CVE-2025-22712
9.8 CRITICAL
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 9 hours ago

WordPress Typify theme <= 3.0.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion. This issue affects Typify: from n/a through <= 3.0.2.

Affected products
typify =<<= 3.0.2

Matching in nixpkgs
pkgs.cargo-typify
JSON Schema to Rust type converter
nixos-25.05 0.1.0, nixos-25.05-small 0.1.0, nixpkgs-25.05-darwin 0.1.0, nixos-25.11 0.1.0, nixos-25.11-small 0.1.0, nixpkgs-25.11-darwin 0.1.0, nixos-unstable 0.1.0, nixpkgs-unstable 0.1.0, nixos-unstable-small 0.1.0

Package maintainers: 1
@david-r-cox David Cox <david@integrated-reasoning.com>

CVE-2025-67928
9.8 CRITICAL
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 9 hours ago

WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection. This issue affects Automotive Listings: from n/a through <= 18.6.

Affected products
automotive =<<= 18.6

Matching in nixpkgs
pkgs.haskellPackages.automotive-cse
Automotive CSE emulation
nixos-25.05 0.1.8.0, nixos-25.05-small 0.1.8.0, nixpkgs-25.05-darwin 0.1.8.0, nixos-25.11 0.1.8.0, nixos-25.11-small 0.1.8.0, nixpkgs-25.11-darwin 0.1.8.0, nixos-unstable 0.1.8.0, nixpkgs-unstable 0.1.8.0, nixos-unstable-small 0.1.8.0

CVE-2025-14430
9.8 CRITICAL
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 9 hours ago

WordPress Brook - Agency Business Creative theme <= 2.8.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion. This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9.

Affected products
brook =<<= 2.8.9

Matching in nixpkgs
pkgs.brook
Cross-platform Proxy/VPN software
nixos-25.05 20240606, nixos-25.05-small 20240606, nixpkgs-25.05-darwin 20240606, nixos-25.11 20240606, nixos-25.11-small 20240606, nixpkgs-25.11-darwin 20240606, nixos-unstable 20240606, nixpkgs-unstable 20240606, nixos-unstable-small 20240606

Package maintainers: 1
@xrelkd xrelkd

CVE-2025-67921
9.8 CRITICAL
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 9 hours ago

WordPress Lobo theme < 2.8.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection. This issue affects Lobo: from n/a through < 2.8.6.

Affected products
lobo =<< 2.8.6

Matching in nixpkgs
pkgs.colobot
Real-time strategy game with programmable bots
nixos-25.05 0.2.2-alpha, nixos-25.05-small 0.2.2-alpha, nixpkgs-25.05-darwin 0.2.2-alpha, nixos-25.11 0.2.2-alpha, nixos-25.11-small 0.2.2-alpha, nixpkgs-25.11-darwin 0.2.2-alpha, nixos-unstable 0.2.2-alpha, nixpkgs-unstable 0.2.2-alpha, nixos-unstable-small 0.2.2-alpha

Package maintainers: 1
@freezeboy freezeboy

CVE-2025-15346
created 9 hours ago

wolfSSL Python library `CERT_REQUIRED` mode fails to enforce client certificate requirement

A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. The issue affects versions up to and including 5.8.2.

Affected products
wolfssl =<5.8.2

Matching in nixpkgs
pkgs.wolfssl
Small, fast, portable implementation of TLS/SSL for embedded devices
nixos-25.05 5.8.2, nixos-25.05-small 5.8.2, nixpkgs-25.05-darwin 5.8.2, nixos-25.11 5.8.2, nixos-25.11-small 5.8.2, nixpkgs-25.11-darwin 5.8.2, nixos-unstable 5.8.2, nixpkgs-unstable 5.8.2, nixos-unstable-small 5.8.2

Package maintainers: 2
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@vifino Adrian Pistol <vifino@tty.sh>

CVE-2025-69331
4.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE
created 9 hours ago

WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.19.

Affected products
theatre =<<= 0.19

Matching in nixpkgs
pkgs.haskellPackages.theatre-dev
Minimalistic actor library experiments
nixos-25.05 0.5.0.1, nixos-25.05-small 0.5.0.1, nixpkgs-25.05-darwin 0.5.0.1, nixos-25.11 0.5.0.1, nixos-25.11-small 0.5.0.1, nixpkgs-25.11-darwin 0.5.0.1, nixos-unstable 0.5.0.1, nixpkgs-unstable 0.5.0.1, nixos-unstable-small 0.5.0.1

CVE-2025-68985
9.8 CRITICAL
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 9 hours ago

WordPress Aora theme <= 1.3.15 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.

