Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-67936
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    3 packages
    • ocamlPackages.curly
    • haskellPackages.curly-expander
    • haskellPackages.recurly-client
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Curly theme < 3.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3.

References

Affected products

curly
  • =<< 3.3 
WP theme not packaged in nixpkgs
Permalink CVE-2025-60206
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    8 packages
    • selenium-server-standalone
    • cbqn-standalone-replxx
    • htmlunit-driver
    • cbqn-standalone
    • argp-standalone
    • art-standalone
    • selendroid
    • stalonetray
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Alone theme <= 7.8.3 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3.

References

Affected products

alone
  • =<<= 7.8.3 
WP theme not package in nixpkgs
Permalink CVE-2025-67568
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    10 packages
    • python312Packages.baseline
    • python313Packages.baseline
    • python312Packages.baselines
    • python313Packages.baselines
    • pkgsRocm.python3Packages.baselines
    • python312Packages.stable-baselines3
    • python313Packages.stable-baselines3
    • pkgsRocm.python3Packages.stable-baselines3
    • python312Packages.robotframework-databaselibrary
    • python313Packages.robotframework-databaselibrary
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Basel theme <= 5.9.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Basel: from n/a through <= 5.9.1.

References

Affected products

basel
  • =<<= 5.9.1 
WP theme not packaged in nixpkgs
Permalink CVE-2025-60212
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package ocamlPackages.reactivedata 2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress VEDA Theme <= 4.2 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in designthemes VEDA veda allows Object Injection.This issue affects VEDA: from n/a through <= 4.2.

References

Affected products

veda
  • =<<= 4.2 
WP theme not present in nixpkgs
Permalink CVE-2025-68546
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    3 packages
    • nika-fonts
    • python312Packages.minikanren
    • python313Packages.minikanren
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Nika theme <= 1.2.14 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion.This issue affects Nika: from n/a through 1.2.14.

References

Affected products

Nika
  • =<1.2.14 
WP theme not present in nixpkgs
Permalink CVE-2025-52750
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package emu2 2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Emu2 plugin <= 0.83b - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juergen Schulze Emu2 emu2-email-users-2 allows Reflected XSS.This issue affects Emu2: from n/a through <= 0.83b.

References

Affected products

emu2-email-users-2
  • =<<= 0.83b 
WP plugin not present in nixpkgs
Permalink CVE-2025-64230
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    5 packages
    • typstPackages.efilrst_0_3_2
    • typstPackages.efilrst_0_3_1
    • typstPackages.efilrst_0_3_0
    • typstPackages.efilrst_0_2_0
    • typstPackages.efilrst_0_1_0
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Filr plugin <= 1.2.10 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Chill Filr filr-protection allows Path Traversal.This issue affects Filr: from n/a through <= 1.2.10.

References

Affected products

filr-protection
  • =<<= 1.2.10 
WP plugin not present in nixpkgs
Permalink CVE-2025-62092
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Wiremo plugin <= 1.4.99 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wiremo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wiremo: from n/a through 1.4.99.

References

Affected products

woo-reviews-by-wiremo
  • =<1.4.99

Matching in nixpkgs

Package maintainers

WP plugin not present in nixpkgs
Permalink CVE-2025-58942
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    3 packages
    • python312Packages.aioridwell
    • python313Packages.aioridwell
    • home-assistant-component-tests.ridwell
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Dwell theme <= 1.7.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Dwell dwell allows PHP Local File Inclusion.This issue affects Dwell: from n/a through <= 1.7.0.

References

Affected products

dwell
  • =<<= 1.7.0 
WP theme note present in nixpkgs
Permalink CVE-2025-58708
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed package tests.haskell.upstreamStackHpackVersion 2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress 777 theme <= 1.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes 777 triple-seven allows PHP Local File Inclusion.This issue affects 777: from n/a through <= 1.3.

References

Affected products

triple-seven
  • =<<= 1.3 
WP theme note present in nixpkgs