Nixpkgs security tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 4 months, 4 weeks ago by @tomberek Activity log
  • Created suggestion
  • @tomberek ignored
    3 packages
    • websocketpp
    • nlojet
    • itpp
  • @tomberek dismissed
Changjetong T+ <= 16.x GetStoreWarehouseByStore Deserialization RCE

Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC).

Affected products

T+
  • <= 16.x
Ignored packages (3)

pkgs.nlojet

Implementation of calculation of the hadron jet cross sections

pkgs.websocketpp

C++/Boost Asio based websocket client/server library

Not Applicable
CVE-2025-13151
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @tomberek Activity log
  • Created suggestion
  • @tomberek dismissed
CVE-2025-13151

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Affected products

libtasn1
  • <= 4.20.0

Matching in nixpkgs

https://github.com/NixOS/nixpkgs/pull/478141 merged
CVE-2025-58986
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • typstPackages.fh-joanneum-iit-thesis_1_1_0
    • typstPackages.fh-joanneum-iit-thesis_1_2_0
    • typstPackages.fh-joanneum-iit-thesis_1_2_2
    • typstPackages.fh-joanneum-iit-thesis_1_2_3
    • typstPackages.fh-joanneum-iit-thesis_2_0_2
    • typstPackages.fh-joanneum-iit-thesis_2_0_5
    • typstPackages.fh-joanneum-iit-thesis_2_1_2
    • typstPackages.fh-joanneum-iit-thesis_2_2_0
  • @LeSuisse dismissed
WordPress Jock On Air Now (JOAN) plugin <= 6.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in ganddser Jock On Air Now (JOAN) joan allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Jock On Air Now (JOAN): from n/a through <= 6.0.4.

Affected products

joan
  • <= 6.0.4
Ignored packages (8)
WP plugin not packaged in nixpkgs
CVE-2025-69364
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    27 packages
    • kdePackages.breeze
    • libsForQt5.breeze-gtk
    • libsForQt5.breeze-qt5
    • kdePackages.breeze-gtk
    • libsForQt5.breeze-grub
    • sierra-breeze-enhanced
    • kdePackages.breeze-grub
    • libsForQt5.breeze-icons
    • kdePackages.breeze-icons
    • breeze-hacked-cursor-theme
    • libsForQt5.breeze-plymouth
    • plasma5Packages.breeze-gtk
    • plasma5Packages.breeze-qt5
    • kdePackages.breeze-plymouth
    • plasma5Packages.breeze-grub
    • python312Packages.seabreeze
    • python313Packages.seabreeze
    • libsForQt5.qqc2-breeze-style
    • plasma5Packages.breeze-icons
    • kdePackages.qqc2-breeze-style
    • plasma5Packages.breeze-plymouth
    • wordpressPackages.plugins.breeze
    • libsForQt5.sierra-breeze-enhanced
    • plasma5Packages.qqc2-breeze-style
    • kdePackages.sierra-breeze-enhanced
    • qt6Packages.sierra-breeze-enhanced
    • plasma5Packages.sierra-breeze-enhanced
  • @LeSuisse dismissed
WordPress Breeze plugin <= 2.2.21 - Broken Access Control vulnerability

Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21.

Affected products

breeze
  • <= 2.2.21
Ignored packages (27)

pkgs.kdePackages.breeze

Artwork, styles and assets for the Breeze visual style for the Plasma Desktop

WP plugin not packaged in nixpkgs
CVE-2025-68505
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • python312Packages.h5py
    • python313Packages.h5py
    • python312Packages.h5py-mpi
    • python313Packages.h5py-mpi
    • python312Packages.airtouch5py
    • python313Packages.airtouch5py
    • pkgsRocm.python3Packages.h5py-mpi
  • @LeSuisse dismissed
WordPress H5P plugin <= 1.16.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in icc0rz H5P h5p allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects H5P: from n/a through <= 1.16.1.

