Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-67549
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • libvoikko
    • voikko-fi
    5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress oik plugin <= 4.15.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS.This issue affects oik: from n/a through <= 4.15.3.

Affected products

oik
  • =<<= 4.15.3
Ignored packages (2)

pkgs.libvoikko

Finnish language processing library

pkgs.voikko-fi

Description of Finnish morphology written for libvoikko

  • nixos-unstable 2.5
    • nixpkgs-unstable 2.5
    • nixos-unstable-small 2.5 
WP plugin not present in nixpkgs
Permalink CVE-2025-60042
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package vscode-extensions.chrischinchilla.vscode-pandoc 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Chinchilla theme <= 1.16 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion.This issue affects Chinchilla: from n/a through <= 1.16.

Affected products

chinchilla
  • =<<= 1.16
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-53439
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • vscode-extensions.elijah-potter.harper
    • harper
    5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Harper theme <= 1.13 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion.This issue affects Harper: from n/a through <= 1.13.

Affected products

harper
  • =<<= 1.13
Ignored packages (2) 
WP theme not present in nixpkgs
Permalink CVE-2025-58949
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package chickenPackages_5.chickenEggs.spock 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Spock theme <= 1.17 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion.This issue affects Spock: from n/a through <= 1.17.

Affected products

spock
  • =<<= 1.17
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-58933
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package anubis 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Anubis theme <= 1.25 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Anubis anubis allows PHP Local File Inclusion.This issue affects Anubis: from n/a through <= 1.25.

Affected products

anubis
  • =<<= 1.25
Ignored packages (1)

pkgs.anubis

Weighs the soul of incoming HTTP requests using proof-of-work to stop AI crawlers

WP theme not present in nixpkgs
Permalink CVE-2025-58928
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored
    2 packages
    • heartbeat7
    • anytype-heart
    5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Heart theme <= 1.8 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Heart heart allows PHP Local File Inclusion.This issue affects Heart: from n/a through <= 1.8.

Affected products

heart
  • =<<= 1.8
Ignored packages (2) 
WP theme not present in nixpkgs
Permalink CVE-2025-66117
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package ocamlPackages.easy-format 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Easy Form plugin <= 2.7.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.8.

Affected products

easy-form
  • =<<= 2.7.8
Ignored packages (1) 
WP plugin not present in nixpkgs
Permalink CVE-2025-53445
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package catppuccin-catwalk 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Catwalk theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catwalk catwalk allows PHP Local File Inclusion.This issue affects Catwalk: from n/a through <= 1.4.

Affected products

catwalk
  • =<<= 1.4
Ignored packages (1)

pkgs.catppuccin-catwalk

CLI for Catppuccin that takes in four showcase images and displays them all at once

WP theme not present in nixpkgs
Permalink CVE-2025-67921
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package colobot 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Lobo theme < 2.8.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6.

Affected products

lobo
  • =<< 2.8.6
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-14430
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package brook 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Brook - Agency Business Creative theme <= 2.8.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion.This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9.

Affected products

brook
  • =<<= 2.8.9
Ignored packages (1) 
WP theme not present in nixpkgs