Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-68540
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    35 packages
    • grafana
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • grafana-image-renderer
    • dhallPackages.dhall-grafana
    • terraform-providers.grafana
    • python312Packages.grafanalib
    • python313Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • terraform-providers.grafana_grafana
    • grafanaPlugins.grafana-pyroscope-app
    • python312Packages.mypy-boto3-grafana
    • python313Packages.mypy-boto3-grafana
    • grafanaPlugins.grafana-piechart-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-metricsdrilldown-app
    • python312Packages.types-aiobotocore-grafana
    • python313Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-clickhouse-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-googlesheets-datasource
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Fana theme <= 1.1.35 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35.

Affected products

fana
  • =<<= 1.1.35
Ignored packages (35)

pkgs.grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

pkgs.grafanactl

Tool designed to simplify interaction with Grafana instances

pkgs.grafana-alloy

Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles

pkgs.grafana-dash-n-grab

Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities

pkgs.grafana-image-renderer

Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)

pkgs.grafanaPlugins.grafana-pyroscope-app

Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data

WP theme not present in nixpkgs
Permalink CVE-2025-53447
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    19 packages
    • wasm-strip
    • wast-refmt
    • wasm-text-gen
    • assemblyscript
    • webassemblyjs-cli
    • webassemblyjs-repl
    • nodePackages.@webassemblyjs/wasm-strip
    • nodePackages."@webassemblyjs/cli-1.11.1"
    • nodePackages."@webassemblyjs/repl-1.11.1"
    • tests.dotnet.structured-attrs.check-output
    • nodePackages_latest.@webassemblyjs/wasm-strip
    • vimPlugins.nvim-treesitter-parsers.disassembly
    • nodePackages."@webassemblyjs/wast-refmt-1.11.1"
    • nodePackages_latest."@webassemblyjs/cli-1.11.1"
    • nodePackages_latest."@webassemblyjs/repl-1.11.1"
    • nodePackages."@webassemblyjs/wasm-text-gen-1.11.1"
    • vscode-extensions.13xforever.language-x86-64-assembly
    • nodePackages_latest."@webassemblyjs/wast-refmt-1.11.1"
    • nodePackages_latest."@webassemblyjs/wasm-text-gen-1.11.1"
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Assembly theme <= 1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Assembly assembly allows PHP Local File Inclusion.This issue affects Assembly: from n/a through <= 1.1.

Affected products

assembly
  • =<<= 1.1
Ignored packages (19)

pkgs.wasm-text-gen

Emit documentation/code for your WASM binary Edit

WP theme not present in nixpkgs
Permalink CVE-2025-53430
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    10 packages
    • chickenPackages_5.chickenEggs.henrietta-cache-git
    • chickenPackages_5.chickenEggs.henrietta-cache
    • chickenPackages_5.chickenEggs.henrietta
    • python313Packages.django-rosetta
    • python312Packages.django-rosetta
    • python313Packages.palettable
    • python312Packages.palettable
    • typstPackages.quetta_0_2_0
    • typstPackages.quetta_0_1_0
    • ocamlPackages.rosetta
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Etta theme <= 1.14.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Etta etta allows PHP Local File Inclusion.This issue affects Etta: from n/a through <= 1.14.0.

Affected products

etta
  • =<<= 1.14.0
Ignored packages (10) 
WP theme not present in nixpkgs
Permalink CVE-2025-58941
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    25 packages
    • Fabric
    • fabric-ai
    • libfabric
    • fabric-installer
    • hyperledger-fabric
    • python312Packages.fabric
    • python313Packages.fabric
    • cudaPackages.fabricmanager
    • python312Packages.dtfabric
    • python313Packages.dtfabric
    • cudaPackages_11.fabricmanager
    • azure-cli-extensions.microsoft-fabric
    • python312Packages.azure-servicefabric
    • python313Packages.azure-servicefabric
    • python312Packages.llm-templates-fabric
    • python312Packages.mypy-boto3-appfabric
    • python313Packages.llm-templates-fabric
    • python313Packages.mypy-boto3-appfabric
    • azure-cli-extensions.managednetworkfabric
    • python312Packages.azure-mgmt-servicefabric
    • python313Packages.azure-mgmt-servicefabric
    • python312Packages.types-aiobotocore-appfabric
    • python313Packages.types-aiobotocore-appfabric
    • python312Packages.azure-mgmt-servicefabricmanagedclusters
    • python313Packages.azure-mgmt-servicefabricmanagedclusters
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Fabric theme <= 1.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Fabric fabric allows PHP Local File Inclusion.This issue affects Fabric: from n/a through <= 1.5.0.

Affected products

fabric
  • =<<= 1.5.0
Ignored packages (25)

pkgs.Fabric

Pythonic remote execution

pkgs.fabric-ai

Fabric is an open-source framework for augmenting humans using AI. It provides a modular framework for solving specific problems using a crowdsourced set of AI prompts that can be used anywhere

pkgs.cudaPackages_11.fabricmanager

NVIDIA Fabric Manager. By downloading and using the packages you accept the terms and conditions of the CUDA EULA

WP theme not present in nixpkgs
Permalink CVE-2025-58932
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    11 packages
    • prisma
    • prisma-engines
    • prisma-language-server
    • python312Packages.prisma
    • python313Packages.prisma
    • typstPackages.prismath_0_1_0
    • vscode-extensions.prisma.prisma
    • tree-sitter-grammars.tree-sitter-prisma
    • vimPlugins.nvim-treesitter-parsers.prisma
    • python312Packages.tree-sitter-grammars.tree-sitter-prisma
    • python313Packages.tree-sitter-grammars.tree-sitter-prisma
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Prisma theme <= 1.10 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion.This issue affects Prisma: from n/a through <= 1.10.

