.graphql-subscription-manager

Python3 library for graphql subscription manager

pkgs.python312Packages.graphql-subscription-manager.x86_64-linux

Python3 library for graphql subscription manager

pkgs.python312Packages.graphql-subscription-manager.aarch64-linux

Python3 library for graphql subscription manager

pkgs.python312Packages.graphql-subscription-manager.x86_64-darwin

Python3 library for graphql subscription manager

pkgs.python312Packages.graphql-subscription-manager.aarch64-darwin

Python3 library for graphql subscription manager
Package maintainers: 1
CVE-2025-26595
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
Xorg: xwayland: buffer overflow in xkbvmodmasktext()

A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.

xserver
<24.1.6
<21.1.16
tigervnc
*
xorg-x11-server
*
xorg-x11-server-Xwayland
*

pkgs.tigervnc

Fork of tightVNC, made in cooperation with VirtualGL