⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

Create Draft to queue a suggestion for refinement.

Dismiss to remove a suggestion from the queue.

CVE-2025-27288
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 week, 4 days ago
WordPress File Icons Plugin <= 2.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons allows Reflected XSS. This issue affects File Icons: from n/a through 2.1.

file-icons
=<2.1
CVE-2025-39438
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 week, 4 days ago
WordPress Theme Changer plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in momen2009 Theme Changer allows Cross Site Request Forgery. This issue affects Theme Changer: from n/a through 1.3.

theme-changer
=<1.3

pkgs.gnomeExtensions.dm-theme-changer

Automatically change theme styles when dark mode is enabled or disabled.
  • nixos-24.11 4
    • nixpkgs-24.11-darwin 4
    • nixos-24.11-small 4
  • nixos-unstable 4
    • nixos-unstable-small 4
    • nixpkgs-unstable 4
Notify package maintainers: 1
CVE-2024-22051
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 week, 4 days ago
CommonMarker Integer Overflow Vulnerability

CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.

commonmarker
<0.23.4
CVE-2025-39436
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 week, 4 days ago
WordPress I Draw <= 1.0 - Arbitrary File Upload Vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files. This issue affects I Draw: from n/a through 1.0.

idraw
=<1.0

pkgs.jitsi-excalidraw

Excalidraw collaboration backend for Jitsi
  • nixos-24.05 17
    • nixpkgs-24.05-darwin 17
    • nixos-24.05-small 17
  • nixos-24.11 21
    • nixpkgs-24.11-darwin 21
    • nixos-24.11-small 21
  • nixos-unstable 21
    • nixos-unstable-small 21
    • nixpkgs-unstable 21

pkgs.excalidraw_export

CLI to export Excalidraw drawings to SVG and PDF

pkgs.tests.pkg-config.defaultPkgConfigPackages.hidapi-hidraw

Test whether hidapi-0.14.0 exposes pkg-config modules hidapi-hidraw.
  • nixos-24.05 ???
    • nixpkgs-24.05-darwin
    • nixos-24.05-small
  • nixos-24.11 ???
    • nixpkgs-24.11-darwin
    • nixos-24.11-small
  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable
Notify package maintainers: 4
CVE-2025-27324
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 week, 4 days ago
WordPress 17TRACK for WooCommerce Plugin <= 1.2.10 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 17track 17TRACK for WooCommerce allows Reflected XSS. This issue affects 17TRACK for WooCommerce: from n/a through 1.2.10.

17track
=<1.2.10
Notify package maintainers: 1
CVE-2025-39580
5.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 week, 4 days ago
WordPress Dashi <= 3.1.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in jidaikobo Dashi allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dashi: from n/a through 3.1.8.

dashi
=<3.1.8
Notify package maintainers: 1
CVE-2025-24655
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 week, 4 days ago
WordPress Wishlist Plugin <= 1.0.39 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Reflected XSS. This issue affects Wishlist: from n/a through 1.0.39.

wishlist
=<1.0.39
Notify package maintainers: 2
CVE-2025-32911
9.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 week, 6 days ago
Libsoup: double free on soup_message_headers_get_content_disposition() through "soup-message-headers.c" via "params" ghashtable value

A flaw was found in libsoup, which is vulnerable to a use-after-free memory issue not on the heap in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.

libsoup

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.gnome.libsoup

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4
Notify package maintainers: 6
CVE-2024-2182
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 week, 6 days ago
Ovn: insufficient validation of bfd packets may lead to denial of service

A flaw was found in the Open Virtual Network (OVN). In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service.

ovn
*
ovn2.11
ovn2.12
ovn2.13
ovn-2021
*
ovn22.03
*
ovn22.06
ovn22.09
ovn22.12
*
ovn23.03
*
ovn23.06
*
ovn23.09
*

pkgs.python312Packages.slovnet

Deep-learning based NLP modeling for Russian language
Notify package maintainers: 6
CVE-2025-3576
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 week, 6 days ago
Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

krb5
rhcos
aap-cloud-metrics-collector-container
ansible-automation-platform-24/ee-minimal-rhel9
ansible-automation-platform-24/ee-supported-rhel8
ansible-automation-platform-25/ansible-builder-rhel8
ansible-automation-platform-24/platform-resource-runner-rhel8
Notify package maintainers: 2