Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-53200
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored package gnomeExtensions.penguin-ai-chatbot 6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress ChatBot plugin <= 6.7.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through 6.7.3.

Affected products

chatbot
  • =<6.7.3
Ignored packages (1)

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

  • nixos-unstable -
    • nixpkgs-unstable 22
Permalink CVE-2025-52799
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    16 packages
    • lms
    • flmsg
    • helmsman
    • lmstudio
    • python312Packages.calmsize
    • python313Packages.calmsize
    • python312Packages.dlms-cosem
    • python313Packages.dlms-cosem
    • python312Packages.llama-index-llms-ollama
    • python312Packages.llama-index-llms-openai
    • python313Packages.llama-index-llms-ollama
    • python313Packages.llama-index-llms-openai
    • python312Packages.llama-index-llms-openai-like
    • python313Packages.llama-index-llms-openai-like
    • python312Packages.llama-index-multi-modal-llms-openai
    • python313Packages.llama-index-multi-modal-llms-openai
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress LMS theme <= 9.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes LMS allows Reflected XSS. This issue affects LMS: from n/a through 9.1.

Affected products

lms
  • =<9.1
Ignored packages (16)

pkgs.lms

Lightweight Music Server - Access your self-hosted music using a web interface

  • nixos-unstable -

pkgs.flmsg

Digital modem message program

  • nixos-unstable -

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

  • nixos-unstable -

pkgs.lmstudio

LM Studio is an easy to use desktop app for experimenting with local and open-source Large Language Models (LLMs)

  • nixos-unstable -
Permalink CVE-2025-52833
9.3 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    16 packages
    • lms
    • flmsg
    • helmsman
    • lmstudio
    • python312Packages.calmsize
    • python313Packages.calmsize
    • python312Packages.dlms-cosem
    • python313Packages.dlms-cosem
    • python312Packages.llama-index-llms-ollama
    • python312Packages.llama-index-llms-openai
    • python313Packages.llama-index-llms-ollama
    • python313Packages.llama-index-llms-openai
    • python312Packages.llama-index-llms-openai-like
    • python313Packages.llama-index-llms-openai-like
    • python312Packages.llama-index-multi-modal-llms-openai
    • python313Packages.llama-index-multi-modal-llms-openai
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress LMS <= 9.1 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1.

Affected products

lms
  • =<9.1
Ignored packages (16)

pkgs.lms

Lightweight Music Server - Access your self-hosted music using a web interface

  • nixos-unstable -

pkgs.flmsg

Digital modem message program

  • nixos-unstable -

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

  • nixos-unstable -

pkgs.lmstudio

LM Studio is an easy to use desktop app for experimenting with local and open-source Large Language Models (LLMs)

  • nixos-unstable -
Permalink CVE-2025-52718
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    8 packages
    • selendroid
    • stalonetray
    • art-standalone
    • argp-standalone
    • cbqn-standalone
    • htmlunit-driver
    • cbqn-standalone-replxx
    • selenium-server-standalone
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Alone <= 7.8.2 - Arbitrary Code Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2.

Affected products

alone
  • =<7.8.2
Ignored packages (8)

pkgs.selendroid

Test automation for native or hybrid Android apps and the mobile web

  • nixos-unstable -

pkgs.argp-standalone

Standalone version of arguments parsing functions from Glibc

  • nixos-unstable -

pkgs.htmlunit-driver

WebDriver server for running Selenium tests on the HtmlUnit headless browser

  • nixos-unstable -
    • nixpkgs-unstable 2.27
Permalink CVE-2025-6505
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    45 packages
    • perlPackages.NetServer
    • perl538Packages.NetServer
    • perl540Packages.NetServer
    • perlPackages.NetLDAPServer
    • perlPackages.NetServerCoro
    • perlPackages.ServerStarter
    • perl538Packages.NetLDAPServer
    • perl538Packages.NetServerCoro
    • perl538Packages.ServerStarter
    • perl540Packages.NetLDAPServer
    • perl540Packages.NetServerCoro
    • perl540Packages.ServerStarter
    • perlPackages.HTTPServerSimple
    • perlPackages.NetLDAPServerTest
    • perlPackages.NetAsyncHTTPServer
    • perlPackages.NetServerSSPrefork
    • perlPackages.PerlLanguageServer
    • perl538Packages.HTTPServerSimple
    • perl540Packages.HTTPServerSimple
    • perl538Packages.NetLDAPServerTest
    • perl540Packages.NetLDAPServerTest
    • perlPackages.HTTPServerSimplePSGI
    • perlPackages.TestHTTPServerSimple
    • perl538Packages.NetAsyncHTTPServer
    • perl538Packages.NetServerSSPrefork
    • perl538Packages.PerlLanguageServer
    • perl540Packages.NetAsyncHTTPServer
    • perl540Packages.NetServerSSPrefork
    • perl540Packages.PerlLanguageServer
    • perlPackages.HTTPServerSimpleMason
    • perlPackages.HTTPServerSimpleAuthen
    • perl538Packages.HTTPServerSimplePSGI
    • perl538Packages.TestHTTPServerSimple
    • perl538Packages.HTTPServerSimpleAuthen
    • perl540Packages.HTTPServerSimpleMason
    • perl538Packages.HTTPServerSimpleMason
    • perlPackages.PlackTestExternalServer
    • perl540Packages.TestHTTPServerSimple
    • perl540Packages.HTTPServerSimplePSGI
    • perl540Packages.HTTPServerSimpleAuthen
    • perl538Packages.PlackTestExternalServer
    • perl540Packages.PlackTestExternalServer
    • perlPackages.CatalystXScriptServerStarman
    • perl538Packages.CatalystXScriptServerStarman
    • perl540Packages.CatalystXScriptServerStarman
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and …

Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.  When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.

Affected products

Server
  • =<4.6.2.3226
Ignored packages (45)
Permalink CVE-2025-47444
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored package filegive 6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure

Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1.

Affected products

give
  • <4.6.1
Ignored packages (1)

pkgs.filegive

Easy p2p file sending program

Permalink CVE-2025-54689
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    30 packages
    • furnace
    • xournalpp
    • journalist
    • lazyjournal
    • qjournalctl
    • tui-journal
    • journalwatch
    • annapurna-sil
    • journaldriver
    • systemd-journal2gelf
    • kdePackages.kjournald
    • perlPackages.LogJournald
    • perl538Packages.LogJournald
    • perl540Packages.LogJournald
    • python312Packages.swh-journal
    • python313Packages.swh-journal
    • python312Packages.waterfurnace
    • python313Packages.waterfurnace
    • haskellPackages.journalctl-stream
    • haskellPackages.libsystemd-journal
    • python312Packages.logging-journald
    • python313Packages.logging-journald
    • haskellPackages.logging-facade-journald
    • typstPackages.starter-journal-article_0_1_1
    • typstPackages.starter-journal-article_0_2_0
    • typstPackages.starter-journal-article_0_3_0
    • typstPackages.starter-journal-article_0_3_1
    • typstPackages.starter-journal-article_0_3_2
    • typstPackages.starter-journal-article_0_3_3
    • typstPackages.starter-journal-article_0_4_0
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Urna Theme <= 2.5.7 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7.

Affected products

urna
  • =<2.5.7
Ignored packages (30)

pkgs.furnace

Multi-system chiptune tracker compatible with DefleMask modules

  • nixos-unstable -

pkgs.xournalpp

Xournal++ is a handwriting Notetaking software with PDF annotation support

  • nixos-unstable -

pkgs.lazyjournal

TUI for journalctl, file system logs, as well as Docker and Podman containers

  • nixos-unstable -

pkgs.qjournalctl

Qt-based graphical user interface for systemd's journalctl command

  • nixos-unstable -

pkgs.tui-journal

Your journal app if you live in a terminal

  • nixos-unstable -

pkgs.journalwatch

Tool to find error messages in the systemd journal

  • nixos-unstable -

pkgs.annapurna-sil

Unicode-based font family with broad support for writing systems that use the Devanagari script

  • nixos-unstable -

pkgs.journaldriver

Log forwarder from journald to Stackdriver Logging

  • nixos-unstable -
Permalink CVE-2025-54671
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored package libvoikko 6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress oik Plugin plugin <= 4.15.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2.

Affected products

oik
  • =<4.15.2
Ignored packages (1)

pkgs.libvoikko

Finnish language processing library

  • nixos-unstable -
Permalink CVE-2025-54019
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored
    8 packages
    • selendroid
    • stalonetray
    • art-standalone
    • argp-standalone
    • cbqn-standalone
    • htmlunit-driver
    • cbqn-standalone-replxx
    • selenium-server-standalone
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.

Affected products

alone
  • <7.8.5
Ignored packages (8)

pkgs.selendroid

Test automation for native or hybrid Android apps and the mobile web

  • nixos-unstable -

pkgs.argp-standalone

Standalone version of arguments parsing functions from Glibc

  • nixos-unstable -

pkgs.htmlunit-driver

WebDriver server for running Selenium tests on the HtmlUnit headless browser

  • nixos-unstable -
    • nixpkgs-unstable 2.27
Permalink CVE-2025-54670
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months ago
  • @LeSuisse ignored package libvoikko 6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.

Affected products

oik
  • =<4.15.2
Ignored packages (1)

pkgs.libvoikko

Finnish language processing library

  • nixos-unstable -