Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2025-52833
9.3 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    16 packages
    • lms
    • flmsg
    • helmsman
    • lmstudio
    • python312Packages.calmsize
    • python313Packages.calmsize
    • python312Packages.dlms-cosem
    • python313Packages.dlms-cosem
    • python312Packages.llama-index-llms-ollama
    • python312Packages.llama-index-llms-openai
    • python313Packages.llama-index-llms-ollama
    • python313Packages.llama-index-llms-openai
    • python312Packages.llama-index-llms-openai-like
    • python313Packages.llama-index-llms-openai-like
    • python312Packages.llama-index-multi-modal-llms-openai
    • python313Packages.llama-index-multi-modal-llms-openai
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress LMS <= 9.1 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1.

References

Affected products

lms
  • =<9.1
Permalink CVE-2025-52718
7.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    8 packages
    • selendroid
    • stalonetray
    • art-standalone
    • argp-standalone
    • cbqn-standalone
    • htmlunit-driver
    • cbqn-standalone-replxx
    • selenium-server-standalone
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Alone <= 7.8.2 - Arbitrary Code Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2.

References

Affected products

alone
  • =<7.8.2
Permalink CVE-2025-6505
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    45 packages
    • perlPackages.NetServer
    • perl538Packages.NetServer
    • perl540Packages.NetServer
    • perlPackages.NetLDAPServer
    • perlPackages.NetServerCoro
    • perlPackages.ServerStarter
    • perl538Packages.NetLDAPServer
    • perl538Packages.NetServerCoro
    • perl538Packages.ServerStarter
    • perl540Packages.NetLDAPServer
    • perl540Packages.NetServerCoro
    • perl540Packages.ServerStarter
    • perlPackages.HTTPServerSimple
    • perlPackages.NetLDAPServerTest
    • perlPackages.NetAsyncHTTPServer
    • perlPackages.NetServerSSPrefork
    • perlPackages.PerlLanguageServer
    • perl538Packages.HTTPServerSimple
    • perl540Packages.HTTPServerSimple
    • perl538Packages.NetLDAPServerTest
    • perl540Packages.NetLDAPServerTest
    • perlPackages.HTTPServerSimplePSGI
    • perlPackages.TestHTTPServerSimple
    • perl538Packages.NetAsyncHTTPServer
    • perl538Packages.NetServerSSPrefork
    • perl538Packages.PerlLanguageServer
    • perl540Packages.NetAsyncHTTPServer
    • perl540Packages.NetServerSSPrefork
    • perl540Packages.PerlLanguageServer
    • perlPackages.HTTPServerSimpleMason
    • perlPackages.HTTPServerSimpleAuthen
    • perl538Packages.HTTPServerSimplePSGI
    • perl538Packages.TestHTTPServerSimple
    • perl538Packages.HTTPServerSimpleAuthen
    • perl540Packages.HTTPServerSimpleMason
    • perl538Packages.HTTPServerSimpleMason
    • perlPackages.PlackTestExternalServer
    • perl540Packages.TestHTTPServerSimple
    • perl540Packages.HTTPServerSimplePSGI
    • perl540Packages.HTTPServerSimpleAuthen
    • perl538Packages.PlackTestExternalServer
    • perl540Packages.PlackTestExternalServer
    • perlPackages.CatalystXScriptServerStarman
    • perl538Packages.CatalystXScriptServerStarman
    • perl540Packages.CatalystXScriptServerStarman
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and …

Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.  When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.

References

Affected products

Server
  • =<4.6.2.3226
Permalink CVE-2025-47444
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed package filegive 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure

Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1.

References

Affected products

give
  • <4.6.1
Permalink CVE-2025-54689
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    30 packages
    • furnace
    • xournalpp
    • journalist
    • lazyjournal
    • qjournalctl
    • tui-journal
    • journalwatch
    • annapurna-sil
    • journaldriver
    • systemd-journal2gelf
    • kdePackages.kjournald
    • perlPackages.LogJournald
    • perl538Packages.LogJournald
    • perl540Packages.LogJournald
    • python312Packages.swh-journal
    • python313Packages.swh-journal
    • python312Packages.waterfurnace
    • python313Packages.waterfurnace
    • haskellPackages.journalctl-stream
    • haskellPackages.libsystemd-journal
    • python312Packages.logging-journald
    • python313Packages.logging-journald
    • haskellPackages.logging-facade-journald
    • typstPackages.starter-journal-article_0_1_1
    • typstPackages.starter-journal-article_0_2_0
    • typstPackages.starter-journal-article_0_3_0
    • typstPackages.starter-journal-article_0_3_1
    • typstPackages.starter-journal-article_0_3_2
    • typstPackages.starter-journal-article_0_3_3
    • typstPackages.starter-journal-article_0_4_0
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Urna Theme <= 2.5.7 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7.

References

Affected products

urna
  • =<2.5.7
Permalink CVE-2025-54671
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed package libvoikko 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress oik Plugin plugin <= 4.15.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2.

References

Affected products

oik
  • =<4.15.2
Permalink CVE-2025-54019
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    8 packages
    • selendroid
    • stalonetray
    • art-standalone
    • argp-standalone
    • cbqn-standalone
    • htmlunit-driver
    • cbqn-standalone-replxx
    • selenium-server-standalone
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.

References

Affected products

alone
  • <7.8.5
Permalink CVE-2025-54670
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed package libvoikko 4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.

References

Affected products

oik
  • =<4.15.2
Permalink CVE-2025-57890
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    3 packages
    • haskellPackages.simple-sessions
    • python312Packages.langchain-azure-dynamic-sessions
    • python313Packages.langchain-azure-dynamic-sessions
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Sessions Plugin <= 3.2.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy Sessions allows Stored XSS. This issue affects Sessions: from n/a through 3.2.0.

References

Affected products

sessions
  • =<3.2.0
Permalink CVE-2025-58209
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 6 months ago
  • @LeSuisse removed
    5 packages
    • haskellPackages.amazonka-elastictranscoder
    • python312Packages.mypy-boto3-elastictranscoder
    • python313Packages.mypy-boto3-elastictranscoder
    • python312Packages.types-aiobotocore-elastictranscoder
    • python313Packages.types-aiobotocore-elastictranscoder
    4 months, 2 weeks ago
  • @LeSuisse dismissed 4 months, 2 weeks ago
WordPress Transcoder Plugin <= 1.4.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtCamp Transcoder allows Stored XSS. This issue affects Transcoder: from n/a through 1.4.0.

References

Affected products

transcoder
  • =<1.4.0