Affected products

h5p
  • <= 1.16.1
Ignored packages (7)
WP plugin not packaged in nixpkgs
CVE-2025-32283
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    47 packages
    • solarus
    • solargraph
    • coc-solargraph
    • solarc-gtk-theme
    • solarus-launcher
    • dircolors-solarized
    • solarus-quest-editor
    • rubyPackages.solargraph
    • numix-solarized-gtk-theme
    • vimPlugins.coc-solargraph
    • nodePackages.coc-solargraph
    • rubyPackages_3_1.solargraph
    • rubyPackages_3_2.solargraph
    • rubyPackages_3_3.solargraph
    • rubyPackages_3_4.solargraph
    • rubyPackages_3_5.solargraph
    • python312Packages.zeversolar
    • python313Packages.zeversolar
    • rubyPackages.yard-solargraph
    • prometheus-solaredge-exporter
    • python312Packages.aiosolaredge
    • python312Packages.pysolarmanv5
    • python312Packages.solarlog-cli
    • python313Packages.aiosolaredge
    • python313Packages.pysolarmanv5
    • python313Packages.solarlog-cli
    • python312Packages.solaredge-web
    • python313Packages.solaredge-web
    • python312Packages.forecast-solar
    • python313Packages.forecast-solar
    • rubyPackages_3_1.yard-solargraph
    • rubyPackages_3_2.yard-solargraph
    • rubyPackages_3_3.yard-solargraph
    • rubyPackages_3_4.yard-solargraph
    • rubyPackages_3_5.yard-solargraph
    • python312Packages.solaredge-local
    • python312Packages.zeversolarlocal
    • python313Packages.solaredge-local
    • python313Packages.zeversolarlocal
    • nodePackages_latest.coc-solargraph
    • vscode-extensions.castwide.solargraph
    • home-assistant-component-tests.solarlog
    • home-assistant-component-tests.solaredge
    • home-assistant-component-tests.zeversolar
    • home-assistant-custom-components.solarman
    • home-assistant-component-tests.forecast_solar
    • vscode-extensions.brandonkirbyson.solarized-palenight
  • @LeSuisse dismissed
WordPress Solar Energy theme <= 3.5 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection. This issue affects Solar Energy: from n/a through <= 3.5.

Affected products

solar
  • <= 3.5
Ignored packages (47)

pkgs.solarus

Zelda-like ARPG game engine

WP theme not packaged in nixpkgs
CVE-2025-67532
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    11 packages
    • charasay
    • gnome-characters
    • keepass-charactercopy
    • unicode-character-database
    • haskellPackages.character-ps
    • coqPackages.mathcomp-character
    • python312Packages.characteristic
    • python313Packages.characteristic
    • magnetophonDSP.CharacterCompressor
    • python312Packages.character-encoding-utils
    • python313Packages.character-encoding-utils
  • @LeSuisse dismissed
WordPress Hara theme <= 1.2.17 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17.

Affected products

hara
  • <= 1.2.17
Ignored packages (11)

pkgs.charasay

Future of cowsay - Colorful characters saying something

pkgs.gnome-characters

Simple utility application to find and insert unusual characters

  • nixos-unstable 49.1
    • nixpkgs-unstable 49.1
    • nixos-unstable-small 49.1
WP theme not packaged in nixpkgs
CVE-2025-68556
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    18 packages
    • happy
    • triggerhappy
    • haskellPackages.happy
    • haskellPackages.happy-dot
    • haskellPackages.happy-lib
    • haskellPackages.happy-meta
    • ocamlPackages.happy-eyeballs
    • haskellPackages.happy-arbitrary
    • ocamlPackages.happy-eyeballs-lwt
    • gnomeExtensions.happy-appy-hotkey
    • ocamlPackages.mimic-happy-eyeballs
    • python312Packages.aiohappyeyeballs
    • python313Packages.aiohappyeyeballs
    • ocamlPackages.happy-eyeballs-mirage
    • tests.testers.testBuildFailure.happy
    • tests.testers.testBuildFailure'.happy
    • tests.testers.testBuildFailure.happyStructuredAttrs
    • tests.testers.testBuildFailure'.happyStructuredAttrs
  • @LeSuisse dismissed
WordPress HAPPY plugin <= 1.0.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.9.

Affected products

happy-helpdesk-support-ticket-system
  • <= 1.0.9
Ignored packages (18)

pkgs.happy

Happy is a parser generator for Haskell

WP plugin not packaged in nixpkgs
CVE-2025-67936
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • ocamlPackages.curly
    • haskellPackages.curly-expander
    • haskellPackages.recurly-client
  • @LeSuisse dismissed
WordPress Curly theme < 3.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3.

Affected products

curly
  • < 3.3
Ignored packages (3)
WP theme not packaged in nixpkgs
CVE-2025-60206
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • selenium-server-standalone
    • cbqn-standalone-replxx
    • htmlunit-driver
    • cbqn-standalone
    • argp-standalone
    • art-standalone
    • selendroid
    • stalonetray
  • @LeSuisse dismissed
WordPress Alone theme <= 7.8.3 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection. This issue affects Alone: from n/a through <= 7.8.3.

Affected products

alone
  • <= 7.8.3
Ignored packages (8)

pkgs.selendroid

Test automation for native or hybrid Android apps and the mobile web

pkgs.argp-standalone

Standalone version of arguments parsing functions from Glibc

pkgs.htmlunit-driver

WebDriver server for running Selenium tests on the HtmlUnit headless browser

  • nixos-unstable 2.27
    • nixpkgs-unstable 2.27
    • nixos-unstable-small 2.27
WP theme not packaged in nixpkgs