
Automatically generated suggestions


CVE-2025-5278
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 1 month, 1 week ago
Coreutils: heap buffer under-read in GNU Coreutils sort via key specification

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

rhcos
coreutils

pkgs.coreutils

GNU Core Utilities

pkgs.coreutils-full

GNU Core Utilities

pkgs.policycoreutils

SELinux policy core utilities

pkgs.coreutils-prefixed

GNU Core Utilities

pkgs.coreutils.x86_64-linux

GNU Core Utilities

pkgs.coreutils.aarch64-linux

GNU Core Utilities

pkgs.coreutils.x86_64-darwin

GNU Core Utilities

pkgs.coreutils.aarch64-darwin

GNU Core Utilities

pkgs.coreutils-full.x86_64-linux

GNU Core Utilities

pkgs.coreutils-full.aarch64-linux

GNU Core Utilities

pkgs.coreutils-full.x86_64-darwin

GNU Core Utilities

pkgs.policycoreutils.x86_64-linux

SELinux policy core utilities

pkgs.coreutils-full.aarch64-darwin

GNU Core Utilities

pkgs.policycoreutils.aarch64-linux

SELinux policy core utilities

pkgs.coreutils-prefixed.x86_64-linux

GNU Core Utilities

pkgs.coreutils-prefixed.aarch64-linux

GNU Core Utilities

pkgs.coreutils-prefixed.x86_64-darwin

GNU Core Utilities

pkgs.coreutils-prefixed.aarch64-darwin

GNU Core Utilities

pkgs.uutils-coreutils-noprefix.x86_64-linux

Cross-platform Rust rewrite of the GNU coreutils

pkgs.uutils-coreutils-noprefix.aarch64-linux

Cross-platform Rust rewrite of the GNU coreutils

pkgs.uutils-coreutils-noprefix.x86_64-darwin

Cross-platform Rust rewrite of the GNU coreutils

pkgs.uutils-coreutils-noprefix.aarch64-darwin

Cross-platform Rust rewrite of the GNU coreutils
Package maintainers: 4
CVE-2025-23394
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month, 1 week ago
daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root. This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

cyrus-imapd
<3.8.4-2.1

pkgs.cyrus-imapd.x86_64-linux

Email, contacts and calendar server

pkgs.cyrus-imapd.aarch64-linux

Email, contacts and calendar server
Package maintainers: 2
CVE-2025-32286
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
WordPress Butcher <= 2.40 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Butcher allows PHP Local File Inclusion. This issue affects Butcher: from n/a through 2.40.

butcher
=<2.40
CVE-2025-46448
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress Document Management System <= 1.24 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reifsnyderb Document Management System allows Reflected XSS. This issue affects Document Management System: from n/a through 1.24.

