⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

Create Draft to queue a suggestion for refinement.

Dismiss to remove a suggestion from the queue.

CVE-2023-23708
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress Visualizer Plugin <= 3.9.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Themeisle Visualizer: Tables and Charts Manager for WordPress plugin <= 3.9.4 versions.

visualizer
=<3.9.4

pkgs.cli-visualizer

CLI based audio visualizer

pkgs.midivisualizer

Small MIDI visualizer tool, using OpenGL

pkgs.gnomeExtensions.sound-visualizer

A Real Time Sound Visualizer Based On Gstreamer
  • nixos-24.11 8
    • nixpkgs-24.11-darwin 8
    • nixos-24.11-small 8
  • nixos-unstable 8
    • nixos-unstable-small 8
    • nixpkgs-unstable 8
Notify package maintainers: 13
CVE-2023-47238
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
WordPress Top 10 Plugin <= 3.3.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in WebberZone Top 10 – WordPress Popular posts by WebberZone plugin <= 3.3.2 versions.

top-10
=<3.3.2

pkgs.darwin.top

pkgs.budgie.budgie-desktop

A feature-rich, modern desktop designed to keep out the way of the user

pkgs.gnomeExtensions.pip-on-top

Makes "Picture-in-Picture" windows stay on top (even on Wayland session). Compatible with Firefox, but may work with few other browsers too.
  • nixos-24.11 10
    • nixpkgs-24.11-darwin 10
    • nixos-24.11-small 10
  • nixos-unstable 10
    • nixos-unstable-small 10
    • nixpkgs-unstable 10

pkgs.gnomeExtensions.show-apps-at-top

Put show apps icon at top in Gnome default dash
Notify package maintainers: 4
CVE-2023-26008
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress Top 10 Plugin <= 3.2.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay D'Souza Top 10 – Popular posts plugin for WordPress plugin <= 3.2.4 versions.

top-10
=<3.2.4

pkgs.darwin.top

pkgs.budgie.budgie-desktop

A feature-rich, modern desktop designed to keep out the way of the user

pkgs.gnomeExtensions.pip-on-top

Makes "Picture-in-Picture" windows stay on top (even on Wayland session). Compatible with Firefox, but may work with few other browsers too.
  • nixos-24.11 10
    • nixpkgs-24.11-darwin 10
    • nixos-24.11-small 10
  • nixos-unstable 10
    • nixos-unstable-small 10
    • nixpkgs-unstable 10

pkgs.gnomeExtensions.show-apps-at-top

Put show apps icon at top in Gnome default dash
Notify package maintainers: 4
CVE-2025-26465
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 2 weeks ago
Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

rhcos
openssh

pkgs.openssh_hpnWithKerberos

Implementation of the SSH protocol with high performance networking patches
Notify package maintainers: 6
CVE-2024-1062
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)

A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

389-ds:1.4
*
389-ds-base
=<2.2.*
*
<2.2.*
redhat-ds:11
*
redhat-ds:12
*
389-ds:1.4/389-ds-base
redhat-ds:11/389-ds-base
redhat-ds:12/389-ds-base
Notify package maintainers: 1
CVE-2024-3657
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
389-ds-base: potential denial of service via specially crafted kerberos as-req request

A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service

389-ds:1.4
*
389-ds-base
*
redhat-ds:11
*
redhat-ds:12
*
389-ds:1.4/389-ds-base
redhat-ds:11/389-ds-base
redhat-ds:12/389-ds-base
Notify package maintainers: 1
CVE-2024-5953
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
389-ds-base: malformed userpassword hash may cause denial of service

A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.

389-ds:1.4
*
389-ds-base
*
redhat-ds:11
*
redhat-ds:12
*
389-ds:1.4/389-ds-base
redhat-ds:11/389-ds-base
redhat-ds:12/389-ds-base
Notify package maintainers: 1
CVE-2025-26778
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress Gallery Custom Links Plugin <= 2.2.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Gallery allows Stored XSS. This issue affects Gallery: from n/a through 2.2.1.

gallery
=<2.2.1

pkgs.texlivePackages.dtxgallery

A small collection of minimal DTX examples
  • nixos-24.05 1
    • nixpkgs-24.05-darwin 1
    • nixos-24.05-small 1

pkgs.texlivePackages.image-gallery

Create an overview of pictures from a digital camera or from other sources

pkgs.azure-cli-extensions.gallery-service-artifact

Microsoft Azure Command-Line Tools GalleryServiceArtifact Extension
Notify package maintainers: 13
CVE-2023-6918
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
Libssh: missing checks for return values for digests

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

libssh
*
libssh2
mingw-libssh2

pkgs.python311Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case

pkgs.python312Packages.ansible-pylibssh

Python bindings to client functionality of libssh specific to Ansible use case
Notify package maintainers: 3
CVE-2023-49920 created 1 month, 3 weeks ago
Apache Airflow: Missing CSRF protection on DAG/trigger

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected

apache-airflow
<2.8.0
Notify package maintainers: 3