Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-62962
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    11 packages
    • python313Packages.types-aiobotocore-cloudsearchdomain
    • python312Packages.types-aiobotocore-cloudsearchdomain
    • python313Packages.types-aiobotocore-cloudsearch
    • python312Packages.types-aiobotocore-cloudsearch
    • python313Packages.mypy-boto3-cloudsearchdomain
    • python312Packages.mypy-boto3-cloudsearchdomain
    • haskellPackages.amazonka-cloudsearch-domains
    • python313Packages.mypy-boto3-cloudsearch
    • python312Packages.mypy-boto3-cloudsearch
    • haskellPackages.amazonka-cloudsearch
    • haskellPackages.gogol-cloudsearch
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress CloudSearch plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Andrea Landonio CloudSearch cloud-search allows Stored XSS.This issue affects CloudSearch: from n/a through <= 3.0.0.

References

Affected products

cloud-search
  • =<<= 3.0.0 
WP plugin not present in nixpkgs
Permalink CVE-2021-47857
7.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • moodle-dl
    • moodle
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
Moodle 3.10.3 - 'label' Persistent Cross Site Scripting

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

References

Affected products

Moodle
  • ==3.10.3 
Current stable and unstable branches not impacted
Permalink CVE-2026-23524
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • hybridreverb2
    • dragonfly-reverb
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
Laravel Redis Horizontal Scaling Insecure Deserialization

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

References

Affected products

reverb
  • ==< 1.7.0 
Not present in nixpkgs
Permalink CVE-2026-23975
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • ligolo-ng
    • xfce.gigolo
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress Golo theme < 1.7.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.This issue affects Golo: from n/a through < 1.7.5.

References

Affected products

golo
  • =<< 1.7.5 
WP theme not packaged in nixpkgs
Permalink CVE-2025-68008
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package wordpressPackages.plugins.wp-mail-smtp 1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3.

References

Affected products

wp-mail
  • =<<= 1.3 
`wp-mail` plugin not packaged in nixpkgs
Permalink CVE-2026-23974
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • ligolo-ng
    • xfce.gigolo
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Golo: from n/a through < 1.7.5.

References

Affected products

golo
  • =<< 1.7.5 
WP theme not present in nixpkgs
Permalink CVE-2025-49249
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    9 packages
    • python313Packages.dronecan
    • python312Packages.dronecan
    • drone-runner-docker
    • drone-runner-ssh
    • drone-runner-exec
    • drone-oss
    • drone-scp
    • drone-cli
    • drone
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress Drone theme <= 1.40 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40.

References

Affected products

drone
  • =<<= 1.40 
WP theme not present in nixpkgs
Permalink CVE-2025-49994
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package athens 1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress Athens theme <= 1.1.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion.This issue affects Athens: from n/a through <= 1.1.6.

References

Affected products

athens
  • =<<= 1.1.6 
WP theme not present in nixpkgs
Permalink CVE-2025-67614
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    11 packages
    • typstPackages.athena-tu-darmstadt-exercise_0_2_0
    • typstPackages.athena-tu-darmstadt-exercise_0_1_0
    • typstPackages.athena-tu-darmstadt-thesis_0_1_1
    • typstPackages.athena-tu-darmstadt-thesis_0_1_0
    • python313Packages.types-aiobotocore-athena
    • python312Packages.types-aiobotocore-athena
    • python313Packages.mypy-boto3-athena
    • python312Packages.mypy-boto3-athena
    • haskellPackages.amazonka-athena
    • python313Packages.pyathena
    • python312Packages.pyathena
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress TheNa theme <= 1.5.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5.

References

Affected products

thena
  • =<<= 1.5.5 
WP theme not packaged in nixpkgs
Permalink CVE-2025-69042
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    3 packages
    • libsForQt5.calindori
    • kdePackages.calindori
    • plasma5Packages.calindori
    1 month, 3 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
WordPress Lindo theme <= 1.2.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion.This issue affects Lindo: from n/a through <= 1.2.5.

References

Affected products

lindo
  • =<<= 1.2.5 
WP theme not present in nixpkgs