dms
=<1.24

pkgs.dms

UPnP DLNA Digital Media Server with basic video transcoding

pkgs.dms.x86_64-linux

UPnP DLNA Digital Media Server with basic video transcoding

pkgs.dms.aarch64-linux

UPnP DLNA Digital Media Server with basic video transcoding

pkgs.haskellPackages.amazonka-dms

Amazon Database Migration Service SDK

pkgs.python313Packages.ndms2-client

Keenetic NDMS 2.x and 3.x client

pkgs.python313Packages.mypy-boto3-dms

Type annotations for boto3 dms

pkgs.python313Packages.types-aiobotocore-dms

Type annotations for aiobotocore dms

pkgs.haskellPackages.amazonka-dms.x86_64-linux

Amazon Database Migration Service SDK

pkgs.haskellPackages.amazonka-dms.aarch64-linux

Amazon Database Migration Service SDK

pkgs.haskellPackages.amazonka-dms.x86_64-darwin

Amazon Database Migration Service SDK

pkgs.haskellPackages.amazonka-dms.aarch64-darwin

Amazon Database Migration Service SDK

pkgs.azure-cli-extensions.dms-preview.x86_64-linux

Support for new Database Migration Service scenarios

pkgs.azure-cli-extensions.dms-preview.aarch64-linux

Support for new Database Migration Service scenarios

pkgs.azure-cli-extensions.dms-preview.x86_64-darwin

Support for new Database Migration Service scenarios

pkgs.azure-cli-extensions.dms-preview.aarch64-darwin

Support for new Database Migration Service scenarios

pkgs.home-assistant-component-tests.dlna_dms.x86_64-linux

Open source home automation that puts local control and privacy first

pkgs.python312Packages.types-aiobotocore-dms.x86_64-linux

Type annotations for aiobotocore dms

pkgs.home-assistant-component-tests.dlna_dms.aarch64-linux

Open source home automation that puts local control and privacy first

pkgs.python312Packages.types-aiobotocore-dms.aarch64-linux

Type annotations for aiobotocore dms

pkgs.python312Packages.types-aiobotocore-dms.x86_64-darwin

Type annotations for aiobotocore dms

pkgs.python312Packages.types-aiobotocore-dms.aarch64-darwin

Type annotations for aiobotocore dms
Package maintainers: 9
CVE-2025-32293
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
WordPress Finance Consultant <= 2.8 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in designthemes Finance Consultant allows Object Injection. This issue affects Finance Consultant: from n/a through 2.8.

finance
=<2.8

pkgs.python313Packages.yfinance

Module to download Yahoo! Finance market data

pkgs.python313Packages.mplfinance

Matplotlib utilities for the visualization, and visual analysis, of financial data

pkgs.python313Packages.finvizfinance

Finviz Finance information downloader

pkgs.python312Packages.yfinance.x86_64-linux

Module to download Yahoo! Finance market data

pkgs.python312Packages.yfinance.aarch64-linux

Module to download Yahoo! Finance market data

pkgs.python312Packages.yfinance.x86_64-darwin

Module to download Yahoo! Finance market data

pkgs.python312Packages.yfinance.aarch64-darwin

Module to download Yahoo! Finance market data

pkgs.python312Packages.finvizfinance.x86_64-linux

Finviz Finance information downloader

pkgs.python312Packages.finvizfinance.aarch64-linux

Finviz Finance information downloader

pkgs.python312Packages.finvizfinance.x86_64-darwin

Finviz Finance information downloader

pkgs.python312Packages.finvizfinance.aarch64-darwin

Finviz Finance information downloader
Package maintainers: 2
CVE-2024-22309
8.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 2 weeks ago
WordPress ChatBot Plugin <= 5.1.0 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI. This issue affects ChatBot with AI: from n/a through 5.1.0.

chatbot
=<5.1.0

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

pkgs.gnomeExtensions.penguin-ai-chatbot.x86_64-linux

A GNOME Shell extension that uses openrouter.ai services - a platform/marketplace that offers APIs to talk to LLMs. Some of these APIs are free to use, including the one used by default in the extension: Llama 3.1 8B.

pkgs.gnomeExtensions.penguin-ai-chatbot.aarch64-linux

A GNOME Shell extension that uses openrouter.ai services - a platform/marketplace that offers APIs to talk to LLMs. Some of these APIs are free to use, including the one used by default in the extension: Llama 3.1 8B.
Package maintainers: 1
CVE-2023-52125
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress iFrame Plugin <= 4.8 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly iframe allows Stored XSS. This issue affects iframe: from n/a through 4.8.

iframe
=<4.8

pkgs.home-assistant-component-tests.panel_iframe

Open source home automation that puts local control and privacy first

pkgs.home-assistant-component-tests.panel_iframe.x86_64-linux

Open source home automation that puts local control and privacy first

pkgs.home-assistant-component-tests.panel_iframe.aarch64-linux

Open source home automation that puts local control and privacy first
Package maintainers: 3
CVE-2025-31423
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
WordPress Umberto <= 1.2.8 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto allows Object Injection. This issue affects Umberto: from n/a through 1.2.8.

umberto
=<1.2.8
CVE-2025-32285
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress Butcher theme <= 2.40 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Butcher allows Reflected XSS. This issue affects Butcher: from n/a through 2.40.

butcher
=<2.40
CVE-2025-5024
7.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
Gnome-remote-desktop: uncontrolled resource consumption due to malformed RDP PDUs

A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop listens for RDP connections, an unauthenticated attacker can exhaust system resources and repeatedly crash the process. There may be a resource leak after many attacks, which will also result in gnome-remote-desktop no longer being able to open files even after it is restarted via systemd.

gnome-remote-desktop

pkgs.gnome-remote-desktop

GNOME Remote Desktop server

pkgs.gnome.gnome-remote-desktop

GNOME Remote Desktop server

pkgs.gnome-remote-desktop.x86_64-linux

GNOME Remote Desktop server

pkgs.gnome-remote-desktop.aarch64-linux

GNOME Remote Desktop server

pkgs.gnome.gnome-remote-desktop.x86_64-linux

GNOME Remote Desktop server

pkgs.gnome.gnome-remote-desktop.aarch64-linux

GNOME Remote Desktop server
Package maintainers: 4