Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-22414
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Marra theme <= 1.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Marra marra allows PHP Local File Inclusion.This issue affects Marra: from n/a through <= 1.2.

References

Affected products

marra
  • =<<= 1.2

Matching in nixpkgs

Package maintainers

Not present in nixpkgs
Permalink CVE-2026-27993
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed
    3 packages
    • aldo
    • saldo
    • banking
    2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Aldo theme <= 1.0.10 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aldo aldo allows PHP Local File Inclusion.This issue affects Aldo: from n/a through <= 1.0.10.

References

Affected products

aldo
  • =<<= 1.0.10
Ignored packages (3) 
Not present in nixpkgs
Permalink CVE-2026-27382
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed
    21 packages
    • metronome
    • gmetronome
    • kmetronome
    • typstPackages.metro
    • haskellPackages.metro
    • typstPackages.metronic
    • typstPackages.metro_0_1_0
    • typstPackages.metro_0_1_1
    • typstPackages.metro_0_2_0
    • typstPackages.metro_0_3_0
    • typstPackages.metropolyst
    • haskellPackages.metro-socket
    • typstPackages.metronic_1_0_0
    • typstPackages.metronic_1_1_0
    • typstPackages.metropolyst_0_1_0
    • typstPackages.metropolis-polylux
    • haskellPackages.mighty-metropolis
    • haskellPackages.metro-transport-xor
    • haskellPackages.metro-transport-crypto
    • typstPackages.metropolis-polylux_0_1_0
    • haskellPackages.metro-transport-websockets
    2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Metro theme <= 2.13 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through <= 2.13.

References

Affected products

metro
  • =<<= 2.13
Ignored packages (21) 
Not present in nixpkgs
Permalink CVE-2026-27369
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed
    5 packages
    • celeste
    • celeste64
    • celestegame
    • celeste-classic
    • celeste-classic-pm
    2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Celeste theme <= 1.3.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6.

References

Affected products

celeste
  • =<<= 1.3.6
Ignored packages (5) 
Not present in nixpkgs
Permalink CVE-2025-69343
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed package haskellPackages.theatre-dev 2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Theater for WordPress plugin <= 0.19 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19.

References

Affected products

theatre
  • =<<= 0.19
Ignored packages (1) 
Not present in nixpkgs
Permalink CVE-2026-22443
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed package alliance 2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Alliance theme <= 3.1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Alliance alliance allows PHP Local File Inclusion.This issue affects Alliance: from n/a through <= 3.1.1.

References

Affected products

alliance
  • =<<= 3.1.1
Ignored packages (1) 
Not present in nixpkgs
Permalink CVE-2026-28032
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed
    4 packages
    • python312Packages.finetuning-scheduler
    • python313Packages.finetuning-scheduler
    • python314Packages.finetuning-scheduler
    • pkgsRocm.python3Packages.finetuning-scheduler
    2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Tuning theme <= 1.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tuning tuning allows PHP Local File Inclusion.This issue affects Tuning: from n/a through <= 1.3.

References

Affected products

tuning
  • =<<= 1.3
Ignored packages (4) 
Not present in nixpkgs
Permalink CVE-2026-22475
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed package restate 2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Estate theme <= 1.3.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection.This issue affects Estate: from n/a through <= 1.3.4.

References

Affected products

estate
  • =<<= 1.3.4
Ignored packages (1) 
Not present in nixpkgs
Permalink CVE-2026-28076
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed package guff 2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
WordPress Guff theme <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Frenify Guff guff allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Guff: from n/a through <= 1.0.1.

References

Affected products

guff
  • =<<= 1.0.1
Ignored packages (1) 
Not present in nixpkgs
Permalink CVE-2026-29081
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @LeSuisse removed
    3 packages
    • nixos-artwork.wallpapers.catppuccin-frappe
    • nixos-artwork.wallpapers.nineish-catppuccin-frappe
    • nixos-artwork.wallpapers.nineish-catppuccin-frappe-alt
    2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 2 days ago
Frappe: Possibility of SQL Injection due to improper fieldname sanitization

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0.

References

Affected products

frappe
  • ==< 14.100.1
  • ==< 15.100.0
Ignored packages (3) 
Not present in nixpkgs