CVE-2025-69031
5.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): NONE; User interaction (UI): NONE; Scope (S): UNCHANGED; Confidentiality impact (C): NONE; Integrity impact (I): LOW; Availability impact (A): NONE
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 21 hours ago
@LeSuisse removed 2 packages (arcanechat-tui, deltachat-cursed) 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Arcane theme <= 3.6.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arcane: from n/a through <= 3.6.6.
Affected products
arcane <= 3.6.6
Matching in nixpkgs
Package maintainers: 1
@dotlambda Robert Schütz <rschuetz17@gmail.com>

CVE-2025-68985
9.8 CRITICAL
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): NONE; User interaction (UI): NONE; Scope (S): UNCHANGED; Confidentiality impact (C): HIGH; Integrity impact (I): HIGH; Availability impact (A): HIGH
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 21 hours ago
@LeSuisse removed 2 packages (typstPackages.aoran, typstPackages.aoran_0_1_0) 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Aora theme <= 1.3.15 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.
Affected products
aora <= 1.3.15
Matching in nixpkgs
Package maintainers: 1
@cherrypiejam Gongqi Huang

CVE-2025-69331
4.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): LOW; User interaction (UI): NONE; Scope (S): UNCHANGED; Confidentiality impact (C): NONE; Integrity impact (I): LOW; Availability impact (A): NONE
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 20 hours ago
@LeSuisse removed package haskellPackages.theatre-dev 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.19.
Affected products
theatre <= 0.19
Matching in nixpkgs

CVE-2025-63070
4.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): LOW; User interaction (UI): NONE; Scope (S): UNCHANGED; Confidentiality impact (C): LOW; Integrity impact (I): NONE; Availability impact (A): NONE
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 23 hours ago
@LeSuisse removed package lomiri.lomiri-download-manager 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32.
Affected products
download-manager <= 3.3.32
Matching in nixpkgs
Package maintainers: 1
@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>

CVE-2025-62103
4.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): NONE; User interaction (UI): REQUIRED; Scope (S): UNCHANGED; Confidentiality impact (C): LOW; Integrity impact (I): NONE; Availability impact (A): NONE
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 23 hours ago
@LeSuisse removed package media-downloader 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Media Library File Download plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download media-download allows Cross Site Request Forgery. This issue affects Media Library File Download: from n/a through <= 1.4.
Affected products
media-download <= 1.4
Matching in nixpkgs
Package maintainers: 2
@Aleksanaa Aleksana QwQ <me@aleksana.moe>
@zendo zendo <linzway@qq.com>

CVE-2025-66533
7.8 HIGH
CVSS version: 3.1
Attack vector (AV): LOCAL; Attack complexity (AC): LOW; Privileges required (PR): LOW; User interaction (UI): NONE; Scope (S): UNCHANGED; Confidentiality impact (C): HIGH; Integrity impact (I): HIGH; Availability impact (A): HIGH
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 23 hours ago
@LeSuisse removed package filegive 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress GiveWP plugin <= 4.13.1 - Arbitrary Shortcode Execution vulnerability
Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1.
Affected products
give <= 4.13.1
Matching in nixpkgs

CVE-2025-67549
6.5 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): LOW; User interaction (UI): REQUIRED; Scope (S): CHANGED; Confidentiality impact (C): LOW; Integrity impact (I): LOW; Availability impact (A): LOW
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 23 hours ago
@LeSuisse removed 2 packages (libvoikko, voikko-fi) 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress oik plugin <= 4.15.3 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS. This issue affects oik: from n/a through <= 4.15.3.
Affected products
oik <= 4.15.3
Matching in nixpkgs
Package maintainers: 2
@Lurkki14 Jussi Kuokkanen <jussi.kuokkanen@protonmail.com>
@lajp Luukas Pörtfors <lajp@iki.fi>

CVE-2025-60042
8.1 HIGH
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): NONE; User interaction (UI): REQUIRED; Scope (S): UNCHANGED; Confidentiality impact (C): HIGH; Integrity impact (I): HIGH; Availability impact (A): NONE
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 21 hours ago
@LeSuisse removed package vscode-extensions.chrischinchilla.vscode-pandoc 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Chinchilla theme <= 1.16 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion. This issue affects Chinchilla: from n/a through <= 1.16.
Affected products
chinchilla <= 1.16
Matching in nixpkgs
Package maintainers: 1
@Pandapip1 Gavin John <gavinnjohn@gmail.com>

CVE-2025-53439
8.1 HIGH
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): HIGH; Privileges required (PR): NONE; User interaction (UI): NONE; Scope (S): UNCHANGED; Confidentiality impact (C): HIGH; Integrity impact (I): HIGH; Availability impact (A): HIGH
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 21 hours ago
@LeSuisse removed 2 packages (vscode-extensions.elijah-potter.harper, harper) 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Harper theme <= 1.13 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion. This issue affects Harper: from n/a through <= 1.13.
Affected products
harper <= 1.13
Matching in nixpkgs
Package maintainers: 4
@pbsds Peder Bergebakken Sundt <pbsds@hotmail.com>
@sumnerevans Sumner Evans <me@sumnerevans.com>
@ddogfoodd Jost Alemann
@MasterEvarior MasterEvarior <nix-maintainer@giannin.ch>

CVE-2025-58949
8.1 HIGH
CVSS version: 3.1
Attack vector (AV): NETWORK; Attack complexity (AC): LOW; Privileges required (PR): NONE; User interaction (UI): REQUIRED; Scope (S): UNCHANGED; Confidentiality impact (C): HIGH; Integrity impact (I): HIGH; Availability impact (A): NONE
updated 3 days, 6 hours ago by @LeSuisse
Activity log
Created automatic suggestion 3 days, 21 hours ago
@LeSuisse removed package chickenPackages_5.chickenEggs.spock 3 days, 6 hours ago
@LeSuisse dismissed 3 days, 6 hours ago
WordPress Spock theme <= 1.17 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion. This issue affects Spock: from n/a through <= 1.17.
Affected products
spock <= 1.17
Matching in nixpkgs