Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-54709
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 1 week ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.datasalad
    • python313Packages.datasalad
    • python312Packages.schema-salad
    • python313Packages.schema-salad
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Sala Theme <= 1.1.6 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Sala. This issue affects Sala: from n/a through 1.1.6.

Affected products

sala
  • =<1.1.6
Ignored packages (4)

pkgs.python312Packages.datasalad

Pure-Python library with a collection of utilities for working with Git and git-annex

  • nixos-unstable -

pkgs.python313Packages.datasalad

Pure-Python library with a collection of utilities for working with Git and git-annex

  • nixos-unstable -
Permalink CVE-2025-58997
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 1 week ago
  • @LeSuisse ignored
    8 packages
    • libmowgli
    • python312Packages.aioautomower
    • python313Packages.aioautomower
    • python312Packages.automower-ble
    • python313Packages.automower-ble
    • home-assistant-component-tests.lawn_mower
    • home-assistant-component-tests.husqvarna_automower
    • home-assistant-component-tests.husqvarna_automower_ble
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Mow Theme <= 4.10 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection. This issue affects Mow: from n/a through 4.10.

Affected products

mow
  • =<4.10
Ignored packages (8)

pkgs.libmowgli

Development framework for C providing high performance and highly flexible algorithms

  • nixos-unstable -
Permalink CVE-2025-58993
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 8 months, 1 week ago
  • @LeSuisse ignored
    6 packages
    • haskellPackages.timeless-tutorials
    • typstPackages.tutor_0_8_0
    • typstPackages.tutor_0_7_0
    • typstPackages.tutor_0_6_1
    • typstPackages.tutor_0_4_0
    • typstPackages.tutor_0_3_0
    6 months, 3 weeks ago
  • @LeSuisse dismissed 6 months, 3 weeks ago
WordPress Tutor LMS Plugin <= 3.7.4 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: from n/a through 3.7.4.

Affected products

tutor
  • =<3.7.4
Ignored packages (6)
Permalink CVE-2025-57924
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months ago
  • @mweinelt ignored package darwin.developer_cmds 6 months, 3 weeks ago
  • @mweinelt dismissed 6 months, 3 weeks ago
WordPress Developer Plugin <= 1.2.6 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Automattic Developer allows Cross Site Request Forgery. This issue affects Developer: from n/a through 1.2.6.

Affected products

developer
  • =<1.2.6
Ignored packages (1)
Permalink CVE-2025-58199
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months ago
  • @mweinelt ignored
    3 packages
    • fastly
    • prometheus-fastly-exporter
    • terraform-providers.fastly
    6 months, 3 weeks ago
  • @mweinelt dismissed 6 months, 3 weeks ago
WordPress Fastly Plugin <= 1.2.28 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Fastly Fastly allows Cross Site Request Forgery. This issue affects Fastly: from n/a through 1.2.28.

Affected products

fastly
  • =<1.2.28
Ignored packages (3)

pkgs.fastly

Command line tool for interacting with the Fastly API

Permalink CVE-2025-57996
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months ago
  • @mweinelt ignored
    3 packages
    • buckets
    • python312Packages.bucketstore
    • python313Packages.bucketstore
    6 months, 3 weeks ago
  • @mweinelt dismissed 6 months, 3 weeks ago
WordPress Buckets Plugin <= 0.3.9 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matthewordie Buckets allows Stored XSS. This issue affects Buckets: from n/a through 0.3.9.

Affected products

buckets
  • =<0.3.9
Ignored packages (3)
Permalink CVE-2025-58245
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months ago
  • @mweinelt ignored
    2 packages
    • traderepublic-portfolio-downloader
    • portfolio-filemanager
    6 months, 3 weeks ago
  • @mweinelt dismissed 6 months, 3 weeks ago
WordPress Portfolio Plugin <= 2.58 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bestweblayout Portfolio allows DOM-Based XSS. This issue affects Portfolio : from n/a through 2.58.

Affected products

portfolio
  • =<2.58
Ignored packages (2)
Permalink CVE-2025-58244
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months ago
  • @mweinelt ignored package akkuPackages.cyclone-iset-constructors 6 months, 3 weeks ago
  • @mweinelt dismissed 6 months, 3 weeks ago
WordPress Constructo Theme <= 4.3.9 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo allows Object Injection. This issue affects Constructo: from n/a through 4.3.9.

Affected products

constructo
  • =<4.3.9
Ignored packages (1)
Permalink CVE-2025-58020
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months ago
  • @mweinelt ignored package haskellPackages.theatre-dev 6 months, 3 weeks ago
  • @mweinelt dismissed 6 months, 3 weeks ago
WordPress Theater for WordPress Plugin <= 0.18.8 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress allows Stored XSS. This issue affects Theater for WordPress: from n/a through 0.18.8.

Affected products

theatre
  • =<0.18.8
Ignored packages (1)
Permalink CVE-2025-58652
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months ago
  • @mweinelt ignored package haskellPackages.data-carousel 6 months, 3 weeks ago
  • @mweinelt dismissed 6 months, 3 weeks ago
WordPress Carousel Ultimate Plugin <= 1.8 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Carousel Ultimate allows Stored XSS. This issue affects Carousel Ultimate: from n/a through 1.8.

Affected products

carousel
  • =<1.8
Ignored packages (1)