Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package wordpressPackages.plugins.wp-mail-smtp
  • @LeSuisse dismissed
WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3.

Affected products

wp-mail
  • <= 1.3
`wp-mail` plugin not packaged in nixpkgs
updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    2 packages
    • ligolo-ng
    • xfce.gigolo
  • @LeSuisse dismissed
WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5.

Affected products

golo
  • < 1.7.5

Package maintainers

WP theme not present in nixpkgs
updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    9 packages
    • python313Packages.dronecan
    • python312Packages.dronecan
    • drone-runner-docker
    • drone-runner-ssh
    • drone-runner-exec
    • drone-oss
    • drone-scp
    • drone-cli
    • drone
  • @LeSuisse dismissed
WordPress Drone theme <= 1.40 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40.

Affected products

drone
  • <= 1.40

Package maintainers

WP theme not present in nixpkgs
updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed package athens
  • @LeSuisse dismissed
WordPress Athens theme <= 1.1.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion. This issue affects Athens: from n/a through <= 1.1.6.

Affected products

athens
  • <= 1.1.6

Package maintainers

WP theme not present in nixpkgs
updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    11 packages
    • typstPackages.athena-tu-darmstadt-exercise_0_2_0
    • typstPackages.athena-tu-darmstadt-exercise_0_1_0
    • typstPackages.athena-tu-darmstadt-thesis_0_1_1
    • typstPackages.athena-tu-darmstadt-thesis_0_1_0
    • python313Packages.types-aiobotocore-athena
    • python312Packages.types-aiobotocore-athena
    • python313Packages.mypy-boto3-athena
    • python312Packages.mypy-boto3-athena
    • haskellPackages.amazonka-athena
    • python313Packages.pyathena
    • python312Packages.pyathena
  • @LeSuisse dismissed
WordPress TheNa theme <= 1.5.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5.

Affected products

thena
  • <= 1.5.5

Package maintainers

WP theme not packaged in nixpkgs
updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • libsForQt5.calindori
    • kdePackages.calindori
    • plasma5Packages.calindori
  • @LeSuisse dismissed
WordPress Lindo theme <= 1.2.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5.

Affected products

lindo
  • <= 1.2.5

Package maintainers

WP theme not present in nixpkgs
updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • depotdownloader
    • python312Packages.filedepot
    • python313Packages.filedepot
  • @LeSuisse dismissed
WordPress Depot theme <= 1.16 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16.

Affected products

depot
  • <= 1.16

Package maintainers

WP theme not present in nixpkgs
updated 1 week, 5 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    11 packages
    • fsnotifier
    • mpris-notifier
    • terminal-notifier
    • usbguard-notifier
    • python312Packages.pynotifier
    • python313Packages.pynotifier
    • deadbeefPlugins.statusnotifier
    • python312Packages.desktop-notifier
    • kdePackages.kstatusnotifieritem
    • python313Packages.desktop-notifier
    • haskellPackages.status-notifier-item
  • @LeSuisse dismissed
WordPress WANotifier plugin <= 2.7.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12.

Affected products

notifier
  • <= 2.7.12

Package maintainers

WP plugin not present in nixpkgs
updated 1 week, 6 days ago by @tomberek Activity log
  • Created automatic suggestion
  • @tomberek removed
    3 packages
    • websocketpp
    • nlojet
    • itpp
  • @tomberek dismissed
Changjetong T+ <= 16.x GetStoreWarehouseByStore Deserialization RCE

Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC).

Affected products

T+
  • <= 16.x

Package maintainers

Not Applicable
updated 1 week, 6 days ago by @tomberek Activity log
  • Created automatic suggestion
  • @tomberek dismissed
CVE-2025-13151

Stack-based buffer overflow in libtasn1 v4.20.0. The function asn1_expend_octet_string fails to validate the size of its input data, resulting in a buffer overflow.

Affected products

libtasn1
  • <= 4.20.0

Matching in nixpkgs

https://github.com/NixOS/nixpkgs/pull/478141 merged