Affected products

prisma
  • =<<= 1.10
Ignored packages (11)

pkgs.prisma

Next-generation ORM for Node.js and TypeScript

WP theme not present in nixpkgs
Permalink CVE-2025-53448
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    8 packages
    • perl540Packages.SortNaturally
    • dwarf-fortress-packages.themes.rally-ho
    • perl538Packages.SortNaturally
    • perlPackages.SortNaturally
    • haskellPackages.literally
    • cro-mag-rally
    • stuntrally
    • trigger
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Rally theme <= 1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion.This issue affects Rally: from n/a through <= 1.1.

Affected products

rally
  • =<<= 1.1
Ignored packages (8)

pkgs.stuntrally

Stunt Rally game with Track Editor, based on VDrift and OGRE

  • nixos-unstable 2.7
    • nixpkgs-unstable 2.7
    • nixos-unstable-small 2.7

pkgs.cro-mag-rally

Port of Cro-Mag Rally, a 2000 Macintosh game by Pangea Software, for modern operating systems

WP theme not present in nixpkgs
Permalink CVE-2025-53242
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    10 packages
    • seilfahrt
    • abseil-cpp
    • abseil-cpp_202103
    • abseil-cpp_202301
    • abseil-cpp_202401
    • abseil-cpp_202407
    • abseil-cpp_202501
    • abseil-cpp_202505
    • python312Packages.pybind11-abseil
    • python313Packages.pybind11-abseil
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Seil Theme <= 1.7.1 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.This issue affects Seil: from n/a through <= 1.7.1.

Affected products

seil
  • =<<= 1.7.1
Ignored packages (10)

pkgs.seilfahrt

Tool to create a wiki page from a HedgeDoc

pkgs.abseil-cpp_202301

Open-source collection of C++ code designed to augment the C++ standard library

pkgs.abseil-cpp_202501

Open-source collection of C++ code designed to augment the C++ standard library

WP theme not present in nixpkgs
Permalink CVE-2025-49372
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    18 packages
    • happy
    • triggerhappy
    • haskellPackages.happy
    • haskellPackages.happy-dot
    • haskellPackages.happy-lib
    • haskellPackages.happy-meta
    • ocamlPackages.happy-eyeballs
    • haskellPackages.happy-arbitrary
    • ocamlPackages.happy-eyeballs-lwt
    • gnomeExtensions.happy-appy-hotkey
    • ocamlPackages.mimic-happy-eyeballs
    • python312Packages.aiohappyeyeballs
    • python313Packages.aiohappyeyeballs
    • ocamlPackages.happy-eyeballs-mirage
    • tests.testers.testBuildFailure.happy
    • tests.testers.testBuildFailure'.happy
    • tests.testers.testBuildFailure.happyStructuredAttrs
    • tests.testers.testBuildFailure'.happyStructuredAttrs
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress HAPPY plugin <= 1.0.7 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7.

Affected products

happy-helpdesk-support-ticket-system
  • =<<= 1.0.7
Ignored packages (18)

pkgs.happy

Happy is a parser generator for Haskell

WP plugin not present in nixpkgs
Permalink CVE-2025-66164
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    6 packages
    • python313Packages.toptica-lasersdk
    • python312Packages.toptica-lasersdk
    • haskellPackages.lasercutter
    • ooklaserver
    • dell-530cdn
    • brlaser
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Laser plugin <= 1.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in merkulove Laser laser allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laser: from n/a through <= 1.1.1.

Affected products

laser
  • =<<= 1.1.1
Ignored packages (6)

pkgs.brlaser

CUPS driver for Brother laser printers

WP plugin not present in nixpkgs
Permalink CVE-2025-22509
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    17 packages
    • atlas
    • nim-atlas
    • atlassian-cli
    • ripe-atlas-tools
    • mongodb-atlas-cli
    • atlassian-plugin-sdk
    • haskellPackages.atlas
    • prometheus-atlas-exporter
    • python312Packages.chatlas
    • python313Packages.chatlas
    • terraform-providers.mongodbatlas
    • python312Packages.ripe-atlas-sagan
    • python313Packages.ripe-atlas-sagan
    • python312Packages.ripe-atlas-cousteau
    • python313Packages.ripe-atlas-cousteau
    • python312Packages.atlassian-python-api
    • python313Packages.atlassian-python-api
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Atlas theme <= 2.1.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TMRW-studio Atlas atlas allows PHP Local File Inclusion.This issue affects Atlas: from n/a through <= 2.1.0.

Affected products

atlas
  • =<<= 2.1.0
Ignored packages (17)

pkgs.atlas

Manage your database schema as code

pkgs.atlassian-cli

Integrated family of CLI’s for various Atlassian applications

WP theme not present in nixpkgs