Nixpkgs security tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2023-43785
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
  • @LeSuisse dismissed
libX11: out-of-bounds memory access in _XkbReadKeySyms()

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.

Affected products

libX11
  • ==1.8.7
  • <1.8.7
  • *
Ignored packages (2)
No impacted packages
CVE-2021-4472
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • mistralclient
    • python312Packages.python-mistralclient
    • python313Packages.python-mistralclient
  • @LeSuisse dismissed
python-mistralclient: mistral-dashboard: local file inclusion through the 'Create Workbook' feature

The mistral-dashboard plugin for OpenStack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of the content of arbitrary local files.

Affected products

python-mistralclient
rhosp13/openstack-zaqar
rhosp13/openstack-ec2-api
rhosp13/openstack-horizon
rhosp13/openstack-tempest
rhosp13/openstack-aodh-api
rhosp13/openstack-collectd
rhosp13/openstack-heat-all
rhosp13/openstack-heat-api
rhosp13/openstack-keystone
rhosp13/openstack-nova-api
rhosp13/openstack-aodh-base
rhosp13/openstack-heat-base
rhosp13/openstack-nova-base
rhosp13/openstack-panko-api
rhosp13/openstack-cinder-api
rhosp13/openstack-glance-api
rhosp13/openstack-ironic-api
rhosp13/openstack-ironic-pxe
rhosp13/openstack-manila-api
rhosp13/openstack-panko-base
rhosp13/openstack-sahara-api
rhosp13/openstack-swift-base
rhosp13/openstack-cinder-base
rhosp13/openstack-glance-base
rhosp13/openstack-gnocchi-api
rhosp13/openstack-heat-engine
rhosp13/openstack-ironic-base
rhosp13/openstack-manila-base
rhosp13/openstack-mistral-api
rhosp13/openstack-octavia-api
rhosp13/openstack-sahara-base
rhosp-rhel8/openstack-heat-all
rhosp-rhel8/openstack-heat-api
rhosp-rhel9/openstack-heat-all
rhosp-rhel9/openstack-heat-api
rhosp13/openstack-barbican-api
rhosp13/openstack-dependencies
rhosp13/openstack-gnocchi-base
rhosp13/openstack-heat-api-cfn
rhosp13/openstack-horizon-base
rhosp13/openstack-manila-share
rhosp13/openstack-mistral-base
rhosp13/openstack-neutron-base
rhosp13/openstack-nova-compute
rhosp13/openstack-octavia-base
rhosp13/openstack-swift-object
rhosp-rhel8/openstack-heat-base
rhosp-rhel9/openstack-heat-base
rhosp13/openstack-aodh-listener
rhosp13/openstack-aodh-notifier
rhosp13/openstack-barbican-base
rhosp13/openstack-cinder-backup
rhosp13/openstack-cinder-volume
rhosp13/openstack-keystone-base
rhosp13/openstack-sahara-engine
rhosp13/openstack-swift-account
rhosp13/openstack-aodh-evaluator
rhosp13/openstack-gnocchi-statsd
rhosp13/openstack-mistral-engine
rhosp13/openstack-neutron-server
rhosp13/openstack-nova-conductor
rhosp13/openstack-nova-scheduler
rhosp13/openstack-octavia-worker
rhosp-rhel8/openstack-heat-engine
rhosp-rhel8/openstack-mistral-api
rhosp-rhel9/openstack-heat-engine
rhosp13/openstack-barbican-worker
rhosp13/openstack-ceilometer-base
rhosp13/openstack-ceilometer-ipmi
rhosp13/openstack-gnocchi-metricd
rhosp13/openstack-nova-novncproxy
rhosp13/openstack-swift-container
rhosp-rhel8/openstack-heat-api-cfn
rhosp-rhel8/openstack-mistral-base
rhosp-rhel9/openstack-heat-api-cfn
rhosp13/openstack-cinder-scheduler
rhosp13/openstack-ironic-conductor
rhosp13/openstack-ironic-inspector
rhosp13/openstack-manila-scheduler
rhosp13/openstack-mistral-executor
rhosp13/openstack-neutron-l3-agent
rhosp13/openstack-nova-consoleauth
rhosp-rhel8/openstack-tripleoclient
rhosp-rhel9/openstack-tripleoclient
rhosp-rhel8/openstack-mistral-engine
rhosp-rhel8/openstack-nova-scheduler
rhosp13/openstack-ceilometer-central
rhosp13/openstack-ceilometer-compute
rhosp13/openstack-neutron-dhcp-agent
rhosp13/openstack-neutron-server-ovn
rhosp13/openstack-nova-placement-api
rhosp13/openstack-swift-proxy-server
rhosp13/openstack-neutron-sriov-agent
rhosp13/openstack-nova-compute-ironic
rhosp-rhel8/openstack-mistral-executor
rhosp13/openstack-ironic-neutron-agent
rhosp13/openstack-mistral-event-engine
rhosp13/openstack-octavia-housekeeping
rhosp13/openstack-neutron-metadata-agent
rhosp13/openstack-octavia-health-manager
rhosp13/openstack-ceilometer-notification
rhosp-rhel8/openstack-mistral-event-engine
rhosp13/openstack-neutron-openvswitch-agent
rhosp13/openstack-barbican-keystone-listener
rhosp13/openstack-neutron-metadata-agent-ovn
rhosp13/openstack-neutron-server-opendaylight
Ignored packages (3)
No impacted packages
CVE-2025-64363
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 2 weeks ago by @pyrox0 Activity log
  • Created suggestion
  • @pyrox0 dismissed
WordPress Kleo theme < 5.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeventhQueen Kleo kleo allows PHP Local File Inclusion. This issue affects Kleo: from n/a through < 5.5.0.

