Nixpkgs security tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2025-67528
5.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
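The metric breakdown above is a CVSS v3.1 base vector rendered one metric per line. The following added example (not code from the tracker or from nixpkgs) recomputes the displayed score from those metrics using the equations of the CVSS v3.1 specification, including its integer-based Roundup, so a reader can check a tracker score, or a vendor's, before acting on it. The weights are the specification's published constants; the function names and the vector-string parser are this example's own.

```python
"""CVSS v3.1 base-score calculator (added example, not tracker code).

Implements the base-score equations from the CVSS v3.1 specification,
section 7.1, and the Roundup function from its appendix A.
"""
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"NETWORK": 0.85, "ADJACENT": 0.62, "LOCAL": 0.55, "PHYSICAL": 0.2}
AC = {"LOW": 0.77, "HIGH": 0.44}
UI = {"NONE": 0.85, "REQUIRED": 0.62}
CIA = {"HIGH": 0.56, "LOW": 0.22, "NONE": 0.0}
# Privileges Required has two weights: (scope unchanged, scope changed).
PR = {"NONE": (0.85, 0.85), "LOW": (0.62, 0.68), "HIGH": (0.27, 0.5)}

# Qualitative severity thresholds (specification, section 5).
SEVERITY = [(0.0, "NONE"), (0.1, "LOW"), (4.0, "MEDIUM"),
            (7.0, "HIGH"), (9.0, "CRITICAL")]


def roundup(value: float) -> float:
    """Round up to one decimal place using the spec's integer arithmetic,
    which avoids floating-point artefacts such as 4.0000001 becoming 4.1."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, s, c, i, a) -> float:
    """Base score from the eight base metrics, spelled out as the tracker
    prints them (e.g. av="LOCAL", s="UNCHANGED", c="LOW")."""
    changed = s.upper() == "CHANGED"
    iss = 1 - (1 - CIA[c.upper()]) * (1 - CIA[i.upper()]) * (1 - CIA[a.upper()])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * AV[av.upper()] * AC[ac.upper()]
                      * PR[pr.upper()][1 if changed else 0] * UI[ui.upper()])
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def severity(score: float) -> str:
    """Map a numeric score to the qualitative rating shown next to it."""
    label = "NONE"
    for threshold, name in SEVERITY:
        if score >= threshold:
            label = name
    return label


def score_vector(vector: str) -> tuple[float, str]:
    """Parse 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L' and return
    (score, rating). Only v3.1 vectors are accepted; v3.0 uses a different
    Roundup and v4.0 a different model entirely."""
    long = {"AV": {"N": "NETWORK", "A": "ADJACENT", "L": "LOCAL", "P": "PHYSICAL"},
            "AC": {"L": "LOW", "H": "HIGH"},
            "PR": {"N": "NONE", "L": "LOW", "H": "HIGH"},
            "UI": {"N": "NONE", "R": "REQUIRED"},
            "S": {"U": "UNCHANGED", "C": "CHANGED"},
            "C": {"H": "HIGH", "L": "LOW", "N": "NONE"},
            "I": {"H": "HIGH", "L": "LOW", "N": "NONE"},
            "A": {"H": "HIGH", "L": "LOW", "N": "NONE"}}
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    if parts.get("CVSS") != "3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    m = {k: long[k][parts[k]] for k in long}
    score = base_score(m["AV"], m["AC"], m["PR"], m["UI"],
                       m["S"], m["C"], m["I"], m["A"])
    return score, severity(score)


if __name__ == "__main__":
    # The entry above, CVE-2025-67528, shown by the tracker as 5.1 MEDIUM.
    print(score_vector("CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"))
```

Every score on this page reproduces from its metric lines (5.1, 7.1, 9.8, 6.5, 8.1, 8.2). Note that the Scope metric changes both the Privileges Required weight and the impact formula, which is why two vectors differing only in S:U versus S:C can land in different severity bands.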
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    31 packages
    • furnace
    • xournalpp
    • journalist
    • lazyjournal
    • qjournalctl
    • tui-journal
    • journalwatch
    • annapurna-sil
    • journaldriver
    • systemd-journal2gelf
    • kdePackages.kjournald
    • perlPackages.LogJournald
    • perl538Packages.LogJournald
    • perl540Packages.LogJournald
    • python312Packages.swh-journal
    • python313Packages.swh-journal
    • python312Packages.waterfurnace
    • typstPackages.starter-journal-article_0_4_0
    • typstPackages.starter-journal-article_0_3_3
    • typstPackages.starter-journal-article_0_3_2
    • typstPackages.starter-journal-article_0_3_1
    • typstPackages.starter-journal-article_0_3_0
    • typstPackages.starter-journal-article_0_2_0
    • typstPackages.starter-journal-article_0_1_1
    • haskellPackages.logging-facade-journald
    • typstPackages.starter-journal-article
    • python313Packages.logging-journald
    • python312Packages.logging-journald
    • haskellPackages.libsystemd-journal
    • haskellPackages.journalctl-stream
    • python313Packages.waterfurnace
  • @LeSuisse dismissed
WordPress Urna theme <= 2.5.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12.

Affected products

urna
  • <= 2.5.12
Ignored packages (31)

pkgs.furnace

Multi-system chiptune tracker compatible with DefleMask modules

pkgs.xournalpp

Xournal++ is a handwriting Notetaking software with PDF annotation support

pkgs.lazyjournal

TUI for journalctl, file system logs, as well as Docker and Podman containers

pkgs.qjournalctl

Qt-based graphical user interface for systemd's journalctl command

pkgs.journalwatch

Tool to find error messages in the systemd journal

pkgs.annapurna-sil

Unicode-based font family with broad support for writing systems that use the Devanagari script

WP theme not present in nixpkgs
CVE-2025-52739
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • python313Packages.schema-salad
    • python312Packages.schema-salad
    • python313Packages.datasalad
    • python312Packages.datasalad
  • @LeSuisse dismissed
WordPress Sala theme <= 1.1.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Sala allows Reflected XSS. This issue affects Sala: from n/a through 1.1.3.

Affected products

Sala
  • <= 1.1.3
Ignored packages (4)
WP theme not present in nixpkgs
CVE-2026-0906
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    25 packages
    • chromedriver
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • google-chrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • undetected-chromedriver
    • electron-chromedriver_33
    • grafanaPlugins.ventura-psychrometric-panel
    • python313Packages.undetected-chromedriver
    • python312Packages.undetected-chromedriver
    • python313Packages.pychromecast
    • python312Packages.pychromecast
    • noto-fonts-monochrome-emoji
    • ocamlPackages.chrome-trace
    • xorg.xf86videoopenchrome
    • electron-chromedriver_39
    • electron-chromedriver_38
    • electron-chromedriver_37
    • electron-chromedriver_36
    • electron-chromedriver_35
    • electron-chromedriver_34
  • @LeSuisse dismissed
Incorrect security UI in Google Chrome on Android prior to …

Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)

Affected products

Chrome
  • <144.0.7559.59
Ignored packages (25)

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Seems to only impact Chrome on Android (and it's already upgraded in nixpkgs)
CVE-2025-62951
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.h5py
    • python313Packages.h5py
    • python312Packages.h5py-mpi
    • python313Packages.h5py-mpi
    • python312Packages.airtouch5py
    • python313Packages.airtouch5py
    • pkgsRocm.python3Packages.h5py-mpi
  • @LeSuisse dismissed
WordPress Interactive Content – H5P plugin <= 1.16.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icc0rz Interactive Content – H5P h5p allows Stored XSS. This issue affects Interactive Content – H5P: from n/a through <= 1.16.0.

Affected products

h5p
  • <= 1.16.0
Ignored packages (7)
WP plugin not present in nixpkgs
CVE-2025-68540
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    35 packages
    • grafana
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • grafana-image-renderer
    • dhallPackages.dhall-grafana
    • terraform-providers.grafana
    • python312Packages.grafanalib
    • python313Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • terraform-providers.grafana_grafana
    • grafanaPlugins.grafana-pyroscope-app
    • python312Packages.mypy-boto3-grafana
    • python313Packages.mypy-boto3-grafana
    • grafanaPlugins.grafana-piechart-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-metricsdrilldown-app
    • python312Packages.types-aiobotocore-grafana
    • python313Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-clickhouse-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-googlesheets-datasource
  • @LeSuisse dismissed
WordPress Fana theme <= 1.1.35 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35.

Affected products

fana
  • <= 1.1.35
Ignored packages (35)

pkgs.grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

pkgs.grafanactl

Tool designed to simplify interaction with Grafana instances

pkgs.grafana-alloy

Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles

pkgs.grafana-dash-n-grab

Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities

pkgs.grafana-image-renderer

Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)

pkgs.grafanaPlugins.grafana-pyroscope-app

Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data

WP theme not present in nixpkgs
CVE-2025-53447
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    19 packages
    • wasm-strip
    • wast-refmt
    • wasm-text-gen
    • assemblyscript
    • webassemblyjs-cli
    • webassemblyjs-repl
    • nodePackages.@webassemblyjs/wasm-strip
    • nodePackages."@webassemblyjs/cli-1.11.1"
    • nodePackages."@webassemblyjs/repl-1.11.1"
    • tests.dotnet.structured-attrs.check-output
    • nodePackages_latest.@webassemblyjs/wasm-strip
    • vimPlugins.nvim-treesitter-parsers.disassembly
    • nodePackages."@webassemblyjs/wast-refmt-1.11.1"
    • nodePackages_latest."@webassemblyjs/cli-1.11.1"
    • nodePackages_latest."@webassemblyjs/repl-1.11.1"
    • nodePackages."@webassemblyjs/wasm-text-gen-1.11.1"
    • vscode-extensions.13xforever.language-x86-64-assembly
    • nodePackages_latest."@webassemblyjs/wast-refmt-1.11.1"
    • nodePackages_latest."@webassemblyjs/wasm-text-gen-1.11.1"
  • @LeSuisse dismissed
WordPress Assembly theme <= 1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Assembly assembly allows PHP Local File Inclusion. This issue affects Assembly: from n/a through <= 1.1.

Affected products

assembly
  • <= 1.1
Ignored packages (19)

pkgs.wasm-text-gen

Emit documentation/code for your WASM binary

WP theme not present in nixpkgs
CVE-2025-53430
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    10 packages
    • chickenPackages_5.chickenEggs.henrietta-cache-git
    • chickenPackages_5.chickenEggs.henrietta-cache
    • chickenPackages_5.chickenEggs.henrietta
    • python313Packages.django-rosetta
    • python312Packages.django-rosetta
    • python313Packages.palettable
    • python312Packages.palettable
    • typstPackages.quetta_0_2_0
    • typstPackages.quetta_0_1_0
    • ocamlPackages.rosetta
  • @LeSuisse dismissed
WordPress Etta theme <= 1.14.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Etta etta allows PHP Local File Inclusion. This issue affects Etta: from n/a through <= 1.14.0.

Affected products

etta
  • <= 1.14.0
Ignored packages (10)
WP theme not present in nixpkgs
CVE-2025-58941
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    25 packages
    • Fabric
    • fabric-ai
    • libfabric
    • fabric-installer
    • hyperledger-fabric
    • python312Packages.fabric
    • python313Packages.fabric
    • cudaPackages.fabricmanager
    • python312Packages.dtfabric
    • python313Packages.dtfabric
    • cudaPackages_11.fabricmanager
    • azure-cli-extensions.microsoft-fabric
    • python312Packages.azure-servicefabric
    • python313Packages.azure-servicefabric
    • python312Packages.llm-templates-fabric
    • python312Packages.mypy-boto3-appfabric
    • python313Packages.llm-templates-fabric
    • python313Packages.mypy-boto3-appfabric
    • azure-cli-extensions.managednetworkfabric
    • python312Packages.azure-mgmt-servicefabric
    • python313Packages.azure-mgmt-servicefabric
    • python312Packages.types-aiobotocore-appfabric
    • python313Packages.types-aiobotocore-appfabric
    • python312Packages.azure-mgmt-servicefabricmanagedclusters
    • python313Packages.azure-mgmt-servicefabricmanagedclusters
  • @LeSuisse dismissed
WordPress Fabric theme <= 1.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Fabric fabric allows PHP Local File Inclusion. This issue affects Fabric: from n/a through <= 1.5.0.

Affected products

fabric
  • <= 1.5.0
Ignored packages (25)

pkgs.Fabric

Pythonic remote execution

pkgs.fabric-ai

Fabric is an open-source framework for augmenting humans using AI. It provides a modular framework for solving specific problems using a crowdsourced set of AI prompts that can be used anywhere

pkgs.cudaPackages_11.fabricmanager

NVIDIA Fabric Manager. By downloading and using the packages you accept the terms and conditions of the CUDA EULA

WP theme not present in nixpkgs
CVE-2025-58932
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • prisma
    • prisma-engines
    • prisma-language-server
    • python312Packages.prisma
    • python313Packages.prisma
    • typstPackages.prismath_0_1_0
    • vscode-extensions.prisma.prisma
    • tree-sitter-grammars.tree-sitter-prisma
    • vimPlugins.nvim-treesitter-parsers.prisma
    • python312Packages.tree-sitter-grammars.tree-sitter-prisma
    • python313Packages.tree-sitter-grammars.tree-sitter-prisma
  • @LeSuisse dismissed
WordPress Prisma theme <= 1.10 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion. This issue affects Prisma: from n/a through <= 1.10.

Affected products

prisma
  • <= 1.10
Ignored packages (11)

pkgs.prisma

Next-generation ORM for Node.js and TypeScript

WP theme not present in nixpkgs
CVE-2025-53448
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 3 months, 1 week ago by @LeSuisse

Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • perl540Packages.SortNaturally
    • dwarf-fortress-packages.themes.rally-ho
    • perl538Packages.SortNaturally
    • perlPackages.SortNaturally
    • haskellPackages.literally
    • cro-mag-rally
    • stuntrally
    • trigger
  • @LeSuisse dismissed
WordPress Rally theme <= 1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion. This issue affects Rally: from n/a through <= 1.1.

Affected products

rally
  • <= 1.1
Ignored packages (8)

pkgs.stuntrally

Stunt Rally game with Track Editor, based on VDrift and OGRE

  • nixos-unstable 2.7
    • nixpkgs-unstable 2.7
    • nixos-unstable-small 2.7

pkgs.cro-mag-rally

Port of Cro-Mag Rally, a 2000 Macintosh game by Pangea Software, for modern operating systems

WP theme not present in nixpkgs