Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-49253
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    3 packages
    • typstPackages.lasagna_0_1_0
    • typstPackages.lasaveur_0_1_3
    • typstPackages.lasaveur_0_1_4
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Lasa <= 1.1 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1.

References

Affected products

lasa
  • =<1.1
Permalink CVE-2025-49259
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    11 packages
    • charasay
    • gnome-characters
    • keepass-charactercopy
    • unicode-character-database
    • haskellPackages.character-ps
    • coqPackages.mathcomp-character
    • python312Packages.characteristic
    • python313Packages.characteristic
    • magnetophonDSP.CharacterCompressor
    • python312Packages.character-encoding-utils
    • python313Packages.character-encoding-utils
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Hara <= 1.2.10 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through 1.2.10.

References

Affected products

hara
  • =<1.2.10
Permalink CVE-2025-23999
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    14 packages
    • kdePackages.breeze
    • kdePackages.breeze-gtk
    • kdePackages.breeze-grub
    • libsForQt5.breeze-icons
    • kdePackages.breeze-icons
    • breeze-hacked-cursor-theme
    • kdePackages.breeze-plymouth
    • python312Packages.seabreeze
    • python313Packages.seabreeze
    • plasma5Packages.breeze-icons
    • kdePackages.qqc2-breeze-style
    • wordpressPackages.plugins.breeze
    • kdePackages.sierra-breeze-enhanced
    • qt6Packages.sierra-breeze-enhanced
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Breeze plugin <= 2.2.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through 2.2.13.

References

Affected products

breeze
  • =<2.2.13
Permalink CVE-2025-49976
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    10 packages
    • fsnotifier
    • mpris-notifier
    • terminal-notifier
    • usbguard-notifier
    • python312Packages.pynotifier
    • python312Packages.desktop-notifier
    • python313Packages.desktop-notifier
    • haskellPackages.status-notifier-item
    • kdePackages.kstatusnotifieritem
    • python313Packages.pynotifier
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress WANotifier plugin <= 2.7.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WANotifier WANotifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through 2.7.7.

References

Affected products

notifier
  • =<2.7.7
Permalink CVE-2025-49974
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    3 packages
    • git-upstream
    • lomiri.qtmir
    • tests.haskell.upstreamStackHpackVersion
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.

References

Affected products

upstream
  • =<2.1.0
Permalink CVE-2025-53338
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    23 packages
    • replace
    • fireplace
    • qsreplace
    • replacement
    • replace-secret
    • haskellPackages.replace-attoparsec
    • haskellPackages.replace-megaparsec
    • haskellPackages.text-regex-replace
    • tests.substitute.legacySingleReplace
    • tests.replaceVars.replaceVars.succeeds
    • tests.replaceVars.replaceVarsWith.succeeds
    • tests.replaceVars.replaceVars.fails-on-directory
    • tests.replaceVars.replaceVars.fails-in-build-phase
    • tests.replaceVars.replaceVars.fails-in-check-phase
    • tests.replaceVars.replaceVarsWith.fails-on-directory
    • tests.replaceVars.replaceVars.succeeds-with-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-build-phase
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase
    • tests.replaceVars.replaceVarsWith.succeeds-with-exemption
    • tests.replaceVars.replaceVars.fails-in-check-phase-with-exemption
    • tests.replaceVars.replaceVars.fails-in-check-phase-with-bad-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-exemption
    • tests.replaceVars.replaceVarsWith.fails-in-check-phase-with-bad-exemption
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress re.place plugin <= 0.2.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1.

References

Affected products

replace
  • =<0.2.1
Permalink CVE-2025-52826
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    4 packages
    • python312Packages.datasalad
    • python313Packages.datasalad
    • python312Packages.schema-salad
    • python313Packages.schema-salad
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Sala theme <= 1.1.3 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.

References

Affected products

sala
  • =<1.1.3
Permalink CVE-2025-31428
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    11 packages
    • hydrogen
    • hydroxide
    • libhydrogen
    • tau-hydrogen
    • fishPlugins.hydro
    • hydrogen-web-unwrapped
    • python312Packages.hydrogram
    • python313Packages.hydrogram
    • haskellPackages.hydrogen-version
    • python312Packages.swisshydrodata
    • python313Packages.swisshydrodata
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress HYDRO theme <= 2.8 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddhaThemes HYDRO allows Reflected XSS. This issue affects HYDRO: from n/a through 2.8.

References

Affected products

hydro
  • =<2.8
Permalink CVE-2025-53200
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed package gnomeExtensions.penguin-ai-chatbot 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress ChatBot plugin <= 6.7.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through 6.7.3.

References

Affected products

chatbot
  • =<6.7.3
Permalink CVE-2025-52799
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    16 packages
    • lms
    • flmsg
    • helmsman
    • lmstudio
    • python312Packages.calmsize
    • python313Packages.calmsize
    • python312Packages.dlms-cosem
    • python313Packages.dlms-cosem
    • python312Packages.llama-index-llms-ollama
    • python312Packages.llama-index-llms-openai
    • python313Packages.llama-index-llms-ollama
    • python313Packages.llama-index-llms-openai
    • python312Packages.llama-index-llms-openai-like
    • python313Packages.llama-index-llms-openai-like
    • python312Packages.llama-index-multi-modal-llms-openai
    • python313Packages.llama-index-multi-modal-llms-openai
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress LMS theme <= 9.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes LMS allows Reflected XSS. This issue affects LMS: from n/a through 9.1.

References

Affected products

lms
  • =<9.1