Nixpkgs security tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2026-23974
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • ligolo-ng
    • xfce.gigolo
  • @LeSuisse dismissed
WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5.

Affected products

golo
  • < 1.7.5
Ignored packages (2)

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

WP theme not present in nixpkgs
CVE-2025-49249
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • python313Packages.dronecan
    • python312Packages.dronecan
    • drone-runner-docker
    • drone-runner-ssh
    • drone-runner-exec
    • drone-oss
    • drone-scp
    • drone-cli
    • drone
  • @LeSuisse dismissed
WordPress Drone theme <= 1.40 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40.

Affected products

drone
  • <= 1.40
Ignored packages (9)

pkgs.drone

Continuous Integration platform built on container technology

pkgs.drone-cli

Command line client for the Drone continuous integration server

pkgs.drone-oss

Continuous Integration platform built on container technology

pkgs.drone-scp

Copy files and artifacts via SSH using a binary, docker or Drone CI

WP theme not present in nixpkgs
CVE-2025-49994
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package athens
  • @LeSuisse dismissed
WordPress Athens theme <= 1.1.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion. This issue affects Athens: from n/a through <= 1.1.6.

Affected products

athens
  • <= 1.1.6
Ignored packages (1)
WP theme not present in nixpkgs
CVE-2025-67614
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • typstPackages.athena-tu-darmstadt-exercise_0_2_0
    • typstPackages.athena-tu-darmstadt-exercise_0_1_0
    • typstPackages.athena-tu-darmstadt-thesis_0_1_1
    • typstPackages.athena-tu-darmstadt-thesis_0_1_0
    • python313Packages.types-aiobotocore-athena
    • python312Packages.types-aiobotocore-athena
    • python313Packages.mypy-boto3-athena
    • python312Packages.mypy-boto3-athena
    • haskellPackages.amazonka-athena
    • python313Packages.pyathena
    • python312Packages.pyathena
  • @LeSuisse dismissed
WordPress TheNa theme <= 1.5.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5.

Affected products

thena
  • <= 1.5.5
Ignored packages (11)
WP theme not packaged in nixpkgs
CVE-2025-69042
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • libsForQt5.calindori
    • kdePackages.calindori
    • plasma5Packages.calindori
  • @LeSuisse dismissed
WordPress Lindo theme <= 1.2.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5.

Affected products

lindo
  • <= 1.2.5
Ignored packages (3)
WP theme not present in nixpkgs
CVE-2025-54003
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • depotdownloader
    • python312Packages.filedepot
    • python313Packages.filedepot
  • @LeSuisse dismissed
WordPress Depot theme <= 1.16 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16.

Affected products

depot
  • <= 1.16
Ignored packages (3)
WP theme not present in nixpkgs
CVE-2025-68020
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • fsnotifier
    • mpris-notifier
    • terminal-notifier
    • usbguard-notifier
    • python312Packages.pynotifier
    • python313Packages.pynotifier
    • deadbeefPlugins.statusnotifier
    • python312Packages.desktop-notifier
    • kdePackages.kstatusnotifieritem
    • python313Packages.desktop-notifier
    • haskellPackages.status-notifier-item
  • @LeSuisse dismissed
WordPress WANotifier plugin <= 2.7.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12.

Affected products

notifier
  • <= 2.7.12
Ignored packages (11)

pkgs.fsnotifier

IntelliJ Platform companion program for watching and reporting file and directory structure modification

pkgs.mpris-notifier

Dependency-light, highly-customizable, XDG desktop notification generator for MPRIS status changes

pkgs.usbguard-notifier

Notifications for detecting usbguard policy and device presence changes

WP plugin not present in nixpkgs
updated 3 months, 1 week ago by @tomberek Activity log
  • Created suggestion
  • @tomberek ignored
    3 packages
    • websocketpp
    • nlojet
    • itpp
  • @tomberek dismissed
Changjetong T+ <= 16.x GetStoreWarehouseByStore Deserialization RCE

Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC).

Affected products

T+
  • <= 16.x
Ignored packages (3)

pkgs.itpp

IT++ is a C++ library of mathematical, signal processing and communication classes and functions

pkgs.nlojet

Implementation of calculation of the hadron jet cross sections

pkgs.websocketpp

C++/Boost Asio based websocket client/server library

Not Applicable
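The description above names a concrete request shape: a POST to an AjaxPro handler under /tplus/ajaxpro/ with method=GetStoreWarehouseByStore and a JSON body that smuggles a .NET type name such as System.Diagnostics.Process. For anyone who does run T+ behind a logging proxy, that is enough to hunt for. The following is an added example written for this page, not code from the advisory, the vendor or nixpkgs: the endpoint path and method name are the ones quoted in the description, while the JSON-lines proxy log format, the sample requests and the body heuristic are constructed here for illustration.

```python
"""Hunt for the Changjetong T+ AjaxPro deserialization request in proxy logs.

Added example, not from the advisory, the vendor or nixpkgs. Only the endpoint
path and the method name come from the advisory text; the log format, the
sample records and the severity heuristic are assumptions made here.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Any AjaxPro handler under the T+ virtual directory. The handler name quoted in
# the advisory contains a comma, so only '/' is excluded from that path segment.
AJAXPRO_PATH = re.compile(r"^/tplus/ajaxpro/[^/]+\.ashx$", re.IGNORECASE)
TARGET_METHOD = "GetStoreWarehouseByStore"
# The type named in the advisory. AjaxPro resolves type names found in the JSON
# body, so this string in a request body is the strongest indicator a log offers.
SUSPECT_TYPES = ("System.Diagnostics.Process",)

# Constructed sample: a reverse proxy writing one JSON object per request with a
# truncated copy of the body. Not a real capture.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "10.0.0.5", "method": "GET",
     "url": "/tplus/login.aspx", "body": ""},
    {"src": "10.0.0.5", "method": "POST",
     "url": "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore",
     "body": '{"storeId": 3}'},
    {"src": "203.0.113.7", "method": "POST",
     "url": "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore",
     # Illustrative shape only: a nested object carrying a .NET type name.
     "body": '{"storeId": {"__type": "System.Diagnostics.Process, System", "StartInfo": {"FileName": "cmd.exe"}}}'},
    {"src": "203.0.113.7", "method": "POST",
     "url": "/tplus/ajaxpro/Other.ashx?method=Ping", "body": '{"x": "System.String"}'},
])


def classify(record):
    """Return a finding dict for one request record, or None if it is not of interest."""
    url = urlsplit(record["url"])
    if not AJAXPRO_PATH.match(url.path):
        return None
    method = parse_qs(url.query).get("method", [""])[0]
    if method != TARGET_METHOD:
        return None  # other AjaxPro methods are out of scope for this hunt
    body = record.get("body") or ""
    if any(t in body for t in SUSPECT_TYPES):
        severity, reason = "high", "gadget type name in AjaxPro request body"
    elif "System." in body:
        severity, reason = "medium", "framework type name in AjaxPro request body"
    else:
        severity, reason = "low", "call to the vulnerable method (verify patch level)"
    return {"src": record.get("src"), "method": method,
            "severity": severity, "reason": reason}


def scan(log_text):
    """Parse JSON-lines records and return findings tagged with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:6} {f['src']} {f['reason']}")
```

Every call to the vulnerable method is reported, not only the ones carrying a type name, because a proxy may truncate or omit bodies; the severity ladder lets an analyst sort the noise from the likely gadget payloads.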
CVE-2025-13151
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @tomberek Activity log
  • Created suggestion
  • @tomberek dismissed
CVE-2025-13151

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data, resulting in a buffer overflow in asn1_expend_octet_string.

Affected products

libtasn1
  • <= 4.20.0

Matching in nixpkgs

https://github.com/NixOS/nixpkgs/pull/478141 merged
CVE-2025-58986
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • typstPackages.fh-joanneum-iit-thesis_1_1_0
    • typstPackages.fh-joanneum-iit-thesis_1_2_0
    • typstPackages.fh-joanneum-iit-thesis_1_2_2
    • typstPackages.fh-joanneum-iit-thesis_1_2_3
    • typstPackages.fh-joanneum-iit-thesis_2_0_2
    • typstPackages.fh-joanneum-iit-thesis_2_0_5
    • typstPackages.fh-joanneum-iit-thesis_2_1_2
    • typstPackages.fh-joanneum-iit-thesis_2_2_0
  • @LeSuisse dismissed
WordPress Jock On Air Now (JOAN) plugin <= 6.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in ganddser Jock On Air Now (JOAN) joan allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Jock On Air Now (JOAN): from n/a through <= 6.0.4.

Affected products

joan
  • <= 6.0.4
Ignored packages (8)
WP plugin not packaged in nixpkgs
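Nearly every dismissed suggestion on this page follows one pattern: the advisory's affected-product name ("golo", "drone", "lindo", "notifier", "joan") occurs as a substring of unrelated nixpkgs attribute names (ligolo-ng, dronecan, calindori, kstatusnotifieritem, fh-joanneum-iit-thesis), and the product is a WordPress theme or plugin that nixpkgs does not ship. The one true positive, CVE-2025-13151 against libtasn1, is an exact name match. The following is an added example written for this page, not the tracker's own code: the tracker's real matching logic is not shown here, so the case-insensitive substring match below is an assumption, chosen because it reproduces the ignored package lists above (it does not reproduce the T+ entry's hits, so the real matcher is evidently looser still). The `wordpressPackages` namespace used by the ecosystem filter is likewise an assumption; the page only states that the themes and plugins are not present in nixpkgs.

```python
"""Reproduce the false-positive pattern in the dismissed suggestions above and
show how an ecosystem-aware match would have suppressed them.

Added example, not the Nixpkgs security tracker's own code. The substring
heuristic and the `wordpressPackages` namespace are assumptions made here.
"""
import re

# Candidate attribute paths: packages named on this page, plus two constructed
# negatives so the filters have something to reject.
ATTRS = [
    # CVE-2026-23974, affected product "golo"
    "ligolo-ng", "xfce.gigolo",
    # CVE-2025-49249, affected product "drone"
    "python313Packages.dronecan", "python312Packages.dronecan", "drone-runner-docker",
    "drone-runner-ssh", "drone-runner-exec", "drone-oss", "drone-scp", "drone-cli", "drone",
    # CVE-2025-69042, affected product "lindo"
    "libsForQt5.calindori", "kdePackages.calindori", "plasma5Packages.calindori",
    # CVE-2025-68020, affected product "notifier" (three of the eleven listed)
    "fsnotifier", "mpris-notifier", "kdePackages.kstatusnotifieritem",
    # CVE-2025-13151, affected product "libtasn1": the page's one real match
    "libtasn1",
    # constructed negatives
    "nginx", "openssl",
]

# (advisory title, affected product) pairs copied from the entries above.
CVES = {
    "CVE-2026-23974": ("WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability", "golo"),
    "CVE-2025-49249": ("WordPress Drone theme <= 1.40 - Reflected Cross Site Scripting (XSS) vulnerability", "drone"),
    "CVE-2025-69042": ("WordPress Lindo theme <= 1.2.5 - Local File Inclusion vulnerability", "lindo"),
    "CVE-2025-68020": ("WordPress WANotifier plugin <= 2.7.12 - Broken Access Control vulnerability", "notifier"),
    "CVE-2025-13151": ("CVE-2025-13151", "libtasn1"),
}

# Assumed nixpkgs namespace for WordPress plugins and themes.
WORDPRESS_NS = "wordpressPackages."


def loose_suggest(product, attrs=ATTRS):
    """Case-insensitive substring match of the product name against the full attribute path.
    This is what the ignored package lists on this page look like."""
    needle = product.lower()
    return [a for a in attrs if needle in a.lower()]


def is_wordpress_advisory(title):
    """True when the advisory title marks the product as a WordPress theme or plugin."""
    return re.match(r"WordPress\s.*\b(theme|plugin)\b", title) is not None


def ecosystem_suggest(title, product, attrs=ATTRS):
    """Exact match on the attribute's leaf name, restricted to the WordPress namespace
    when the advisory is about a WordPress theme or plugin."""
    wp = is_wordpress_advisory(title)
    needle = product.lower()
    hits = []
    for a in attrs:
        if wp and not a.startswith(WORDPRESS_NS):
            continue  # a WordPress product cannot live outside its namespace
        if a.rsplit(".", 1)[-1].lower() == needle:
            hits.append(a)
    return hits


def triage(cves=CVES, attrs=ATTRS):
    """Return {cve: (loose_hits, ecosystem_hits)} for every advisory."""
    return {cve: (loose_suggest(product, attrs), ecosystem_suggest(title, product, attrs))
            for cve, (title, product) in cves.items()}


if __name__ == "__main__":
    for cve, (loose, strict) in triage().items():
        print(f"{cve}: substring={len(loose)} ecosystem-aware={strict}")
```

The exact-leaf rule alone would still pass `drone` and `drone-cli` for the Drone theme; it is the ecosystem check, tying a WordPress advisory to the namespace where WordPress code could actually live, that empties the list without suppressing the libtasn1 match.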