Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-64259
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 5 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 6 months ago
  • @LeSuisse dismissed 5 months, 3 weeks ago
WordPress Theater for WordPress plugin <= 0.18.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.18.8.

Affected products

theatre
  • =<<= 0.18.8

Matching in nixpkgs

Permalink CVE-2025-49251
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    33 packages
    • grafana
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • dhallPackages.dhall-grafana
    • terraform-providers.grafana
    • python312Packages.grafanalib
    • python313Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • grafanaPlugins.grafana-pyroscope-app
    • grafanaPlugins.grafana-googlesheets-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-clickhouse-datasource
    • python313Packages.types-aiobotocore-grafana
    • python312Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-metricsdrilldown-app
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-piechart-panel
    • python313Packages.mypy-boto3-grafana
    • python312Packages.mypy-boto3-grafana
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Fana <= 1.1.28 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through 1.1.28.

Affected products

fana
  • =<1.1.28
Ignored packages (33)

pkgs.grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

  • nixos-unstable -

pkgs.grafanactl

Tool designed to simplify interaction with Grafana instances

  • nixos-unstable -

pkgs.mcp-grafana

MCP server for Grafana

  • nixos-unstable -

pkgs.grafana-loki

Like Prometheus, but for logs

  • nixos-unstable -

pkgs.grafana-alloy

Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles

  • nixos-unstable -

pkgs.grafana-dash-n-grab

Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities

  • nixos-unstable -

pkgs.grafanaPlugins.grafana-pyroscope-app

Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data

  • nixos-unstable -
Permalink CVE-2025-49253
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    3 packages
    • typstPackages.lasagna_0_1_0
    • typstPackages.lasaveur_0_1_3
    • typstPackages.lasaveur_0_1_4
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Lasa <= 1.1 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1.

Affected products

lasa
  • =<1.1
Ignored packages (3)

pkgs.typstPackages.lasaveur_0_1_3

Porting vim-latex's math shorthands to Typst. An accommendating vim syntax file is provided in the repo

  • nixos-unstable -

pkgs.typstPackages.lasaveur_0_1_4

Porting vim-latex's math shorthands to Typst. An accommendating vim syntax file is provided in the repo

  • nixos-unstable -
Permalink CVE-2025-49259
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    11 packages
    • charasay
    • gnome-characters
    • keepass-charactercopy
    • unicode-character-database
    • haskellPackages.character-ps
    • coqPackages.mathcomp-character
    • python312Packages.characteristic
    • python313Packages.characteristic
    • magnetophonDSP.CharacterCompressor
    • python312Packages.character-encoding-utils
    • python313Packages.character-encoding-utils
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Hara <= 1.2.10 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through 1.2.10.

Affected products

hara
  • =<1.2.10
Ignored packages (11)

pkgs.charasay

Future of cowsay - Colorful characters saying something

  • nixos-unstable -

pkgs.gnome-characters

Simple utility application to find and insert unusual characters

  • nixos-unstable -
    • nixpkgs-unstable 48.0
Permalink CVE-2025-23999
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    14 packages
    • kdePackages.breeze
    • kdePackages.breeze-gtk
    • kdePackages.breeze-grub
    • libsForQt5.breeze-icons
    • kdePackages.breeze-icons
    • breeze-hacked-cursor-theme
    • kdePackages.breeze-plymouth
    • python312Packages.seabreeze
    • python313Packages.seabreeze
    • plasma5Packages.breeze-icons
    • kdePackages.qqc2-breeze-style
    • wordpressPackages.plugins.breeze
    • kdePackages.sierra-breeze-enhanced
    • qt6Packages.sierra-breeze-enhanced
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Breeze plugin <= 2.2.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through 2.2.13.

Affected products

breeze
  • =<2.2.13
Ignored packages (14)

pkgs.kdePackages.breeze

Artwork, styles and assets for the Breeze visual style for the Plasma Desktop

  • nixos-unstable -
Permalink CVE-2025-49976
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    10 packages
    • fsnotifier
    • mpris-notifier
    • terminal-notifier
    • usbguard-notifier
    • python312Packages.pynotifier
    • python312Packages.desktop-notifier
    • python313Packages.desktop-notifier
    • haskellPackages.status-notifier-item
    • kdePackages.kstatusnotifieritem
    • python313Packages.pynotifier
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress WANotifier plugin <= 2.7.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WANotifier WANotifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through 2.7.7.