Affected products

kleo
  • <5.5.0

Matching in nixpkgs

Listed packages are not the ones with the vulnerability.
CVE-2025-12695
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months, 2 weeks ago by @pyrox0 Activity log
  • Created suggestion
  • @pyrox0 dismissed
Insecure configuration in DSPy leads to arbitrary file read when running untrusted code inside the sandbox

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases where users build an AI agent that consumes user input and uses the "PythonInterpreter" class.

Affected products

dspy
  • ==0

Matching in nixpkgs

Package maintainers

Listed package is not the one with the vulnerability.
CVE-2025-10622
8.0 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 2 weeks ago by @pyrox0 Activity log
  • Created suggestion
  • @pyrox0 dismissed
Foreman: OS command injection via ct_location and fcct_location parameters

A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying operating system via insufficient server-side validation of command whitelisting.

Affected products

foreman
  • <3.16.1
  • *
satellite:el8/foreman

Matching in nixpkgs

pkgs.foreman

Process manager for applications with multiple components

Package maintainers

Listed package is not the one with the CVE.
CVE-2025-66099
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months, 2 weeks ago by @pyrox0 Activity log
  • Created suggestion
  • @pyrox0 dismissed
WordPress Chat Help plugin <= 3.1.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeAtelier Chat Help chat-help allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chat Help: from n/a through <= 3.1.3.

Affected products

chat-help
  • <=3.1.3

Matching in nixpkgs

Package maintainers

Listed package is not the same as the CVE project.
CVE-2025-60093
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed
WordPress Download Manager Plugin <= 3.3.24 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Shahjada Download Manager allows Cross Site Request Forgery. This issue affects Download Manager: from n/a through 3.3.24.

Affected products

download-manager
  • <=3.3.24

Matching in nixpkgs

Package maintainers

CVE-2025-60092
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed
WordPress Download Manager Plugin <= 3.3.24 - Sensitive Data Exposure Vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through 3.3.24.

Affected products

download-manager
  • <=3.3.24

Matching in nixpkgs

Package maintainers

CVE-2025-60165
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed
WordPress Frames Theme <= 1.5.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in HaruTheme Frames allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frames: from n/a through 1.5.7.

Affected products

frames
  • <=1.5.7

Matching in nixpkgs

pkgs.framesh

Native web3 interface that lets you sign data, securely manage accounts and transparently interact with dapps via web3 protocols like Ethereum and IPFS

Package maintainers

CVE-2025-62952
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed
WordPress ChatBot plugin <= 7.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through <= 7.3.0.

Affected products

chatbot
  • <=7.3.0

Matching in nixpkgs

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

  • nixos-unstable 22
    • nixpkgs-unstable 22
    • nixos-unstable-small 22

Package maintainers