Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-60092
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Download Manager Plugin <= 3.3.24 - Sensitive Data Exposure Vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through 3.3.24.

Affected products

download-manager
  • =<3.3.24

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-60165
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Frames Theme <= 1.5.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in HaruTheme Frames allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frames: from n/a through 1.5.7.

Affected products

frames
  • =<1.5.7

Matching in nixpkgs

pkgs.framesh

Native web3 interface that lets you sign data, securely manage accounts and transparently interact with dapps via web3 protocols like Ethereum and IPFS

Package maintainers

Permalink CVE-2025-62952
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress ChatBot plugin <= 7.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ChatBot: from n/a through <= 7.3.0.

Affected products

chatbot
  • =<<= 7.3.0

Matching in nixpkgs

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

  • nixos-unstable 22
    • nixpkgs-unstable 22
    • nixos-unstable-small 22

Package maintainers

Permalink CVE-2025-64228
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress SUMO Affiliates Pro plugin <= 11.0.0 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Retrieve Embedded Sensitive Data.This issue affects SUMO Affiliates Pro: from n/a through <= 11.0.0.

Affected products

affs
  • =<<= 11.0.0

Matching in nixpkgs

pkgs.unyaffs

Tool to extract files from a YAFFS2 file system image

  • nixos-unstable 0.9
    • nixpkgs-unstable 0.9
    • nixos-unstable-small 0.9

Package maintainers

Permalink CVE-2025-64354
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Gutenberg plugin <= 21.8.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matias Ventura Gutenberg gutenberg allows Stored XSS.This issue affects Gutenberg: from n/a through <= 21.8.2.

Affected products

gutenberg
  • =<<= 21.8.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-60202
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Favorites plugin <= 2.3.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kyle Phillips Favorites favorites allows PHP Local File Inclusion.This issue affects Favorites: from n/a through <= 2.3.6.

Affected products

favorites
  • =<<= 2.3.6

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-62034
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Togo theme < 1.0.4 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-58964
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Enzy theme < 1.6.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Enzy enzy allows Reflected XSS.This issue affects Enzy: from n/a through < 1.6.4.

Affected products

enzy
  • =<< 1.6.4

Matching in nixpkgs

pkgs.enzyme

High-performance automatic differentiation of LLVM and MLIR

Package maintainers

Permalink CVE-2025-62033
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Togo theme < 1.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-62037
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse dismissed 4 months, 3 weeks ago
WordPress Togo theme < 1.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers