Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-52750
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored package emu2 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Emu2 plugin <= 0.83b - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juergen Schulze Emu2 emu2-email-users-2 allows Reflected XSS.This issue affects Emu2: from n/a through <= 0.83b.

Affected products

emu2-email-users-2
  • =<<= 0.83b
Ignored packages (1) 
WP plugin not present in nixpkgs
Permalink CVE-2025-64230
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    5 packages
    • typstPackages.efilrst_0_3_2
    • typstPackages.efilrst_0_3_1
    • typstPackages.efilrst_0_3_0
    • typstPackages.efilrst_0_2_0
    • typstPackages.efilrst_0_1_0
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Filr plugin <= 1.2.10 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Chill Filr filr-protection allows Path Traversal.This issue affects Filr: from n/a through <= 1.2.10.

Affected products

filr-protection
  • =<<= 1.2.10
Ignored packages (5) 
WP plugin not present in nixpkgs
Permalink CVE-2025-62092
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Wiremo plugin <= 1.4.99 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wiremo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wiremo: from n/a through 1.4.99.

Affected products

woo-reviews-by-wiremo
  • =<1.4.99

Matching in nixpkgs

Package maintainers

WP plugin not present in nixpkgs
Permalink CVE-2025-58942
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • python312Packages.aioridwell
    • python313Packages.aioridwell
    • home-assistant-component-tests.ridwell
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Dwell theme <= 1.7.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Dwell dwell allows PHP Local File Inclusion.This issue affects Dwell: from n/a through <= 1.7.0.

Affected products

dwell
  • =<<= 1.7.0
Ignored packages (3) 
WP theme note present in nixpkgs
Permalink CVE-2025-58708
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored package tests.haskell.upstreamStackHpackVersion 3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress 777 theme <= 1.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes 777 triple-seven allows PHP Local File Inclusion.This issue affects 777: from n/a through <= 1.3.

Affected products

triple-seven
  • =<<= 1.3
Ignored packages (1) 
WP theme note present in nixpkgs
Permalink CVE-2025-62759
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    10 packages
    • dsseries
    • git-series
    • python312Packages.eseries
    • python312Packages.pyseries
    • python313Packages.pyseries
    • haskellPackages.timezone-series
    • epson-workforce-635-nx625-series
    • pkgsRocm.python3Packages.pyseries
    • azure-cli-extensions.timeseriesinsights
    • epson-inkjet-printer-workforce-840-series
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Series plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series allows Stored XSS.This issue affects Series: from n/a through 2.0.1.

Affected products

series
  • =<2.0.1
Ignored packages (10) 
WP plugin not present in nixpkgs
Permalink CVE-2025-58709
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    37 packages
    • spago
    • etlegacy
    • spago-legacy
    • ifstat-legacy
    • libewf-legacy
    • geolite-legacy
    • etlegacy-assets
    • etlegacy-unwrapped
    • rquickshare-legacy
    • perlPackages.MenloLegacy
    • adwaita-icon-theme-legacy
    • perl538Packages.MenloLegacy
    • perl540Packages.MenloLegacy
    • haskellPackages.spago-legacy
    • python312Packages.legacy-cgi
    • python313Packages.legacy-cgi
    • intel-compute-runtime-legacy1
    • ocamlPackages.legacy_diffable
    • php81Extensions.openssl-legacy
    • php82Extensions.openssl-legacy
    • php83Extensions.openssl-legacy
    • php84Extensions.openssl-legacy
    • python312Packages.spacy-legacy
    • python313Packages.spacy-legacy
    • python312Packages.legacy-api-wrap
    • python313Packages.legacy-api-wrap
    • python312Packages.packaging-legacy
    • python312Packages.pyoppleio-legacy
    • python313Packages.packaging-legacy
    • python313Packages.pyoppleio-legacy
    • python312Packages.llama-index-legacy
    • python313Packages.llama-index-legacy
    • ocamlPackages.janeStreet.legacy_diffable
    • pkgsRocm.python3Packages.llama-index-legacy
    • python312Packages.azure-servicemanagement-legacy
    • python313Packages.azure-servicemanagement-legacy
    • gnomeExtensions.legacy-gtk3-theme-scheme-auto-switcher
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Legacy theme <= 1.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Legacy legacy allows PHP Local File Inclusion.This issue affects Legacy: from n/a through <= 1.9.

Affected products

legacy
  • =<<= 1.9
Ignored packages (37)

pkgs.etlegacy

ET: Legacy is an open source project based on the code of Wolfenstein: Enemy Territory which was released in 2010 under the terms of the GPLv3 license

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.ifstat-legacy

Report network interfaces bandwith just like vmstat/iostat do for other system counters - legacy version

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1

pkgs.etlegacy-unwrapped

ET: Legacy is an open source project based on the code of Wolfenstein: Enemy Territory which was released in 2010 under the terms of the GPLv3 license

pkgs.rquickshare-legacy

Rust implementation of NearbyShare/QuickShare from Android for Linux and macOS

WP theme not present in nixpkgs
Permalink CVE-2025-62137
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • sshuttle
    • cargo-shuttle
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Shuttle theme <= 1.5.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shuttlethemes Shuttle allows Stored XSS.This issue affects Shuttle: from n/a through 1.5.0.

Affected products

shuttle
  • =<1.5.0
Ignored packages (2)

pkgs.sshuttle

Transparent proxy server that works as a poor man's VPN

WP theme not present in nixpkgs
Permalink CVE-2025-67935
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    10 packages
    • pngoptimizer
    • meshoptimizer
    • openorbitaloptimizer
    • elmPackages.elm-optimize-level-2
    • akkuPackages.cyclone-iset-optimize
    • haskellPackages.amazonka-compute-optimizer
    • python312Packages.mypy-boto3-compute-optimizer
    • python313Packages.mypy-boto3-compute-optimizer
    • python312Packages.types-aiobotocore-compute-optimizer
    • python313Packages.types-aiobotocore-compute-optimizer
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress Optimize theme < 2.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4.

Affected products

optimizewp
  • =<< 2.4
Ignored packages (10)

pkgs.pngoptimizer

PNG optimizer and converter

  • nixos-unstable 2.7
    • nixpkgs-unstable 2.7
    • nixos-unstable-small 2.7

pkgs.meshoptimizer

Mesh optimization library that makes meshes smaller and faster to render

  • nixos-unstable 0.25
    • nixpkgs-unstable 0.25
    • nixos-unstable-small 0.25 
WP theme not present in nixpkgs
Permalink CVE-2025-60053
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    3 packages
    • python312Packages.maxcube-api
    • python313Packages.maxcube-api
    • home-assistant-component-tests.maxcube
    3 months, 1 week ago
  • @LeSuisse dismissed 3 months, 1 week ago
WordPress MaxCube theme <= 1.3.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MaxCube maxcube allows PHP Local File Inclusion.This issue affects MaxCube: from n/a through <= 1.3.1.

Affected products

maxcube
  • =<<= 1.3.1
Ignored packages (3) 
WP theme not present in nixpkgs