Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-54725
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored
    2 packages
    • xfce.gigolo
    • ligolo-ng
    7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress Golo Theme <= 1.7.0 - Broken Authentication Vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0.

Affected products

golo
  • =<1.7.0
Ignored packages (2)

pkgs.ligolo-ng

Tunneling/pivoting tool that uses a TUN interface

  • nixos-unstable -

pkgs.xfce.gigolo

Frontend to easily manage connections to remote filesystems

  • nixos-unstable -
Permalink CVE-2024-3508
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored
    9 packages
    • bzip2
    • lbzip2
    • pbzip2
    • bzip2_1_1
    • indexed-bzip2
    • haskellPackages.bzip2-clib
    • python312Packages.indexed-bzip2
    • python313Packages.indexed-bzip2
    • tests.pkg-config.defaultPkgConfigPackages.bzip2
    7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
Bzip2: compressed content bomb leads to denial of service of bombastic api

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.

References

Affected products

bzip2
  • ==faa7a496c5d98e0f0859dd2c623eddf82289eaa8
SBOM-Management-(Bombastic)
Ignored packages (9)

pkgs.bzip2

High-quality data compression program

  • nixos-unstable -

pkgs.lbzip2

Parallel bzip2 compression utility

  • nixos-unstable -
    • nixpkgs-unstable 2.5

pkgs.pbzip2

Parallel implementation of bzip2 for multi-core machines

  • nixos-unstable -

pkgs.bzip2_1_1

High-quality data compression program

pkgs.indexed-bzip2

Python library for parallel decompression and seeking within compressed bzip2 files

  • nixos-unstable -
Permalink CVE-2025-58806
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored
    6 packages
    • haskellPackages.bugsnag
    • python312Packages.bugsnag
    • python313Packages.bugsnag
    • haskellPackages.bugsnag-hs
    • haskellPackages.bugsnag-wai
    • haskellPackages.bugsnag-yesod
    7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress WordPress Error Monitoring by Bugsnag Plugin <= 1.6.3 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in imjoehaines WordPress Error Monitoring by Bugsnag allows Stored XSS. This issue affects WordPress Error Monitoring by Bugsnag: from n/a through 1.6.3.

Affected products

bugsnag
  • =<1.6.3
Ignored packages (6)
Permalink CVE-2025-58801
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored package responder 7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress Responder Plugin <= 4.3.8 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in KCS Responder allows Cross Site Request Forgery. This issue affects Responder: from n/a through 4.3.8.

Affected products

responder
  • =<4.3.8
Ignored packages (1)

pkgs.responder

LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server

  • nixos-unstable -
Permalink CVE-2025-58820
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored package haskellPackages.data-carousel 7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress Carousel Ultimate Plugin <= 1.8 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Carousel Ultimate allows Stored XSS. This issue affects Carousel Ultimate: from n/a through 1.8.

Affected products

carousel
  • =<1.8
Ignored packages (1)
Permalink CVE-2025-58822
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored package wordpressPackages.plugins.wp-mail-smtp 7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress WP Mail Plugin <= 1.3 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail allows DOM-Based XSS. This issue affects WP Mail: from n/a through 1.3.

Affected products

wp-mail
  • =<1.3
Ignored packages (1)
Permalink CVE-2025-54709
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored
    4 packages
    • python312Packages.datasalad
    • python313Packages.datasalad
    • python312Packages.schema-salad
    • python313Packages.schema-salad
    7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress Sala Theme <= 1.1.6 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Sala. This issue affects Sala: from n/a through 1.1.6.

Affected products

sala
  • =<1.1.6
Ignored packages (4)

pkgs.python312Packages.datasalad

Pure-Python library with a collection of utilities for working with Git and git-annex

  • nixos-unstable -

pkgs.python313Packages.datasalad

Pure-Python library with a collection of utilities for working with Git and git-annex

  • nixos-unstable -
Permalink CVE-2025-58997
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored
    8 packages
    • libmowgli
    • python312Packages.aioautomower
    • python313Packages.aioautomower
    • python312Packages.automower-ble
    • python313Packages.automower-ble
    • home-assistant-component-tests.lawn_mower
    • home-assistant-component-tests.husqvarna_automower
    • home-assistant-component-tests.husqvarna_automower_ble
    7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress Mow Theme <= 4.10 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection. This issue affects Mow: from n/a through 4.10.

Affected products

mow
  • =<4.10
Ignored packages (8)

pkgs.libmowgli

Development framework for C providing high performance and highly flexible algorithms

  • nixos-unstable -
Permalink CVE-2025-58993
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 7 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months ago
  • @LeSuisse ignored
    6 packages
    • haskellPackages.timeless-tutorials
    • typstPackages.tutor_0_8_0
    • typstPackages.tutor_0_7_0
    • typstPackages.tutor_0_6_1
    • typstPackages.tutor_0_4_0
    • typstPackages.tutor_0_3_0
    7 months, 2 weeks ago
  • @LeSuisse dismissed 7 months, 2 weeks ago
WordPress Tutor LMS Plugin <= 3.7.4 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: from n/a through 3.7.4.

Affected products

tutor
  • =<3.7.4
Ignored packages (6)
Permalink CVE-2025-57924
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 7 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 8 months, 3 weeks ago
  • @mweinelt ignored package darwin.developer_cmds 7 months, 2 weeks ago
  • @mweinelt dismissed 7 months, 2 weeks ago
WordPress Developer Plugin <= 1.2.6 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Automattic Developer allows Cross Site Request Forgery. This issue affects Developer: from n/a through 1.2.6.

Affected products

developer
  • =<1.2.6
Ignored packages (1)