Nixpkgs security tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2025-69364
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    27 packages
    • kdePackages.breeze
    • libsForQt5.breeze-gtk
    • libsForQt5.breeze-qt5
    • kdePackages.breeze-gtk
    • libsForQt5.breeze-grub
    • sierra-breeze-enhanced
    • kdePackages.breeze-grub
    • libsForQt5.breeze-icons
    • kdePackages.breeze-icons
    • breeze-hacked-cursor-theme
    • libsForQt5.breeze-plymouth
    • plasma5Packages.breeze-gtk
    • plasma5Packages.breeze-qt5
    • kdePackages.breeze-plymouth
    • plasma5Packages.breeze-grub
    • python312Packages.seabreeze
    • python313Packages.seabreeze
    • libsForQt5.qqc2-breeze-style
    • plasma5Packages.breeze-icons
    • kdePackages.qqc2-breeze-style
    • plasma5Packages.breeze-plymouth
    • wordpressPackages.plugins.breeze
    • libsForQt5.sierra-breeze-enhanced
    • plasma5Packages.qqc2-breeze-style
    • kdePackages.sierra-breeze-enhanced
    • qt6Packages.sierra-breeze-enhanced
    • plasma5Packages.sierra-breeze-enhanced
  • @LeSuisse dismissed
WordPress Breeze plugin <= 2.2.21 - Broken Access Control vulnerability

Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21.

Affected products

breeze
  • <= 2.2.21
Ignored packages (27)

pkgs.kdePackages.breeze

Artwork, styles and assets for the Breeze visual style for the Plasma Desktop

WP plugin not packaged in nixpkgs
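The base score and severity shown for each entry above follow from the eight metric bullets alone. The following is an added example, not code from the tracker, that recomputes a CVSS v3.1 base score from those bullets so a reader can check the displayed number against the vector. It implements the published v3.1 equations for the Scope: UNCHANGED case, which is all this page needs; the Scope: CHANGED branch uses different privilege weights and a different impact formula and is deliberately rejected rather than approximated. The sample bullets are copied from CVE-2025-68546 below.

```python
"""Recompute a CVSS v3.1 base score from the metric bullets on this page.

Added example, not part of the Nixpkgs security tracker. Only the
Scope: UNCHANGED equations are implemented.
"""
import math
import re

# Metric weights from the CVSS v3.1 specification (Scope: UNCHANGED).
AV = {"NETWORK": 0.85, "ADJACENT_NETWORK": 0.62, "LOCAL": 0.55, "PHYSICAL": 0.2}
AC = {"LOW": 0.77, "HIGH": 0.44}
PR = {"NONE": 0.85, "LOW": 0.62, "HIGH": 0.27}   # UNCHANGED-scope values
UI = {"NONE": 0.85, "REQUIRED": 0.62}
CIA = {"HIGH": 0.56, "LOW": 0.22, "NONE": 0.0}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x.

    Done on integers, as the spec recommends, so that a value such as
    4.000000001 rounds to 4.0 rather than 4.1 because of float error."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av: str, ac: str, pr: str, ui: str, s: str,
               c: str, i: str, a: str) -> float:
    if s != "UNCHANGED":
        raise NotImplementedError("Scope: CHANGED uses different weights")
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * PR[pr] * UI[ui]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


def severity(score: float) -> str:
    """Qualitative rating bands from the v3.1 specification."""
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def parse_metrics(lines) -> dict:
    """Read the 'Attack vector (AV): NETWORK' bullet format used on this page."""
    out = {}
    for line in lines:
        m = re.search(r"\((AV|AC|PR|UI|S|C|I|A)\):\s*([A-Z_]+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def score_from_page(lines) -> tuple:
    m = parse_metrics(lines)
    s = base_score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"],
                   m["C"], m["I"], m["A"])
    return s, severity(s)


# Constructed sample: the metric bullets of CVE-2025-68546 as listed on this page.
SAMPLE = """
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
""".strip().splitlines()

if __name__ == "__main__":
    print(score_from_page(SAMPLE))  # (7.5, 'HIGH')
```

Paste any entry's metric bullets into `SAMPLE` to recheck it; a mismatch between the recomputed value and the displayed score usually means the tracker is showing a vendor or NVD score computed from a different vector than the one rendered.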
CVE-2025-68505
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.h5py
    • python313Packages.h5py
    • python312Packages.h5py-mpi
    • python313Packages.h5py-mpi
    • python312Packages.airtouch5py
    • python313Packages.airtouch5py
    • pkgsRocm.python3Packages.h5py-mpi
  • @LeSuisse dismissed
WordPress H5P plugin <= 1.16.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in icc0rz H5P h5p allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects H5P: from n/a through <= 1.16.1.

Affected products

h5p
  • <= 1.16.1
Ignored packages (7)
WP plugin not packaged in nixpkgs
CVE-2025-32283
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    47 packages
    • solarus
    • solargraph
    • coc-solargraph
    • solarc-gtk-theme
    • solarus-launcher
    • dircolors-solarized
    • solarus-quest-editor
    • rubyPackages.solargraph
    • numix-solarized-gtk-theme
    • vimPlugins.coc-solargraph
    • nodePackages.coc-solargraph
    • rubyPackages_3_1.solargraph
    • rubyPackages_3_2.solargraph
    • rubyPackages_3_3.solargraph
    • rubyPackages_3_4.solargraph
    • rubyPackages_3_5.solargraph
    • python312Packages.zeversolar
    • python313Packages.zeversolar
    • rubyPackages.yard-solargraph
    • prometheus-solaredge-exporter
    • python312Packages.aiosolaredge
    • python312Packages.pysolarmanv5
    • python312Packages.solarlog-cli
    • python313Packages.aiosolaredge
    • python313Packages.pysolarmanv5
    • python313Packages.solarlog-cli
    • python312Packages.solaredge-web
    • python313Packages.solaredge-web
    • python312Packages.forecast-solar
    • python313Packages.forecast-solar
    • rubyPackages_3_1.yard-solargraph
    • rubyPackages_3_2.yard-solargraph
    • rubyPackages_3_3.yard-solargraph
    • rubyPackages_3_4.yard-solargraph
    • rubyPackages_3_5.yard-solargraph
    • python312Packages.solaredge-local
    • python312Packages.zeversolarlocal
    • python313Packages.solaredge-local
    • python313Packages.zeversolarlocal
    • nodePackages_latest.coc-solargraph
    • vscode-extensions.castwide.solargraph
    • home-assistant-component-tests.solarlog
    • home-assistant-component-tests.solaredge
    • home-assistant-component-tests.zeversolar
    • home-assistant-custom-components.solarman
    • home-assistant-component-tests.forecast_solar
    • vscode-extensions.brandonkirbyson.solarized-palenight
  • @LeSuisse dismissed
WordPress Solar Energy theme <= 3.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection. This issue affects Solar Energy: from n/a through <= 3.5.

Affected products

solar
  • <= 3.5
Ignored packages (47)

pkgs.solarus

Zelda-like ARPG game engine

WP theme not packaged in nixpkgs
CVE-2025-67532
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • charasay
    • gnome-characters
    • keepass-charactercopy
    • unicode-character-database
    • haskellPackages.character-ps
    • coqPackages.mathcomp-character
    • python312Packages.characteristic
    • python313Packages.characteristic
    • magnetophonDSP.CharacterCompressor
    • python312Packages.character-encoding-utils
    • python313Packages.character-encoding-utils
  • @LeSuisse dismissed
WordPress Hara theme <= 1.2.17 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17.

Affected products

hara
  • <= 1.2.17
Ignored packages (11)

pkgs.charasay

Future of cowsay - Colorful characters saying something

pkgs.gnome-characters

Simple utility application to find and insert unusual characters

  • nixos-unstable 49.1
    • nixpkgs-unstable 49.1
    • nixos-unstable-small 49.1
WP theme not packaged in nixpkgs
CVE-2025-68556
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    18 packages
    • happy
    • triggerhappy
    • haskellPackages.happy
    • haskellPackages.happy-dot
    • haskellPackages.happy-lib
    • haskellPackages.happy-meta
    • ocamlPackages.happy-eyeballs
    • haskellPackages.happy-arbitrary
    • ocamlPackages.happy-eyeballs-lwt
    • gnomeExtensions.happy-appy-hotkey
    • ocamlPackages.mimic-happy-eyeballs
    • python312Packages.aiohappyeyeballs
    • python313Packages.aiohappyeyeballs
    • ocamlPackages.happy-eyeballs-mirage
    • tests.testers.testBuildFailure.happy
    • tests.testers.testBuildFailure'.happy
    • tests.testers.testBuildFailure.happyStructuredAttrs
    • tests.testers.testBuildFailure'.happyStructuredAttrs
  • @LeSuisse dismissed
WordPress HAPPY plugin <= 1.0.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.9.

Affected products

happy-helpdesk-support-ticket-system
  • <= 1.0.9
Ignored packages (18)

pkgs.happy

Happy is a parser generator for Haskell

WP plugin not packaged in nixpkgs
CVE-2025-67936
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • ocamlPackages.curly
    • haskellPackages.curly-expander
    • haskellPackages.recurly-client
  • @LeSuisse dismissed
WordPress Curly theme < 3.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3.

Affected products

curly
  • < 3.3
Ignored packages (3)
WP theme not packaged in nixpkgs
CVE-2025-60206
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • selenium-server-standalone
    • cbqn-standalone-replxx
    • htmlunit-driver
    • cbqn-standalone
    • argp-standalone
    • art-standalone
    • selendroid
    • stalonetray
  • @LeSuisse dismissed
WordPress Alone theme <= 7.8.3 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection. This issue affects Alone: from n/a through <= 7.8.3.

Affected products

alone
  • <= 7.8.3
Ignored packages (8)

pkgs.selendroid

Test automation for native or hybrid Android apps and the mobile web

pkgs.argp-standalone

Standalone version of arguments parsing functions from Glibc

pkgs.htmlunit-driver

WebDriver server for running Selenium tests on the HtmlUnit headless browser

  • nixos-unstable 2.27
    • nixpkgs-unstable 2.27
    • nixos-unstable-small 2.27
WP theme not packaged in nixpkgs
CVE-2025-67568
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • python312Packages.baseline
    • python313Packages.baseline
    • python312Packages.baselines
    • python313Packages.baselines
    • pkgsRocm.python3Packages.baselines
    • python312Packages.stable-baselines3
    • python313Packages.stable-baselines3
    • pkgsRocm.python3Packages.stable-baselines3
    • python312Packages.robotframework-databaselibrary
    • python313Packages.robotframework-databaselibrary
  • @LeSuisse dismissed
WordPress Basel theme <= 5.9.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Basel: from n/a through <= 5.9.1.

Affected products

basel
  • <= 5.9.1
Ignored packages (10)
WP theme not packaged in nixpkgs
CVE-2025-60212
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored package ocamlPackages.reactivedata
  • @LeSuisse dismissed
WordPress VEDA Theme <= 4.2 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in designthemes VEDA veda allows Object Injection. This issue affects VEDA: from n/a through <= 4.2.

Affected products

veda
  • <= 4.2
Ignored packages (1)
WP theme not present in nixpkgs
CVE-2025-68546
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • nika-fonts
    • python312Packages.minikanren
    • python313Packages.minikanren
  • @LeSuisse dismissed
WordPress Nika theme <= 1.2.14 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.14.

Affected products

Nika
  • <= 1.2.14
Ignored packages (3)
WP theme not present in nixpkgs
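Every entry above is the same failure mode: a WordPress plugin or theme whose product slug ("breeze", "happy", "alone", "nika") happens to occur inside the name of an unrelated nixpkgs attribute. The following is an added example, not the tracker's own code, showing how such candidate lists arise and how a first triage pass can cut them down. It assumes that candidates come from a plain substring match of the advisory's product slug against the last component of the attribute path (this reproduces most of the lists on this page, for instance "alone" inside stalonetray and "veda" inside reactivedata, but not every one of them, so the real matcher is presumably looser), and that the attribute-path prefix is a usable proxy for the upstream ecosystem a package came from. The range parser reads the "from n/a through <= X" strings exactly as they appear in the Affected products blocks; a bare "through 1.0.9" is treated as inclusive, which is how the page renders it. The package names and advisory rows are constructed from the entries above.

```python
"""Name-based CVE-to-package matching, and an ecosystem-aware triage pass.

Added example, not the Nixpkgs security tracker's code. The substring
matcher and the prefix-to-ecosystem table are assumptions made for the
sake of illustration; the version-range format is the one on this page.
"""
import re

# Constructed sample: (CVE, product slug, ecosystem named in the advisory
# title, version-range text) for three entries listed on this page.
ADVISORIES = [
    ("CVE-2025-69364", "breeze", "wordpress", "from n/a through <= 2.2.21"),
    ("CVE-2025-67936", "curly", "wordpress", "from n/a through < 3.3"),
    ("CVE-2025-68556", "happy", "wordpress", "from n/a through 1.0.9"),
]

# Constructed sample of nixpkgs attribute paths taken from the ignored lists.
PACKAGES = [
    "kdePackages.breeze",
    "libsForQt5.breeze-gtk",
    "wordpressPackages.plugins.breeze",
    "ocamlPackages.curly",
    "haskellPackages.recurly-client",
    "happy",
    "haskellPackages.happy",
    "python312Packages.aiohappyeyeballs",
    "stalonetray",
]

# Assumption: the first attribute-path component identifies the upstream
# ecosystem; bare top-level attributes are treated as "nixpkgs".
_ECOSYSTEM_PREFIXES = {
    "wordpressPackages": "wordpress",
    "haskellPackages": "hackage",
    "ocamlPackages": "opam",
    "kdePackages": "kde",
    "libsForQt5": "kde",
}


def ecosystem(attr: str) -> str:
    head = attr.split(".", 1)[0]
    if head in _ECOSYSTEM_PREFIXES:
        return _ECOSYSTEM_PREFIXES[head]
    if re.fullmatch(r"python3\d*Packages", head):
        return "pypi"
    return "nixpkgs"


_RANGE_RE = re.compile(r"through\s*(<=|<)?\s*(\d+(?:\.\d+)*)\s*$")


def parse_range(text: str) -> tuple:
    """'from n/a through <= 2.2.21' -> ('<=', (2, 2, 21)).

    A bare 'through 1.0.9' is inclusive, matching the page's '<= 1.0.9'."""
    m = _RANGE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised range: {text!r}")
    op = m.group(1) or "<="
    return op, tuple(int(p) for p in m.group(2).split("."))


def version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, range_text: str) -> bool:
    op, bound = parse_range(range_text)
    key = version_key(version)
    # Pad so that (2, 2) and (2, 2, 0) compare equal.
    n = max(len(key), len(bound))
    key += (0,) * (n - len(key))
    bound += (0,) * (n - len(bound))
    return key <= bound if op == "<=" else key < bound


def name_candidates(product: str, packages=PACKAGES) -> list:
    """Substring match of the product slug against the last path component."""
    needle = product.lower()
    return [p for p in packages if needle in p.rsplit(".", 1)[-1].lower()]


def triage(product: str, advisory_ecosystem: str, packages=PACKAGES) -> dict:
    """Keep only candidates whose ecosystem agrees with the advisory's."""
    cands = name_candidates(product, packages)
    keep = [p for p in cands if ecosystem(p) == advisory_ecosystem]
    return {"candidates": cands, "needs_review": keep,
            "dismissed": [p for p in cands if p not in keep]}


if __name__ == "__main__":
    for cve, product, eco, rng in ADVISORIES:
        print(cve, parse_range(rng), triage(product, eco))
```

Ecosystem agreement is necessary, not sufficient: for "breeze" the filter still leaves `wordpressPackages.plugins.breeze` for a human to look at, and the triager above dismissed that entry too, so the pass only shrinks the list the human has to read. The version check matters once a candidate survives, because "through 1.0.9" and "< 3.3" differ at the boundary and the page renders both with the same bullet style.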