Affected products
aora =<<= 1.3.15

Matching in nixpkgs
pkgs.typstPackages.aoran
Helper to determine proper articles, like 'a or an
nixos-unstable -, nixos-unstable-small 0.1.0

pkgs.typstPackages.aoran_0_1_0
Helper to determine proper articles, like 'a or an
nixos-unstable 0.1.0, nixpkgs-unstable 0.1.0, nixos-unstable-small 0.1.0

Package maintainers: 1
@cherrypiejam Gongqi Huang

CVE-2025-69031
5.3 MEDIUM
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE
created 9 hours ago

WordPress Arcane theme <= 3.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arcane: from n/a through <= 3.6.6.

Affected products
arcane =<<= 3.6.6

Matching in nixpkgs
pkgs.arcanechat-tui
Lightweight Delta Chat client
nixos-25.05 0.11.1, nixos-25.05-small 0.11.1, nixpkgs-25.05-darwin 0.11.1, nixos-25.11 0.11.1, nixos-25.11-small 0.11.1, nixpkgs-25.11-darwin 0.11.1, nixos-unstable 0.11.1, nixpkgs-unstable 0.11.1, nixos-unstable-small 0.11.1

pkgs.deltachat-cursed
Lightweight Delta Chat client
nixos-unstable 0.11.1, nixpkgs-unstable 0.11.1, nixos-unstable-small 0.11.1

Package maintainers: 1
@dotlambda Robert Schütz <rschuetz17@gmail.com>

CVE-2025-14946
4.8 MEDIUM
CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW
created 9 hours ago

Libnbd: libnbd: arbitrary code execution via ssh argument injection through a malicious uri

A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.

Affected products
libnbd <1.23.9 <1.22.5
virt:rhel/libnbd
container-native-virtualization/virt-cdi-cloner
container-native-virtualization/virt-cdi-importer
container-native-virtualization/virt-cdi-operator
container-native-virtualization/virt-cdi-apiserver
container-native-virtualization/virt-cdi-controller
container-native-virtualization/virt-cdi-uploadproxy
container-native-virtualization/virt-cdi-cloner-rhel9
container-native-virtualization/virt-cdi-uploadserver
container-native-virtualization/virt-cdi-importer-rhel9
container-native-virtualization/virt-cdi-operator-rhel9
container-native-virtualization/virt-cdi-apiserver-rhel9
container-native-virtualization/virt-cdi-controller-rhel9
container-native-virtualization/virt-cdi-uploadproxy-rhel9
container-native-virtualization/virt-cdi-uploadserver-rhel9

Matching in nixpkgs
pkgs.libnbd
Network Block Device client library in userspace
nixos-25.05 1.22.1, nixos-25.05-small 1.22.1, nixpkgs-25.05-darwin 1.22.1, nixos-25.11 1.22.1, nixos-25.11-small 1.22.1, nixpkgs-25.11-darwin 1.22.1, nixos-unstable 1.22.1, nixpkgs-unstable 1.22.1, nixos-unstable-small 1.22.1

pkgs.ocamlPackages.nbd
Network Block Device client library in userspace
nixos-25.11 1.22.1, nixos-25.11-small 1.22.1, nixpkgs-25.11-darwin 1.22.1, nixos-unstable 1.22.1, nixpkgs-unstable 1.22.1, nixos-unstable-small 1.22.1

pkgs.python312Packages.libnbd
Network Block Device client library in userspace
nixos-25.05 1.22.1, nixos-25.05-small 1.22.1, nixpkgs-25.05-darwin 1.22.1, nixos-25.11 1.22.1, nixos-25.11-small 1.22.1, nixpkgs-25.11-darwin 1.22.1, nixos-unstable 1.22.1, nixpkgs-unstable 1.22.1, nixos-unstable-small 1.22.1

pkgs.python313Packages.libnbd
Network Block Device client library in userspace
nixos-25.05 1.22.1, nixos-25.05-small 1.22.1, nixpkgs-25.05-darwin 1.22.1, nixos-25.11 1.22.1, nixos-25.11-small 1.22.1, nixpkgs-25.11-darwin 1.22.1, nixos-unstable 1.22.1, nixpkgs-unstable 1.22.1, nixos-unstable-small 1.22.1

Package maintainers: 1
@akshatagarwl Akshat Agarwal <humancalico@disroot.org>

CVE-2025-53445
8.1 HIGH
CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH
created 9 hours ago

WordPress Catwalk theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catwalk catwalk allows PHP Local File Inclusion. This issue affects Catwalk: from n/a through <= 1.4.

Affected products
catwalk =<<= 1.4

Matching in nixpkgs
pkgs.catppuccin-catwalk
CLI for Catppuccin that takes in four showcase images and displays them all at once
nixos-25.05 1.3.2, nixos-25.05-small 1.3.2, nixpkgs-25.05-darwin 1.3.2, nixos-25.11 1.3.2, nixos-25.11-small 1.3.2, nixpkgs-25.11-darwin 1.3.2, nixos-unstable 1.3.2, nixpkgs-unstable 1.3.2, nixos-unstable-small 1.3.2

Package maintainers: 1
@ryanccn Ryan Cao <hello@ryanccn.dev>