Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-62034
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Togo theme < 1.0.4 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

References

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-58964
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Enzy theme < 1.6.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Enzy enzy allows Reflected XSS.This issue affects Enzy: from n/a through < 1.6.4.

References

Affected products

enzy
  • =<< 1.6.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-62033
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Togo theme < 1.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

References

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-62037
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Togo theme < 1.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

References

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-62036
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Togo theme < 1.0.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

References

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-62035
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Togo theme < 1.0.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.

References

Affected products

togo
  • =<< 1.0.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-54721
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Resca theme <= 3.0.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Resca resca allows Reflected XSS.This issue affects Resca: from n/a through <= 3.0.2.

References

Affected products

resca
  • =<<= 3.0.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-64277
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress ChatBot plugin <= 7.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ChatBot: from n/a through <= 7.3.9.

References

Affected products

chatbot
  • =<<= 7.3.9

Matching in nixpkgs

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

  • nixos-unstable 22
    • nixpkgs-unstable 22
    • nixos-unstable-small 22

Package maintainers

Permalink CVE-2025-64259
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 4 months ago
  • @LeSuisse dismissed 3 months, 2 weeks ago
WordPress Theater for WordPress plugin <= 0.18.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.18.8.

References

Affected products

theatre
  • =<<= 0.18.8

Matching in nixpkgs

Permalink CVE-2025-49251
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    33 packages
    • grafana
    • grafanactl
    • mcp-grafana
    • grafana-loki
    • grafana-alloy
    • grafana-kiosk
    • grafana-to-ntfy
    • grafana-dash-n-grab
    • dhallPackages.dhall-grafana
    • terraform-providers.grafana
    • python312Packages.grafanalib
    • python313Packages.grafanalib
    • haskellPackages.amazonka-grafana
    • grafanaPlugins.grafana-oncall-app
    • grafanaPlugins.grafana-clock-panel
    • grafanaPlugins.grafana-pyroscope-app
    • grafanaPlugins.grafana-googlesheets-datasource
    • grafanaPlugins.grafana-opensearch-datasource
    • grafanaPlugins.grafana-clickhouse-datasource
    • python313Packages.types-aiobotocore-grafana
    • python312Packages.types-aiobotocore-grafana
    • grafanaPlugins.grafana-metricsdrilldown-app
    • grafanaPlugins.grafana-discourse-datasource
    • grafanaPlugins.grafana-sentry-datasource
    • grafanaPlugins.grafana-github-datasource
    • grafanaPlugins.grafana-exploretraces-app
    • grafanaPlugins.grafana-mqtt-datasource
    • grafanaPlugins.grafana-lokiexplore-app
    • grafanaPlugins.grafana-worldmap-panel
    • grafanaPlugins.grafana-polystat-panel
    • grafanaPlugins.grafana-piechart-panel
    • python313Packages.mypy-boto3-grafana
    • python312Packages.mypy-boto3-grafana
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Fana <= 1.1.28 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through 1.1.28.

References

Affected products

fana
  • =<1.1.28