Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-58947
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    2 packages
    • python312Packages.pathos
    • python313Packages.pathos
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Athos theme <= 1.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion.This issue affects Athos: from n/a through <= 1.9.

Affected products

athos
  • =<<= 1.9
Ignored packages (2) 
WP theme not present in nixpkgs
Permalink CVE-2025-58946
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    3 packages
    • typstPackages.unequivocal-ams_0_1_2
    • typstPackages.unequivocal-ams_0_1_1
    • typstPackages.unequivocal-ams_0_1_0
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Vocal theme <= 1.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion.This issue affects Vocal: from n/a through <= 1.12.

Affected products

vocal
  • =<<= 1.12
Ignored packages (3) 
WP theme not present in nixpkgs
Permalink CVE-2025-64253
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    12 packages
    • health-check
    • grpc-health-check
    • python312Packages.django-health-check
    • python313Packages.django-health-check
    • rubyPackages.github-pages-health-check
    • python312Packages.grpcio-health-checking
    • python313Packages.grpcio-health-checking
    • rubyPackages_3_1.github-pages-health-check
    • rubyPackages_3_2.github-pages-health-check
    • rubyPackages_3_3.github-pages-health-check
    • rubyPackages_3_4.github-pages-health-check
    • rubyPackages_3_5.github-pages-health-check
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Health Check & Troubleshooting plugin <= 1.7.1 - Path Traversal vulnerability

Path Traversal: '.../...//' vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal.This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1.

Affected products

health-check
  • =<<= 1.7.1
Ignored packages (12) 
WP plugin not present in nixpkgs
Permalink CVE-2025-60050
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    25 packages
    • redpanda-client
    • python312Packages.pandas
    • python313Packages.pandas
    • python312Packages.biopandas
    • python312Packages.geopandas
    • python312Packages.pandantic
    • python312Packages.pandas-ta
    • python313Packages.biopandas
    • python313Packages.geopandas
    • python313Packages.pandantic
    • python313Packages.pandas-ta
    • python312Packages.pint-pandas
    • python313Packages.pint-pandas
    • python312Packages.pandas-stubs
    • python313Packages.pandas-stubs
    • python312Packages.awkward-pandas
    • python312Packages.netdata-pandas
    • python313Packages.awkward-pandas
    • python313Packages.netdata-pandas
    • python312Packages.geoarrow-pandas
    • python313Packages.geoarrow-pandas
    • pkgsRocm.python3Packages.pandantic
    • python312Packages.prometheus-pandas
    • python313Packages.prometheus-pandas
    • pkgsRocm.python3Packages.pandas-stubs
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Panda theme <= 1.21 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion.This issue affects Panda: from n/a through <= 1.21.

Affected products

panda
  • =<<= 1.21
Ignored packages (25) 
WP theme not present in nixpkgs
Permalink CVE-2025-62014
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    5 packages
    • python313Packages.pypitoken
    • python312Packages.pypitoken
    • python313Packages.auditok
    • python312Packages.auditok
    • scitokens-cpp
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress ITok theme <= 1.1.42 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme ITok itok.This issue affects ITok: from n/a through <= 1.1.42.

Affected products

itok
  • =<<= 1.1.42
Ignored packages (5)

pkgs.scitokens-cpp

A C++ implementation of the SciTokens library with a C library interface

WP theme not present in nixpkgs
Permalink CVE-2025-53443
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    2 packages
    • l-smash
    • git-smash
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Smash theme <= 1.7 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Smash smash allows PHP Local File Inclusion.This issue affects Smash: from n/a through <= 1.7.

Affected products

smash
  • =<<= 1.7
Ignored packages (2)

pkgs.git-smash

Smash staged changes into previous commits to support your Git workflow, pull request and feature branch maintenance

WP theme not present in nixpkgs
Permalink CVE-2025-58940
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    4 packages
    • basilk
    • basiliskii
    • typstPackages.dmi-basilea-thesis_0_1_0
    • typstPackages.dmi-basilea-thesis_0_1_1
    4 months ago
  • @LeSuisse dismissed 4 months ago
WordPress Basil theme <= 1.3.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion.This issue affects Basil: from n/a through <= 1.3.12.

Affected products

basil
  • =<<= 1.3.12
Ignored packages (4)

pkgs.basilk

Terminal User Interface (TUI) to manage your tasks with minimal kanban logic

WP theme not present in nixpkgs
Permalink CVE-2025-55251
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months ago by @mweinelt Activity log
  • Created suggestion 4 months ago
  • @mweinelt dismissed 4 months ago
HCL AION is affected by an Unrestricted File Upload vulnerability

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

Affected products

AION
  • ==2

Matching in nixpkgs

Package maintainers

not packaged
Permalink CVE-2026-1170
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Reasonable (R)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months ago by @mweinelt Activity log
  • Created suggestion 4 months ago
  • @mweinelt dismissed 4 months ago
birkir prime GraphQL API graphql information disclosure

A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected products

prime
  • ==0.4.0.beta

Matching in nixpkgs

pkgs.primecount

Fast prime counting function implementations

  • nixos-unstable 7.20
    • nixpkgs-unstable 7.20
    • nixos-unstable-small 7.20

pkgs.prime-server

Non-blocking (web)server API for distributed computing and SOA based on zeromq

pkgs.CuboCore.libcprime

Library for bookmarking, saving recent activites, managing settings of C-Suite

pkgs.python312Packages.primepy

This module contains several useful functions to work with prime numbers. from primePy import primes

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3

pkgs.python313Packages.primepy

This module contains several useful functions to work with prime numbers. from primePy import primes

  • nixos-unstable 1.3
    • nixpkgs-unstable 1.3
    • nixos-unstable-small 1.3

Package maintainers

Not packaged
Permalink CVE-2025-55250
1.8 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 4 months ago by @mweinelt Activity log
  • Created suggestion 4 months ago
  • @mweinelt dismissed 4 months ago
HCL AION is affected by a Technical Error Disclosure vulnerability

HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks.

Affected products

AION
  • ==2

Matching in nixpkgs

Package maintainers

Not packaged