Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-58941
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    25 packages
    • Fabric
    • fabric-ai
    • libfabric
    • fabric-installer
    • hyperledger-fabric
    • python312Packages.fabric
    • python313Packages.fabric
    • cudaPackages.fabricmanager
    • python312Packages.dtfabric
    • python313Packages.dtfabric
    • cudaPackages_11.fabricmanager
    • azure-cli-extensions.microsoft-fabric
    • python312Packages.azure-servicefabric
    • python313Packages.azure-servicefabric
    • python312Packages.llm-templates-fabric
    • python312Packages.mypy-boto3-appfabric
    • python313Packages.llm-templates-fabric
    • python313Packages.mypy-boto3-appfabric
    • azure-cli-extensions.managednetworkfabric
    • python312Packages.azure-mgmt-servicefabric
    • python313Packages.azure-mgmt-servicefabric
    • python312Packages.types-aiobotocore-appfabric
    • python313Packages.types-aiobotocore-appfabric
    • python312Packages.azure-mgmt-servicefabricmanagedclusters
    • python313Packages.azure-mgmt-servicefabricmanagedclusters
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Fabric theme <= 1.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Fabric fabric allows PHP Local File Inclusion.This issue affects Fabric: from n/a through <= 1.5.0.

Affected products

fabric
  • =<<= 1.5.0
Ignored packages (25)

pkgs.Fabric

Pythonic remote execution

pkgs.fabric-ai

Fabric is an open-source framework for augmenting humans using AI. It provides a modular framework for solving specific problems using a crowdsourced set of AI prompts that can be used anywhere

WP theme not present in nixpkgs
Permalink CVE-2025-58932
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    11 packages
    • prisma
    • prisma-engines
    • prisma-language-server
    • python312Packages.prisma
    • python313Packages.prisma
    • typstPackages.prismath_0_1_0
    • vscode-extensions.prisma.prisma
    • tree-sitter-grammars.tree-sitter-prisma
    • vimPlugins.nvim-treesitter-parsers.prisma
    • python312Packages.tree-sitter-grammars.tree-sitter-prisma
    • python313Packages.tree-sitter-grammars.tree-sitter-prisma
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Prisma theme <= 1.10 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion.This issue affects Prisma: from n/a through <= 1.10.

Affected products

prisma
  • =<<= 1.10
Ignored packages (11)

pkgs.prisma

Next-generation ORM for Node.js and TypeScript

WP theme not present in nixpkgs
Permalink CVE-2025-53448
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    8 packages
    • perl540Packages.SortNaturally
    • dwarf-fortress-packages.themes.rally-ho
    • perl538Packages.SortNaturally
    • perlPackages.SortNaturally
    • haskellPackages.literally
    • cro-mag-rally
    • stuntrally
    • trigger
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Rally theme <= 1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion.This issue affects Rally: from n/a through <= 1.1.

Affected products

rally
  • =<<= 1.1
Ignored packages (8)

pkgs.stuntrally

Stunt Rally game with Track Editor, based on VDrift and OGRE

  • nixos-unstable 2.7
    • nixpkgs-unstable 2.7
    • nixos-unstable-small 2.7

pkgs.cro-mag-rally

Port of Cro-Mag Rally, a 2000 Macintosh game by Pangea Software, for modern operating systems

WP theme not present in nixpkgs
Permalink CVE-2025-53242
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    10 packages
    • seilfahrt
    • abseil-cpp
    • abseil-cpp_202103
    • abseil-cpp_202301
    • abseil-cpp_202401
    • abseil-cpp_202407
    • abseil-cpp_202501
    • abseil-cpp_202505
    • python312Packages.pybind11-abseil
    • python313Packages.pybind11-abseil
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Seil Theme <= 1.7.1 - Deserialization of untrusted data Vulnerability

Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.This issue affects Seil: from n/a through <= 1.7.1.

