Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-66117
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package ocamlPackages.easy-format 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Easy Form plugin <= 2.7.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.8.

Affected products

easy-form
  • =<<= 2.7.8
Ignored packages (1) 
WP plugin not present in nixpkgs
Permalink CVE-2025-53445
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package catppuccin-catwalk 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Catwalk theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catwalk catwalk allows PHP Local File Inclusion.This issue affects Catwalk: from n/a through <= 1.4.

Affected products

catwalk
  • =<<= 1.4
Ignored packages (1)

pkgs.catppuccin-catwalk

CLI for Catppuccin that takes in four showcase images and displays them all at once

WP theme not present in nixpkgs
Permalink CVE-2025-67921
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package colobot 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Lobo theme < 2.8.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6.

Affected products

lobo
  • =<< 2.8.6
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-14430
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package brook 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Brook - Agency Business Creative theme <= 2.8.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion.This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9.

Affected products

brook
  • =<<= 2.8.9
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-67928
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package haskellPackages.automotive-cse 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6.

Affected products

automotive
  • =<<= 18.6
Ignored packages (1) 
WP plugin not present in nixpkgs
Permalink CVE-2025-22712
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package cargo-typify 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Typify theme <= 3.0.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion.This issue affects Typify: from n/a through <= 3.0.2.

Affected products

typify
  • =<<= 3.0.2
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-62136
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored package melos 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Melos theme <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Melos allows Stored XSS.This issue affects Melos: from n/a through 1.6.0.

Affected products

melos
  • =<1.6.0
Ignored packages (1)

pkgs.melos

Tool for managing Dart projects with multiple packages. With IntelliJ and Vscode IDE support. Supports automated versioning, changelogs & publishing via Conventional Commits. 

WP theme not present in nixpkgs
Permalink CVE-2025-62229
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months ago by @leona-ya Activity log
  • Created suggestion 6 months ago
  • @leona-ya ignored package tigervnc 5 months ago
  • @leona-ya accepted 5 months ago
  • @leona-ya dismissed 5 months ago
Xorg: xmayland: use-after-free in xpresentnotify structure creation

A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

References

Affected products

tigervnc
  • *
xwayland
  • <24.1.9
xorg-x11-server
  • *
xorg-x11-server-Xwayland
  • *
Ignored packages (1)

pkgs.tigervnc

Fork of tightVNC, made in cooperation with VirtualGL

already updated in nixpkgs 25.05, 25.11 and unstable.
Permalink CVE-2023-43787
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 6 months ago
  • @LeSuisse ignored
    2 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
Libx11: integer overflow in xcreateimage() leading to a heap overflow

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

References

Affected products

libX11
  • ==1.8.7
  • <1.8.7
  • *
Ignored packages (2) 
No impacted packages
Permalink CVE-2023-43786
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 6 months ago
  • @LeSuisse ignored
    4 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    • xorg.libXpm
    • tests.pkg-config.defaultPkgConfigPackages.xpm
    5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
Libx11: stack exhaustion from infinite recursion in putsubimage()

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.

References

Affected products

libX11
  • ==1.8.7
  • *
libXpm
  • <3.5.17
Ignored packages (4) 
No impacted packages