Automatically generated suggestions

CVE-2025-49795
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 4 months, 1 week ago
Libxml: null pointer dereference leads to denial of service (dos)

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

libxml2
*

pkgs.libxml2.x86_64-linux

XML parsing library for C

pkgs.libxml2.aarch64-linux

XML parsing library for C

pkgs.libxml2.x86_64-darwin

XML parsing library for C

pkgs.libxml2.aarch64-darwin

XML parsing library for C

pkgs.python311Packages.libxml2

XML parsing library for C

pkgs.libxml2Python.x86_64-linux

pkgs.libxml2Python.aarch64-linux

pkgs.libxml2Python.x86_64-darwin

pkgs.libxml2Python.aarch64-darwin

pkgs.python312Packages.libxml2.x86_64-linux

XML parsing library for C

pkgs.python312Packages.libxml2.aarch64-linux

XML parsing library for C

pkgs.python312Packages.libxml2.x86_64-darwin

XML parsing library for C

pkgs.python312Packages.libxml2.aarch64-darwin

XML parsing library for C

pkgs.tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"

Test whether libxml2-2.13.8 exposes pkg-config modules libxml-2.0
Package maintainers: 6
CVE-2025-6052
3.7 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 4 months, 1 week ago
Glib: integer overflow in g_string_maybe_expand() leading to potential buffer overflow in glib gstring

A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.

bootc
glib2
loupe
librsvg2
rpm-ostree
mingw-glib2
glycin-loaders

pkgs.loupe

Simple image viewer application written with GTK4 and Rust

pkgs.rpm-ostree

Hybrid image/package system. It uses OSTree as an image format, and uses RPM as a component model

pkgs.systemd-bootchart

Boot performance graphing tool from systemd

pkgs.loupe.x86_64-linux

Simple image viewer application written with GTK4 and Rust

pkgs.loupe.aarch64-linux

Simple image viewer application written with GTK4 and Rust

pkgs.rpm-ostree.x86_64-linux

Hybrid image/package system. It uses OSTree as an image format, and uses RPM as a component model

pkgs.rpm-ostree.aarch64-linux

Hybrid image/package system. It uses OSTree as an image format, and uses RPM as a component model

pkgs.rubyPackages_3_1.glib2.x86_64-linux

pkgs.rubyPackages_3_2.glib2.x86_64-linux

pkgs.rubyPackages_3_3.glib2.x86_64-linux

pkgs.rubyPackages_3_4.glib2.x86_64-linux

pkgs.rubyPackages_3_1.glib2.aarch64-linux

pkgs.rubyPackages_3_1.glib2.x86_64-darwin

pkgs.rubyPackages_3_2.glib2.aarch64-linux

pkgs.rubyPackages_3_2.glib2.x86_64-darwin

pkgs.rubyPackages_3_3.glib2.aarch64-linux

pkgs.rubyPackages_3_3.glib2.x86_64-darwin

pkgs.rubyPackages_3_4.glib2.aarch64-linux

pkgs.rubyPackages_3_4.glib2.x86_64-darwin

pkgs.rubyPackages_3_1.glib2.aarch64-darwin

pkgs.rubyPackages_3_2.glib2.aarch64-darwin

pkgs.rubyPackages_3_3.glib2.aarch64-darwin

pkgs.rubyPackages_3_4.glib2.aarch64-darwin

Package maintainers: 10
CVE-2025-6021
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 4 months, 1 week ago
Libxml2: integer overflow in xmlbuildqname() leads to stack buffer overflow in libxml2

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

rhcos
*
libxml2
*
<2.14.4
registry.redhat.io/discovery/discovery-server-rhel9
*
registry.redhat.io/insights-proxy/insights-proxy-container-rhel9
*

pkgs.libxml2.x86_64-linux

XML parsing library for C

pkgs.libxml2.aarch64-linux

XML parsing library for C

pkgs.libxml2.x86_64-darwin

XML parsing library for C

pkgs.libxml2.aarch64-darwin

XML parsing library for C

pkgs.python311Packages.libxml2

XML parsing library for C

pkgs.libxml2Python.x86_64-linux

pkgs.libxml2Python.aarch64-linux

pkgs.libxml2Python.x86_64-darwin

pkgs.libxml2Python.aarch64-darwin

pkgs.python312Packages.libxml2.x86_64-linux

XML parsing library for C

pkgs.python312Packages.libxml2.aarch64-linux

XML parsing library for C

pkgs.python312Packages.libxml2.x86_64-darwin

XML parsing library for C

pkgs.python312Packages.libxml2.aarch64-darwin

XML parsing library for C
Package maintainers: 1
CVE-2025-40914
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow

Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow. CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.

CryptX
=<0.086
CVE-2025-40912
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode

CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode. CryptX embeds the tomcrypt library. The versions of that library in CryptX before 0.065 may be susceptible to CVE-2019-17362.

