Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-58946
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    3 packages
    • typstPackages.unequivocal-ams_0_1_2
    • typstPackages.unequivocal-ams_0_1_1
    • typstPackages.unequivocal-ams_0_1_0
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Vocal theme <= 1.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion.This issue affects Vocal: from n/a through <= 1.12.

References

Affected products

vocal
  • =<<= 1.12 
WP theme not present in nixpkgs
Permalink CVE-2025-64253
4.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    12 packages
    • health-check
    • grpc-health-check
    • python312Packages.django-health-check
    • python313Packages.django-health-check
    • rubyPackages.github-pages-health-check
    • python312Packages.grpcio-health-checking
    • python313Packages.grpcio-health-checking
    • rubyPackages_3_1.github-pages-health-check
    • rubyPackages_3_2.github-pages-health-check
    • rubyPackages_3_3.github-pages-health-check
    • rubyPackages_3_4.github-pages-health-check
    • rubyPackages_3_5.github-pages-health-check
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Health Check & Troubleshooting plugin <= 1.7.1 - Path Traversal vulnerability

Path Traversal: '.../...//' vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal.This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1.

References

Affected products

health-check
  • =<<= 1.7.1 
WP plugin not present in nixpkgs
Permalink CVE-2025-60050
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    25 packages
    • redpanda-client
    • python312Packages.pandas
    • python313Packages.pandas
    • python312Packages.biopandas
    • python312Packages.geopandas
    • python312Packages.pandantic
    • python312Packages.pandas-ta
    • python313Packages.biopandas
    • python313Packages.geopandas
    • python313Packages.pandantic
    • python313Packages.pandas-ta
    • python312Packages.pint-pandas
    • python313Packages.pint-pandas
    • python312Packages.pandas-stubs
    • python313Packages.pandas-stubs
    • python312Packages.awkward-pandas
    • python312Packages.netdata-pandas
    • python313Packages.awkward-pandas
    • python313Packages.netdata-pandas
    • python312Packages.geoarrow-pandas
    • python313Packages.geoarrow-pandas
    • pkgsRocm.python3Packages.pandantic
    • python312Packages.prometheus-pandas
    • python313Packages.prometheus-pandas
    • pkgsRocm.python3Packages.pandas-stubs
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Panda theme <= 1.21 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion.This issue affects Panda: from n/a through <= 1.21.

References

Affected products

panda
  • =<<= 1.21 
WP theme not present in nixpkgs
Permalink CVE-2025-62014
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    5 packages
    • python313Packages.pypitoken
    • python312Packages.pypitoken
    • python313Packages.auditok
    • python312Packages.auditok
    • scitokens-cpp
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress ITok theme <= 1.1.42 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme ITok itok.This issue affects ITok: from n/a through <= 1.1.42.

References

Affected products

itok
  • =<<= 1.1.42 
WP theme not present in nixpkgs
Permalink CVE-2025-53443
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    2 packages
    • l-smash
    • git-smash
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Smash theme <= 1.7 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Smash smash allows PHP Local File Inclusion.This issue affects Smash: from n/a through <= 1.7.

References

Affected products

smash
  • =<<= 1.7 
WP theme not present in nixpkgs
Permalink CVE-2025-58940
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse removed
    4 packages
    • basilk
    • basiliskii
    • typstPackages.dmi-basilea-thesis_0_1_0
    • typstPackages.dmi-basilea-thesis_0_1_1
    2 months ago
  • @LeSuisse dismissed 2 months ago
WordPress Basil theme <= 1.3.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion.This issue affects Basil: from n/a through <= 1.3.12.

References

Affected products

basil
  • =<<= 1.3.12 
WP theme not present in nixpkgs
Permalink CVE-2025-55251
3.1 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months ago by @mweinelt Activity log
  • Created automatic suggestion 2 months ago
  • @mweinelt dismissed 2 months ago
HCL AION is affected by an Unrestricted File Upload vulnerability

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

References

Affected products

AION
  • ==2

Matching in nixpkgs

Package maintainers

not packaged
Permalink CVE-2026-1170
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 2 months ago by @mweinelt Activity log
  • Created automatic suggestion 2 months ago
  • @mweinelt dismissed 2 months ago
birkir prime GraphQL API graphql information disclosure

A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

Affected products

prime
  • ==0.4.0.beta

Matching in nixpkgs

pkgs.prime-server

Non-blocking (web)server API for distributed computing and SOA based on zeromq

Package maintainers

Not packaged
Permalink CVE-2025-55250
1.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 2 months ago by @mweinelt Activity log
  • Created automatic suggestion 2 months ago
  • @mweinelt dismissed 2 months ago
HCL AION is affected by a Technical Error Disclosure vulnerability

HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks.

References

Affected products

AION
  • ==2

Matching in nixpkgs

Package maintainers

Not packaged
Permalink CVE-2026-21696
updated 2 months ago by @mweinelt Activity log
  • Created automatic suggestion 2 months ago
  • @mweinelt dismissed 2 months ago
Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being considered

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panels' database server runs out of disk space. Version 1.12.0 fixes the issue.

References

Affected products

wings
  • ==>= 1.7.0, < 1.12.0

Matching in nixpkgs

pkgs.wings

Subdivision modeler inspired by Nendo and Mirai from Izware

pkgs.swingsane

Java GUI for SANE scanner servers (saned)

Package maintainers

Not packaged