Affected products

notifier
  • =<2.7.7
Ignored packages (10)

pkgs.fsnotifier

IntelliJ Platform companion program for watching and reporting file and directory structure modification

  • nixos-unstable -

pkgs.mpris-notifier

Dependency-light, highly-customizable, XDG desktop notification generator for MPRIS status changes

  • nixos-unstable -

pkgs.usbguard-notifier

Notifications for detecting usbguard policy and device presence changes

  • nixos-unstable -
Permalink CVE-2025-49974
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    3 packages
    • git-upstream
    • lomiri.qtmir
    • tests.haskell.upstreamStackHpackVersion
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.

Affected products

upstream
  • =<2.1.0
Ignored packages (3)

pkgs.git-upstream

Shortcut for `git push --set-upstream`

  • nixos-unstable -
Permalink CVE-2025-53338
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    23 packages
    • replace
    • fireplace
    • qsreplace
    • replacement
    • replace-secret
    • haskellPackages.replace-attoparsec
    • haskellPackages.replace-megaparsec
    • haskellPackages.text-regex-replace
    • tests.substitute.legacySingleReplace
    • tests.replaceVars.replaceVars.succeeds
    • tests.replaceVars.replaceVarsWith.succeeds
    • tests.replaceVars.replaceVars.fails-on-directory
    • tests.replaceVars.replaceVars.fails-in-build-phase
    • tests.replaceVars.replaceVars.fails-in-check-phase
    • tests.replaceVars.replaceVarsWith.fails-on-directory
    • tests.replaceVars.replaceVars.succeeds-with-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-build-phase
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase
    • tests.replaceVars.replaceVarsWith.succeeds-with-exemption
    • tests.replaceVars.replaceVars.fails-in-check-phase-with-exemption
    • tests.replaceVars.replaceVars.fails-in-check-phase-with-bad-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-bad-exemption
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress re.place plugin <= 0.2.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1.

Affected products

replace
  • =<0.2.1
Ignored packages (23)

pkgs.replace

Tool to replace verbatim strings

  • nixos-unstable -
    • nixpkgs-unstable 2.24

pkgs.qsreplace

Accept URLs on stdin, replace all query string values with a user-supplied value

  • nixos-unstable -

pkgs.replacement

Tool to execute yaml templates and output text

  • nixos-unstable -

pkgs.replace-secret

Replace a string in one file with a secret from a second file

  • nixos-unstable -
    • nixpkgs-unstable
Permalink CVE-2025-52826
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.datasalad
    • python313Packages.datasalad
    • python312Packages.schema-salad
    • python313Packages.schema-salad
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Sala theme <= 1.1.3 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.

Affected products

sala
  • =<1.1.3
Ignored packages (4)

pkgs.python312Packages.datasalad

Pure-Python library with a collection of utilities for working with Git and git-annex

  • nixos-unstable -

pkgs.python313Packages.datasalad

Pure-Python library with a collection of utilities for working with Git and git-annex

  • nixos-unstable -
Permalink CVE-2025-31428
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    11 packages
    • hydrogen
    • hydroxide
    • libhydrogen
    • tau-hydrogen
    • fishPlugins.hydro
    • hydrogen-web-unwrapped
    • python312Packages.hydrogram
    • python313Packages.hydrogram
    • haskellPackages.hydrogen-version
    • python312Packages.swisshydrodata
    • python313Packages.swisshydrodata
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress HYDRO theme <= 2.8 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddhaThemes HYDRO allows Reflected XSS. This issue affects HYDRO: from n/a through 2.8.

Affected products

hydro
  • =<2.8
Ignored packages (11)

pkgs.hydrogen

Advanced drum machine

  • nixos-unstable -

pkgs.hydroxide

Third-party, open-source ProtonMail bridge

  • nixos-unstable -

pkgs.libhydrogen

Lightweight, secure, easy-to-use crypto library suitable for constrained environments