Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-67928
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package haskellPackages.automotive-cse 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6.

Affected products

automotive
  • =<<= 18.6
Ignored packages (1) 
WP plugin not present in nixpkgs
Permalink CVE-2025-22712
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package cargo-typify 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Typify theme <= 3.0.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion.This issue affects Typify: from n/a through <= 3.0.2.

Affected products

typify
  • =<<= 3.0.2
Ignored packages (1) 
WP theme not present in nixpkgs
Permalink CVE-2025-62136
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 5 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 5 months, 1 week ago
  • @LeSuisse ignored package melos 5 months, 1 week ago
  • @LeSuisse dismissed 5 months, 1 week ago
WordPress Melos theme <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Melos allows Stored XSS.This issue affects Melos: from n/a through 1.6.0.

Affected products

melos
  • =<1.6.0
Ignored packages (1)

pkgs.melos

Tool for managing Dart projects with multiple packages

WP theme not present in nixpkgs
Permalink CVE-2025-62229
7.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 5 months, 4 weeks ago by @leona-ya Activity log
  • Created suggestion 6 months, 4 weeks ago
  • @leona-ya ignored package tigervnc 5 months, 4 weeks ago
  • @leona-ya accepted 5 months, 4 weeks ago
  • @leona-ya dismissed 5 months, 4 weeks ago
Xorg: xmayland: use-after-free in xpresentnotify structure creation

A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

References

Affected products

tigervnc
  • *
xwayland
  • <24.1.9
xorg-x11-server
  • *
xorg-x11-server-Xwayland
  • *
Ignored packages (1)

pkgs.tigervnc

Fork of tightVNC, made in cooperation with VirtualGL

already updated in nixpkgs 25.05, 25.11 and unstable.
Permalink CVE-2023-43787
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months ago by @LeSuisse Activity log
  • Created suggestion 6 months, 4 weeks ago
  • @LeSuisse ignored
    2 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    6 months ago
  • @LeSuisse dismissed 6 months ago
Libx11: integer overflow in xcreateimage() leading to a heap overflow

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

References

Affected products

libX11
  • *
  • ==1.8.7
  • <1.8.7
Ignored packages (2) 
No impacted packages
Permalink CVE-2023-43786
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 6 months ago by @LeSuisse Activity log
  • Created suggestion 6 months, 4 weeks ago
  • @LeSuisse ignored
    4 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    • xorg.libXpm
    • tests.pkg-config.defaultPkgConfigPackages.xpm
    6 months ago
  • @LeSuisse dismissed 6 months ago
Libx11: stack exhaustion from infinite recursion in putsubimage()

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.

References

Affected products

libX11
  • *
  • ==1.8.7
libXpm
  • <3.5.17
Ignored packages (4) 
No impacted packages
Permalink CVE-2023-43785
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 6 months ago by @LeSuisse Activity log
  • Created suggestion 6 months, 4 weeks ago
  • @LeSuisse ignored
    2 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    6 months ago
  • @LeSuisse dismissed 6 months ago
Libx11: out-of-bounds memory access in _xkbreadkeysyms()

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.

References

Affected products

libX11
  • *
  • ==1.8.7
  • <1.8.7
Ignored packages (2) 
No impacted packages
Permalink CVE-2021-4472
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 6 months ago by @LeSuisse Activity log
  • Created suggestion 6 months, 2 weeks ago
  • @LeSuisse ignored
    3 packages
    • mistralclient
    • python312Packages.python-mistralclient
    • python313Packages.python-mistralclient
    6 months ago
  • @LeSuisse dismissed 6 months ago
Python-mistralclient: mistral-dashboard: local file inclusion through the 'create workbook' feature

The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content.