Affected products

seil
  • =<<= 1.7.1
Ignored packages (10)

pkgs.seilfahrt

Tool to create a wiki page from a HedgeDoc

WP theme not present in nixpkgs
Permalink CVE-2025-49372
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    18 packages
    • happy
    • triggerhappy
    • haskellPackages.happy
    • haskellPackages.happy-dot
    • haskellPackages.happy-lib
    • haskellPackages.happy-meta
    • ocamlPackages.happy-eyeballs
    • haskellPackages.happy-arbitrary
    • ocamlPackages.happy-eyeballs-lwt
    • gnomeExtensions.happy-appy-hotkey
    • ocamlPackages.mimic-happy-eyeballs
    • python312Packages.aiohappyeyeballs
    • python313Packages.aiohappyeyeballs
    • ocamlPackages.happy-eyeballs-mirage
    • tests.testers.testBuildFailure.happy
    • tests.testers.testBuildFailure'.happy
    • tests.testers.testBuildFailure.happyStructuredAttrs
    • tests.testers.testBuildFailure'.happyStructuredAttrs
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress HAPPY plugin <= 1.0.7 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7.

Affected products

happy-helpdesk-support-ticket-system
  • =<<= 1.0.7
Ignored packages (18)

pkgs.happy

Happy is a parser generator for Haskell

WP plugin not present in nixpkgs
Permalink CVE-2025-66164
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    6 packages
    • python313Packages.toptica-lasersdk
    • python312Packages.toptica-lasersdk
    • haskellPackages.lasercutter
    • ooklaserver
    • dell-530cdn
    • brlaser
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Laser plugin <= 1.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in merkulove Laser laser allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laser: from n/a through <= 1.1.1.

Affected products

laser
  • =<<= 1.1.1
Ignored packages (6)

pkgs.brlaser

CUPS driver for Brother laser printers

WP plugin not present in nixpkgs
Permalink CVE-2025-22509
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    17 packages
    • atlas
    • nim-atlas
    • atlassian-cli
    • ripe-atlas-tools
    • mongodb-atlas-cli
    • atlassian-plugin-sdk
    • haskellPackages.atlas
    • prometheus-atlas-exporter
    • python312Packages.chatlas
    • python313Packages.chatlas
    • terraform-providers.mongodbatlas
    • python312Packages.ripe-atlas-sagan
    • python313Packages.ripe-atlas-sagan
    • python312Packages.ripe-atlas-cousteau
    • python313Packages.ripe-atlas-cousteau
    • python312Packages.atlassian-python-api
    • python313Packages.atlassian-python-api
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Atlas theme <= 2.1.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TMRW-studio Atlas atlas allows PHP Local File Inclusion.This issue affects Atlas: from n/a through <= 2.1.0.

Affected products

atlas
  • =<<= 2.1.0
Ignored packages (17)

pkgs.atlas

Manage your database schema as code

WP theme not present in nixpkgs
Permalink CVE-2025-58947
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    2 packages
    • python312Packages.pathos
    • python313Packages.pathos
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Athos theme <= 1.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion.This issue affects Athos: from n/a through <= 1.9.

Affected products

athos
  • =<<= 1.9
Ignored packages (2) 
WP theme not present in nixpkgs
Permalink CVE-2025-58946
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    3 packages
    • typstPackages.unequivocal-ams_0_1_2
    • typstPackages.unequivocal-ams_0_1_1
    • typstPackages.unequivocal-ams_0_1_0
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Vocal theme <= 1.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion.This issue affects Vocal: from n/a through <= 1.12.

Affected products

vocal
  • =<<= 1.12
Ignored packages (3) 
WP theme not present in nixpkgs
Permalink CVE-2025-64253
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 4 weeks ago
  • @LeSuisse ignored
    12 packages
    • health-check
    • grpc-health-check
    • python312Packages.django-health-check
    • python313Packages.django-health-check
    • rubyPackages.github-pages-health-check
    • python312Packages.grpcio-health-checking
    • python313Packages.grpcio-health-checking
    • rubyPackages_3_1.github-pages-health-check
    • rubyPackages_3_2.github-pages-health-check
    • rubyPackages_3_3.github-pages-health-check
    • rubyPackages_3_4.github-pages-health-check
    • rubyPackages_3_5.github-pages-health-check
    4 months, 4 weeks ago
  • @LeSuisse dismissed 4 months, 4 weeks ago
WordPress Health Check & Troubleshooting plugin <= 1.7.1 - Path Traversal vulnerability

Path Traversal: '.../...//' vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal.This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1.

Affected products

health-check
  • =<<= 1.7.1
Ignored packages (12) 
WP plugin not present in nixpkgs