Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-23524
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    2 packages
    • hybridreverb2
    • dragonfly-reverb
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
Laravel Redis Horizontal Scaling Insecure Deserialization

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

Affected products

reverb
  • ==< 1.7.0
Ignored packages (2) 
Not present in nixpkgs
Permalink CVE-2026-23975
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    2 packages
    • ligolo-ng
    • xfce.gigolo
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Golo theme < 1.7.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.This issue affects Golo: from n/a through < 1.7.5.

Affected products

golo
  • =<< 1.7.5
Ignored packages (2)

pkgs.ligolo-ng

Advanced TUN-based tunneling/pivoting tool

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

WP theme not packaged in nixpkgs
Permalink CVE-2025-68008
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored package wordpressPackages.plugins.wp-mail-smtp 4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3.

Affected products

wp-mail
  • =<<= 1.3
Ignored packages (1) 
`wp-mail` plugin not packaged in nixpkgs
Permalink CVE-2026-23974
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    2 packages
    • ligolo-ng
    • xfce.gigolo
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Golo: from n/a through < 1.7.5.

Affected products

golo
  • =<< 1.7.5
Ignored packages (2)

pkgs.ligolo-ng

Advanced TUN-based tunneling/pivoting tool

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

WP theme not present in nixpkgs
Permalink CVE-2025-49249
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    9 packages
    • python313Packages.dronecan
    • python312Packages.dronecan
    • drone-runner-docker
    • drone-runner-ssh
    • drone-runner-exec
    • drone-oss
    • drone-scp
    • drone-cli
    • drone
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Drone theme <= 1.40 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40.

Affected products

drone
  • =<<= 1.40
Ignored packages (9)

pkgs.drone

Continuous Integration platform built on container technology

pkgs.drone-cli

Command line client for the Drone continuous integration server

pkgs.drone-oss

Continuous Integration platform built on container technology

pkgs.drone-scp

Copy files and artifacts via SSH using a binary, docker or Drone CI

WP theme not present in nixpkgs
Permalink CVE-2025-49994
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored package athens 4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Athens theme <= 1.1.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion.This issue affects Athens: from n/a through <= 1.1.6.

Affected products

athens
  • =<<= 1.1.6
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-67614
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    11 packages
    • typstPackages.athena-tu-darmstadt-exercise_0_2_0
    • typstPackages.athena-tu-darmstadt-exercise_0_1_0
    • typstPackages.athena-tu-darmstadt-thesis_0_1_1
    • typstPackages.athena-tu-darmstadt-thesis_0_1_0
    • python313Packages.types-aiobotocore-athena
    • python312Packages.types-aiobotocore-athena
    • python313Packages.mypy-boto3-athena
    • python312Packages.mypy-boto3-athena
    • haskellPackages.amazonka-athena
    • python313Packages.pyathena
    • python312Packages.pyathena
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress TheNa theme <= 1.5.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5.

Affected products

thena
  • =<<= 1.5.5
Ignored packages (11) 
WP theme not packaged in nixpkgs
Permalink CVE-2025-69042
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    3 packages
    • libsForQt5.calindori
    • kdePackages.calindori
    • plasma5Packages.calindori
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Lindo theme <= 1.2.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion.This issue affects Lindo: from n/a through <= 1.2.5.

Affected products

lindo
  • =<<= 1.2.5
Ignored packages (3) 
WP theme not present in nixpkgs
Permalink CVE-2025-54003
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    3 packages
    • depotdownloader
    • python312Packages.filedepot
    • python313Packages.filedepot
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Depot theme <= 1.16 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion.This issue affects Depot: from n/a through <= 1.16.

Affected products

depot
  • =<<= 1.16
Ignored packages (3) 
WP theme not present in nixpkgs
Permalink CVE-2025-68020
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    11 packages
    • fsnotifier
    • mpris-notifier
    • terminal-notifier
    • usbguard-notifier
    • python312Packages.pynotifier
    • python313Packages.pynotifier
    • deadbeefPlugins.statusnotifier
    • python312Packages.desktop-notifier
    • kdePackages.kstatusnotifieritem
    • python313Packages.desktop-notifier
    • haskellPackages.status-notifier-item
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress WANotifier plugin <= 2.7.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WANotifier: from n/a through <= 2.7.12.

Affected products

notifier
  • =<<= 2.7.12
Ignored packages (11)

pkgs.fsnotifier

IntelliJ Platform companion program for watching and reporting file and directory structure modification

pkgs.mpris-notifier

Dependency-light, highly-customizable, XDG desktop notification generator for MPRIS status changes

pkgs.usbguard-notifier

Notifications for detecting usbguard policy and device presence changes

WP plugin not present in nixpkgs