Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-14430
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed package brook 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Brook - Agency Business Creative theme <= 2.8.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion.This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9.

References

Affected products

brook
  • =<<= 2.8.9 
WP theme not present in nixpkgs
Permalink CVE-2025-67928
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed package haskellPackages.automotive-cse 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6.

References

Affected products

automotive
  • =<<= 18.6 
WP plugin not present in nixpkgs
Permalink CVE-2025-22712
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed package cargo-typify 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Typify theme <= 3.0.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion.This issue affects Typify: from n/a through <= 3.0.2.

References

Affected products

typify
  • =<<= 3.0.2 
WP theme not present in nixpkgs
Permalink CVE-2025-62136
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed package melos 2 months, 1 week ago
  • @LeSuisse dismissed 2 months, 1 week ago
WordPress Melos theme <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Melos allows Stored XSS.This issue affects Melos: from n/a through 1.6.0.

References

Affected products

melos
  • =<1.6.0 
WP theme not present in nixpkgs
Permalink CVE-2025-62229
7.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @leona-ya Activity log
  • Created automatic suggestion 4 months ago
  • @leona-ya removed package tigervnc 3 months ago
  • @leona-ya accepted 3 months ago
  • @leona-ya dismissed 3 months ago
Xorg: xmayland: use-after-free in xpresentnotify structure creation

A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

References

Affected products

tigervnc
  • *
xwayland
  • <24.1.9
xorg-x11-server
  • *
xorg-x11-server-Xwayland
  • * 
already updated in nixpkgs 25.05, 25.11 and unstable.
Permalink CVE-2023-43787
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse removed
    2 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    3 months ago
  • @LeSuisse dismissed 3 months ago
Libx11: integer overflow in xcreateimage() leading to a heap overflow

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

References

Affected products

libX11
  • <1.8.7
  • ==1.8.7
  • * 
No impacted packages
Permalink CVE-2023-43786
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 3 months ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse removed
    4 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    • xorg.libXpm
    • tests.pkg-config.defaultPkgConfigPackages.xpm
    3 months ago
  • @LeSuisse dismissed 3 months ago
Libx11: stack exhaustion from infinite recursion in putsubimage()

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.

References

Affected products

libX11
  • ==1.8.7
  • *
libXpm
  • <3.5.17 
No impacted packages
Permalink CVE-2023-43785
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse removed
    2 packages
    • xorg.libX11
    • tests.pkg-config.defaultPkgConfigPackages.x11
    3 months ago
  • @LeSuisse dismissed 3 months ago
Libx11: out-of-bounds memory access in _xkbreadkeysyms()

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.

References

Affected products

libX11
  • <1.8.7
  • ==1.8.7
  • * 
No impacted packages
Permalink CVE-2021-4472
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 2 weeks ago
  • @LeSuisse removed
    3 packages
    • mistralclient
    • python312Packages.python-mistralclient
    • python313Packages.python-mistralclient
    3 months ago
  • @LeSuisse dismissed 3 months ago
Python-mistralclient: mistral-dashboard: local file inclusion through the 'create workbook' feature

The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content.