Affected products

python-mistralclient
rhosp13/openstack-zaqar
rhosp13/openstack-ec2-api
rhosp13/openstack-horizon
rhosp13/openstack-tempest
rhosp13/openstack-aodh-api
rhosp13/openstack-collectd
rhosp13/openstack-heat-all
rhosp13/openstack-heat-api
rhosp13/openstack-keystone
rhosp13/openstack-nova-api
rhosp13/openstack-aodh-base
rhosp13/openstack-heat-base
rhosp13/openstack-nova-base
rhosp13/openstack-panko-api
rhosp13/openstack-cinder-api
rhosp13/openstack-glance-api
rhosp13/openstack-ironic-api
rhosp13/openstack-ironic-pxe
rhosp13/openstack-manila-api
rhosp13/openstack-panko-base
rhosp13/openstack-sahara-api
rhosp13/openstack-swift-base
rhosp13/openstack-cinder-base
rhosp13/openstack-glance-base
rhosp13/openstack-gnocchi-api
rhosp13/openstack-heat-engine
rhosp13/openstack-ironic-base
rhosp13/openstack-manila-base
rhosp13/openstack-mistral-api
rhosp13/openstack-octavia-api
rhosp13/openstack-sahara-base
rhosp-rhel8/openstack-heat-all
rhosp-rhel8/openstack-heat-api
rhosp-rhel9/openstack-heat-all
rhosp-rhel9/openstack-heat-api
rhosp13/openstack-barbican-api
rhosp13/openstack-dependencies
rhosp13/openstack-gnocchi-base
rhosp13/openstack-heat-api-cfn
rhosp13/openstack-horizon-base
rhosp13/openstack-manila-share
rhosp13/openstack-mistral-base
rhosp13/openstack-neutron-base
rhosp13/openstack-nova-compute
rhosp13/openstack-octavia-base
rhosp13/openstack-swift-object
rhosp-rhel8/openstack-heat-base
rhosp-rhel9/openstack-heat-base
rhosp13/openstack-aodh-listener
rhosp13/openstack-aodh-notifier
rhosp13/openstack-barbican-base
rhosp13/openstack-cinder-backup
rhosp13/openstack-cinder-volume
rhosp13/openstack-keystone-base
rhosp13/openstack-sahara-engine
rhosp13/openstack-swift-account
rhosp13/openstack-aodh-evaluator
rhosp13/openstack-gnocchi-statsd
rhosp13/openstack-mistral-engine
rhosp13/openstack-neutron-server
rhosp13/openstack-nova-conductor
rhosp13/openstack-nova-scheduler
rhosp13/openstack-octavia-worker
rhosp-rhel8/openstack-heat-engine
rhosp-rhel8/openstack-mistral-api
rhosp-rhel9/openstack-heat-engine
rhosp13/openstack-barbican-worker
rhosp13/openstack-ceilometer-base
rhosp13/openstack-ceilometer-ipmi
rhosp13/openstack-gnocchi-metricd
rhosp13/openstack-nova-novncproxy
rhosp13/openstack-swift-container
rhosp-rhel8/openstack-heat-api-cfn
rhosp-rhel8/openstack-mistral-base
rhosp-rhel9/openstack-heat-api-cfn
rhosp13/openstack-cinder-scheduler
rhosp13/openstack-ironic-conductor
rhosp13/openstack-ironic-inspector
rhosp13/openstack-manila-scheduler
rhosp13/openstack-mistral-executor
rhosp13/openstack-neutron-l3-agent
rhosp13/openstack-nova-consoleauth
rhosp-rhel8/openstack-tripleoclient
rhosp-rhel9/openstack-tripleoclient
rhosp-rhel8/openstack-mistral-engine
rhosp-rhel8/openstack-nova-scheduler
rhosp13/openstack-ceilometer-central
rhosp13/openstack-ceilometer-compute
rhosp13/openstack-neutron-dhcp-agent
rhosp13/openstack-neutron-server-ovn
rhosp13/openstack-nova-placement-api
rhosp13/openstack-swift-proxy-server
rhosp13/openstack-neutron-sriov-agent
rhosp13/openstack-nova-compute-ironic
rhosp-rhel8/openstack-mistral-executor
rhosp13/openstack-ironic-neutron-agent
rhosp13/openstack-mistral-event-engine
rhosp13/openstack-octavia-housekeeping
rhosp13/openstack-neutron-metadata-agent
rhosp13/openstack-octavia-health-manager
rhosp13/openstack-ceilometer-notification
rhosp-rhel8/openstack-mistral-event-engine
rhosp13/openstack-neutron-openvswitch-agent
rhosp13/openstack-barbican-keystone-listener
rhosp13/openstack-neutron-metadata-agent-ovn
rhosp13/openstack-neutron-server-opendaylight
Ignored packages (3) 
No impacted packages.
Permalink CVE-2025-64363
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 2 weeks ago by @pyrox0 Activity log
  • Created suggestion 6 months, 4 weeks ago
  • @pyrox0 dismissed 6 months, 2 weeks ago
WordPress Kleo theme < 5.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeventhQueen Kleo kleo allows PHP Local File Inclusion.This issue affects Kleo: from n/a through < 5.5.0.

Affected products

kleo
  • =<< 5.5.0

Matching in nixpkgs

listed packages are not the ones with a vulnerability
Permalink CVE-2025-12695
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 6 months, 2 weeks ago by @pyrox0 Activity log
  • Created suggestion 6 months, 4 weeks ago
  • @pyrox0 dismissed 6 months, 2 weeks ago
Insecure configuration in DSPy lead to arbitrary file read when running untrusted code inside the sandbox

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class.

Affected products

dspy
  • ==0

Matching in nixpkgs

Package maintainers

listed package is not the one with a vulnerability