CryptX
<0.065
CVE-2025-49075
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 4 months, 2 weeks ago by @06kellyjac Activity log
  • Created automatic suggestion
  • @06kellyjac accepted as draft
  • @06kellyjac marked as untriaged
WordPress Wishlist plugin <= 1.0.43 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Stored XSS. This issue affects Wishlist: from n/a through 1.0.43.

wishlist
=<1.0.43
Package maintainers: 2
CVE-2025-5914
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 4 months, 2 weeks ago
Libarchive: double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

rhcos
libarchive
*
<3.8.0
web-terminal/web-terminal-tooling-rhel9
*
web-terminal/web-terminal-rhel9-operator
*
registry.redhat.io/rhosdt/jaeger-agent-rhel8
*
registry.redhat.io/rhosdt/jaeger-query-rhel8
*
registry.redhat.io/rhosdt/jaeger-ingester-rhel8
*
registry.redhat.io/rhosdt/jaeger-rhel8-operator
*
registry.redhat.io/rhosdt/jaeger-collector-rhel8
*
registry.redhat.io/rhosdt/jaeger-operator-bundle
*
registry.redhat.io/rhosdt/jaeger-all-in-one-rhel8
*
registry.redhat.io/rhosdt/jaeger-es-rollover-rhel8
*
registry.redhat.io/discovery/discovery-server-rhel9
*
registry.redhat.io/rhosdt/jaeger-es-index-cleaner-rhel8
*
registry.redhat.io/insights-proxy/insights-proxy-container-rhel9
*
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9
*
registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator
*
registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9
*
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9
*
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9
*
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
*
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9
*

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

pkgs.python311Packages.libarchive-c

Python interface to libarchive

pkgs.python312Packages.libarchive-c

Python interface to libarchive

pkgs.python313Packages.libarchive-c

Python interface to libarchive

pkgs.haskellPackages.libarchive.x86_64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.aarch64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.x86_64-darwin

Haskell interface to libarchive

pkgs.python311Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.haskellPackages.libarchive.aarch64-darwin

Haskell interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-darwin

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-darwin

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit.x86_64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.x86_64-darwin

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-darwin

Read many archive formats with libarchive and conduit
Package maintainers: 10
CVE-2025-31638
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 4 months, 2 weeks ago
WordPress Spare <= 1.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.

spare
=<1.7

pkgs.asciiquarium-transparent

Aquarium/sea animation in ASCII art (with option of transparent background)

pkgs.gnomeExtensions.transparent-top-bar

Bring back the transparent top bar when free-floating in GNOME Shell 3.32.
  • nixos-25.05 24
    • nixpkgs-25.05-darwin 24
    • nixos-25.05-small 24
  • nixos-unstable 23
    • nixos-unstable-small 23
    • nixpkgs-unstable 24

pkgs.vimPlugins.transparent-nvim.x86_64-linux

pkgs.gnomeExtensions.transparent-window-moving

Makes the window semi-transparent when moving or resizing
  • nixos-25.05 19
    • nixpkgs-25.05-darwin 19
    • nixos-25.05-small 19
  • nixos-unstable 18
    • nixos-unstable-small 18
    • nixpkgs-unstable 18

pkgs.vimPlugins.transparent-nvim.aarch64-linux

pkgs.vimPlugins.transparent-nvim.x86_64-darwin

pkgs.vimPlugins.transparent-nvim.aarch64-darwin

pkgs.gnomeExtensions.transparent-top-bar-adjustable-transparency

Fork of: https://github.com/zhanghai/gnome-shell-extension-transparent-top-bar
  • nixos-25.05 24
    • nixpkgs-25.05-darwin 24
    • nixos-25.05-small 24
  • nixos-unstable 21
    • nixos-unstable-small 21
    • nixpkgs-unstable 24
Package maintainers: 4
CVE-2025-39476
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
WordPress Revo theme <= 4.0.26 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Revo allows PHP Local File Inclusion. This issue affects Revo: from n/a through 4.0.26.

revo
=<4.0.26

pkgs.prevo

offline version of the Esperanto dictionary Reta Vortaro

pkgs.prevo-tools

CLI tools for the offline version of the Esperanto dictionary Reta Vortaro

pkgs.python311Packages.pyrevolve

Python library to manage checkpointing for adjoints

pkgs.python312Packages.pyrevolve

Python library to manage checkpointing for adjoints

pkgs.revolt-desktop.x86_64-linux

Open source user-first chat platform

pkgs.revolt-desktop.aarch64-linux

Open source user-first chat platform

pkgs.revolt-desktop.x86_64-darwin

Open source user-first chat platform

pkgs.revolt-desktop.aarch64-darwin

Open source user-first chat platform

pkgs.python312Packages.brevo-python

Fully-featured Python API client to interact with Brevo

pkgs.python313Packages.brevo-python

Fully-featured Python API client to interact with Brevo
Package maintainers: 8
CVE-2025-28945
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 4 months, 2 weeks ago
WordPress Valen - Sport, Fashion WooCommerce WordPress Theme <= 2.4 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Valen - Sport, Fashion WooCommerce WordPress Theme: from n/a through 2.4.

valen
=<2.4

pkgs.haskellPackages.equivalence

Maintaining an equivalence relation implemented as union-find using STT

pkgs.sbclPackages.cl-prevalence.x86_64-linux

pkgs.haskellPackages.equivalence.x86_64-linux

Maintaining an equivalence relation implemented as union-find using STT

pkgs.sbclPackages.cl-prevalence.aarch64-linux

pkgs.sbclPackages.cl-prevalence.x86_64-darwin

pkgs.haskellPackages.equivalence.aarch64-linux

Maintaining an equivalence relation implemented as union-find using STT

pkgs.haskellPackages.equivalence.x86_64-darwin

Maintaining an equivalence relation implemented as union-find using STT

pkgs.sbclPackages.cl-prevalence.aarch64-darwin

pkgs.haskellPackages.equivalence.aarch64-darwin

Maintaining an equivalence relation implemented as union-find using STT

pkgs.vscode-extensions.valentjn.vscode-ltex.x86_64-linux

pkgs.vscode-extensions.valentjn.vscode-ltex.aarch64-linux

pkgs.vscode-extensions.valentjn.vscode-ltex.x86_64-darwin

pkgs.vscode-extensions.valentjn.vscode-ltex.aarch64-darwin

Package maintainers: 7