Nixpkgs security tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2025-54689
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    30 packages
    • furnace
    • xournalpp
    • journalist
    • lazyjournal
    • qjournalctl
    • tui-journal
    • journalwatch
    • annapurna-sil
    • journaldriver
    • systemd-journal2gelf
    • kdePackages.kjournald
    • perlPackages.LogJournald
    • perl538Packages.LogJournald
    • perl540Packages.LogJournald
    • python312Packages.swh-journal
    • python313Packages.swh-journal
    • python312Packages.waterfurnace
    • python313Packages.waterfurnace
    • haskellPackages.journalctl-stream
    • haskellPackages.libsystemd-journal
    • python312Packages.logging-journald
    • python313Packages.logging-journald
    • haskellPackages.logging-facade-journald
    • typstPackages.starter-journal-article_0_1_1
    • typstPackages.starter-journal-article_0_2_0
    • typstPackages.starter-journal-article_0_3_0
    • typstPackages.starter-journal-article_0_3_1
    • typstPackages.starter-journal-article_0_3_2
    • typstPackages.starter-journal-article_0_3_3
    • typstPackages.starter-journal-article_0_4_0
  • @LeSuisse dismissed
WordPress Urna Theme <= 2.5.7 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7.

Affected products

urna
  • =<2.5.7
Ignored packages (30)

pkgs.furnace

Multi-system chiptune tracker compatible with DefleMask modules

  • nixos-unstable -

pkgs.xournalpp

Xournal++ is a handwriting Notetaking software with PDF annotation support

  • nixos-unstable -

pkgs.lazyjournal

TUI for journalctl, file system logs, as well as Docker and Podman containers

  • nixos-unstable -

pkgs.qjournalctl

Qt-based graphical user interface for systemd's journalctl command

  • nixos-unstable -

pkgs.tui-journal

Your journal app if you live in a terminal

  • nixos-unstable -

pkgs.journalwatch

Tool to find error messages in the systemd journal

  • nixos-unstable -

pkgs.annapurna-sil

Unicode-based font family with broad support for writing systems that use the Devanagari script

  • nixos-unstable -

pkgs.journaldriver

Log forwarder from journald to Stackdriver Logging

  • nixos-unstable -
CVE-2025-54671
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored package libvoikko
  • @LeSuisse dismissed
WordPress oik Plugin <= 4.15.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2.

Affected products

oik
  • =<4.15.2
Ignored packages (1)

pkgs.libvoikko

Finnish language processing library

  • nixos-unstable -
CVE-2025-54019
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • selendroid
    • stalonetray
    • art-standalone
    • argp-standalone
    • cbqn-standalone
    • htmlunit-driver
    • cbqn-standalone-replxx
    • selenium-server-standalone
  • @LeSuisse dismissed
WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.

Affected products

alone
  • <7.8.5
Ignored packages (8)

pkgs.selendroid

Test automation for native or hybrid Android apps and the mobile web

  • nixos-unstable -

pkgs.argp-standalone

Standalone version of arguments parsing functions from Glibc

  • nixos-unstable -

pkgs.htmlunit-driver

WebDriver server for running Selenium tests on the HtmlUnit headless browser

  • nixos-unstable -
    • nixpkgs-unstable 2.27
CVE-2025-54670
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored package libvoikko
  • @LeSuisse dismissed
WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.

Affected products

oik
  • =<4.15.2
Ignored packages (1)

pkgs.libvoikko

Finnish language processing library

  • nixos-unstable -
CVE-2025-57890
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • haskellPackages.simple-sessions
    • python312Packages.langchain-azure-dynamic-sessions
    • python313Packages.langchain-azure-dynamic-sessions
  • @LeSuisse dismissed
WordPress Sessions Plugin <= 3.2.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy Sessions allows Stored XSS. This issue affects Sessions: from n/a through 3.2.0.

Affected products

sessions
  • =<3.2.0
Ignored packages (3)
CVE-2025-58209
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • haskellPackages.amazonka-elastictranscoder
    • python312Packages.mypy-boto3-elastictranscoder
    • python313Packages.mypy-boto3-elastictranscoder
    • python312Packages.types-aiobotocore-elastictranscoder
    • python313Packages.types-aiobotocore-elastictranscoder
  • @LeSuisse dismissed
WordPress Transcoder Plugin <= 1.4.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtCamp Transcoder allows Stored XSS. This issue affects Transcoder: from n/a through 1.4.0.

Affected products

transcoder
  • =<1.4.0
Ignored packages (5)
CVE-2025-54724
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • ligolo-ng
    • xfce.gigolo
  • @LeSuisse dismissed
WordPress Golo Theme <= 1.7.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo allows Reflected XSS. This issue affects Golo: from n/a through 1.7.1.

Affected products

golo
  • =<1.7.1
Ignored packages (2)

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

  • nixos-unstable -

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

  • nixos-unstable -
CVE-2025-54725
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • xfce.gigolo
    • ligolo-ng
  • @LeSuisse dismissed
WordPress Golo Theme <= 1.7.0 - Broken Authentication Vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0.

Affected products

golo
  • =<1.7.0
Ignored packages (2)

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

  • nixos-unstable -

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

  • nixos-unstable -
CVE-2024-3508
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    9 packages
    • bzip2
    • lbzip2
    • pbzip2
    • bzip2_1_1
    • indexed-bzip2
    • haskellPackages.bzip2-clib
    • python312Packages.indexed-bzip2
    • python313Packages.indexed-bzip2
    • tests.pkg-config.defaultPkgConfigPackages.bzip2
  • @LeSuisse dismissed
Bzip2: compressed content bomb leads to denial of service of Bombastic API

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.

Affected products

bzip2
  • ==faa7a496c5d98e0f0859dd2c623eddf82289eaa8
SBOM-Management-(Bombastic)
Ignored packages (9)

pkgs.bzip2

High-quality data compression program

  • nixos-unstable -

pkgs.lbzip2

Parallel bzip2 compression utility

  • nixos-unstable -
    • nixpkgs-unstable 2.5

pkgs.pbzip2

Parallel implementation of bzip2 for multi-core machines

  • nixos-unstable -

pkgs.bzip2_1_1

High-quality data compression program

pkgs.indexed-bzip2

Python library for parallel decompression and seeking within compressed bzip2 files

  • nixos-unstable -
CVE-2025-58806
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
Updated 5 months, 3 weeks ago by @LeSuisse. Activity log:
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • haskellPackages.bugsnag
    • python312Packages.bugsnag
    • python313Packages.bugsnag
    • haskellPackages.bugsnag-hs
    • haskellPackages.bugsnag-wai
    • haskellPackages.bugsnag-yesod
  • @LeSuisse dismissed
WordPress WordPress Error Monitoring by Bugsnag Plugin <= 1.6.3 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in imjoehaines WordPress Error Monitoring by Bugsnag allows Stored XSS. This issue affects WordPress Error Monitoring by Bugsnag: from n/a through 1.6.3.

Affected products

bugsnag
  • =<1.6.3
Ignored packages (6)