References

Affected products

python-mistralclient
rhosp13/openstack-zaqar
rhosp13/openstack-ec2-api
rhosp13/openstack-horizon
rhosp13/openstack-tempest
rhosp13/openstack-aodh-api
rhosp13/openstack-collectd
rhosp13/openstack-heat-all
rhosp13/openstack-heat-api
rhosp13/openstack-keystone
rhosp13/openstack-nova-api
rhosp13/openstack-aodh-base
rhosp13/openstack-heat-base
rhosp13/openstack-nova-base
rhosp13/openstack-panko-api
rhosp13/openstack-cinder-api
rhosp13/openstack-glance-api
rhosp13/openstack-ironic-api
rhosp13/openstack-ironic-pxe
rhosp13/openstack-manila-api
rhosp13/openstack-panko-base
rhosp13/openstack-sahara-api
rhosp13/openstack-swift-base
rhosp13/openstack-cinder-base
rhosp13/openstack-glance-base
rhosp13/openstack-gnocchi-api
rhosp13/openstack-heat-engine
rhosp13/openstack-ironic-base
rhosp13/openstack-manila-base
rhosp13/openstack-mistral-api
rhosp13/openstack-octavia-api
rhosp13/openstack-sahara-base
rhosp-rhel8/openstack-heat-all
rhosp-rhel8/openstack-heat-api
rhosp-rhel9/openstack-heat-all
rhosp-rhel9/openstack-heat-api
rhosp13/openstack-barbican-api
rhosp13/openstack-dependencies
rhosp13/openstack-gnocchi-base
rhosp13/openstack-heat-api-cfn
rhosp13/openstack-horizon-base
rhosp13/openstack-manila-share
rhosp13/openstack-mistral-base
rhosp13/openstack-neutron-base
rhosp13/openstack-nova-compute
rhosp13/openstack-octavia-base
rhosp13/openstack-swift-object
rhosp-rhel8/openstack-heat-base
rhosp-rhel9/openstack-heat-base
rhosp13/openstack-aodh-listener
rhosp13/openstack-aodh-notifier
rhosp13/openstack-barbican-base
rhosp13/openstack-cinder-backup
rhosp13/openstack-cinder-volume
rhosp13/openstack-keystone-base
rhosp13/openstack-sahara-engine
rhosp13/openstack-swift-account
rhosp13/openstack-aodh-evaluator
rhosp13/openstack-gnocchi-statsd
rhosp13/openstack-mistral-engine
rhosp13/openstack-neutron-server
rhosp13/openstack-nova-conductor
rhosp13/openstack-nova-scheduler
rhosp13/openstack-octavia-worker
rhosp-rhel8/openstack-heat-engine
rhosp-rhel8/openstack-mistral-api
rhosp-rhel9/openstack-heat-engine
rhosp13/openstack-barbican-worker
rhosp13/openstack-ceilometer-base
rhosp13/openstack-ceilometer-ipmi
rhosp13/openstack-gnocchi-metricd
rhosp13/openstack-nova-novncproxy
rhosp13/openstack-swift-container
rhosp-rhel8/openstack-heat-api-cfn
rhosp-rhel8/openstack-mistral-base
rhosp-rhel9/openstack-heat-api-cfn
rhosp13/openstack-cinder-scheduler
rhosp13/openstack-ironic-conductor
rhosp13/openstack-ironic-inspector
rhosp13/openstack-manila-scheduler
rhosp13/openstack-mistral-executor
rhosp13/openstack-neutron-l3-agent
rhosp13/openstack-nova-consoleauth
rhosp-rhel8/openstack-tripleoclient
rhosp-rhel9/openstack-tripleoclient
rhosp-rhel8/openstack-mistral-engine
rhosp-rhel8/openstack-nova-scheduler
rhosp13/openstack-ceilometer-central
rhosp13/openstack-ceilometer-compute
rhosp13/openstack-neutron-dhcp-agent
rhosp13/openstack-neutron-server-ovn
rhosp13/openstack-nova-placement-api
rhosp13/openstack-swift-proxy-server
rhosp13/openstack-neutron-sriov-agent
rhosp13/openstack-nova-compute-ironic
rhosp-rhel8/openstack-mistral-executor
rhosp13/openstack-ironic-neutron-agent
rhosp13/openstack-mistral-event-engine
rhosp13/openstack-octavia-housekeeping
rhosp13/openstack-neutron-metadata-agent
rhosp13/openstack-octavia-health-manager
rhosp13/openstack-ceilometer-notification
rhosp-rhel8/openstack-mistral-event-engine
rhosp13/openstack-neutron-openvswitch-agent
rhosp13/openstack-barbican-keystone-listener
rhosp13/openstack-neutron-metadata-agent-ovn
rhosp13/openstack-neutron-server-opendaylight 
No impacted packages.
Permalink CVE-2025-64363
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @pyrox0 Activity log
  • Created automatic suggestion 4 months ago
  • @pyrox0 dismissed 3 months, 2 weeks ago
WordPress Kleo theme < 5.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeventhQueen Kleo kleo allows PHP Local File Inclusion.This issue affects Kleo: from n/a through < 5.5.0.

References

Affected products

kleo
  • =<< 5.5.0

Matching in nixpkgs

listed packages are not the ones with a vulnerability