CVE-2025-66099
Severity: 5.3 MEDIUM (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) NONE; User interaction (UI) NONE; Scope (S) UNCHANGED; Confidentiality impact (C) LOW; Integrity impact (I) NONE; Availability impact (A) NONE
Created: 2 weeks, 1 day ago
Title: WordPress Chat Help plugin <= 3.1.3 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in ThemeAtelier Chat Help (chat-help) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chat Help: from n/a through <= 3.1.3.
Affected products: chat-help <= 3.1.3
Matching in nixpkgs:
  pkgs.aider-chat-with-help (AI pair programming in your terminal): nixos-unstable 0.85.2; nixos-unstable-small 0.85.2; nixpkgs-unstable 0.85.2
Package maintainers (2): @yzx9 Zexin Yuan <yuan.zx@outlook.com>; @happysalada Raphael Megzari <raphael@megzari.com>
CVE-2025-11934
Created: 2 weeks, 1 day ago
Title: Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify
Description: Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example, when a client sends ECDSA P521 as the supported signature algorithm, the server previously could respond with ECDSA P256 as the accepted signature algorithm, and the connection would continue using ECDSA P256 if the client supports ECDSA P256.
Affected products: wolfssl == v5.8.2; < 5.8.4
Matching in nixpkgs:
  pkgs.wolfssl (Small, fast, portable implementation of TLS/SSL for embedded devices): nixos-25.05 ???; nixos-25.05-small 5.8.2; nixos-unstable 5.7.6; nixos-unstable-small 5.8.2; nixpkgs-unstable 5.7.6
Package maintainers (2): @vifino Adrian Pistol <vifino@tty.sh>; @fabaff Fabian Affolter <mail@fabian-affolter.ch>
CVE-2024-8939
Severity: 6.2 MEDIUM (CVSS version 3.1)
Vector: Attack vector (AV) LOCAL; Attack complexity (AC) LOW; Privileges required (PR) NONE; User interaction (UI) NONE; Scope (S) UNCHANGED; Confidentiality impact (C) NONE; Integrity impact (I) NONE; Availability impact (A) HIGH
Created: 2 weeks, 1 day ago
Title: Vllm: denials of service in vllm json web api
Description: A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.
Affected products: vllm < 0.5.0.post1; rhelai1/bootc-nvidia-rhel9; rhelai1/instructlab-nvidia-rhel9
Matching in nixpkgs:
  pkgs.vllm (High-throughput and memory-efficient inference and serving engine for LLMs): nixos-25.05 ???; nixos-25.05-small 0.8.3; nixos-unstable 0.9.1; nixos-unstable-small 0.9.1; nixpkgs-unstable 0.9.0.1
  pkgs.python312Packages.vllm (High-throughput and memory-efficient inference and serving engine for LLMs): nixos-25.05 ???; nixos-25.05-small 0.8.3; nixos-unstable 0.9.0.1; nixos-unstable-small 0.9.1; nixpkgs-unstable 0.9.0.1
  pkgs.python313Packages.vllm (High-throughput and memory-efficient inference and serving engine for LLMs): nixos-25.05 ???; nixos-25.05-small 0.8.3; nixos-unstable 0.9.0.1; nixos-unstable-small 0.8.3; nixpkgs-unstable 0.8.3
Package maintainers (2): @happysalada Raphael Megzari <raphael@megzari.com>; @CertainLach Yaroslav Bolyukin <iam@lach.pw>
CVE-2024-8768
Severity: 7.5 HIGH (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) NONE; User interaction (UI) NONE; Scope (S) UNCHANGED; Confidentiality impact (C) NONE; Integrity impact (I) NONE; Availability impact (A) HIGH
Created: 2 weeks, 1 day ago
Title: Vllm: a completions api request with an empty prompt will crash the vllm api server.
Description: A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.
Affected products: vllm < 0.5.5; rhelai1/bootc-nvidia-rhel9; rhelai1/instructlab-nvidia-rhel9
Matching in nixpkgs:
  pkgs.vllm (High-throughput and memory-efficient inference and serving engine for LLMs): nixos-25.05 ???; nixos-25.05-small 0.8.3; nixos-unstable 0.9.1; nixos-unstable-small 0.9.1; nixpkgs-unstable 0.9.1
  pkgs.python312Packages.vllm (High-throughput and memory-efficient inference and serving engine for LLMs): nixos-25.05 ???; nixos-25.05-small 0.8.3; nixos-unstable 0.9.0.1; nixos-unstable-small 0.9.1; nixpkgs-unstable 0.9.0.1
  pkgs.python313Packages.vllm (High-throughput and memory-efficient inference and serving engine for LLMs): nixos-25.05 ???; nixos-25.05-small 0.8.3; nixos-unstable 0.8.3; nixos-unstable-small 0.8.3; nixpkgs-unstable 0.8.3
Package maintainers (2): @happysalada Raphael Megzari <raphael@megzari.com>; @CertainLach Yaroslav Bolyukin <iam@lach.pw>
CVE-2024-3154
Severity: 7.2 HIGH (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) HIGH; User interaction (UI) NONE; Scope (S) UNCHANGED; Confidentiality impact (C) HIGH; Integrity impact (I) HIGH; Availability impact (A) HIGH
Created: 2 weeks, 1 day ago
Title: Cri-o: arbitrary command injection via pod annotation
Description: A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
Affected products: cri-o == 1.28.5; == 1.27.6; == 1.28.6; == 1.29.4; == 1.27.5; == 1.30.0; *; == 1.29.3
Matching in nixpkgs:
  pkgs.cri-o (Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface): nixos-25.05 ???; nixos-25.05-small 1.32.4; nixos-unstable 1.33.2; nixos-unstable-small 1.33.2; nixpkgs-unstable 1.33.2
  pkgs.cri-o-unwrapped (Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface): nixos-25.05 ???; nixos-25.05-small 1.32.4; nixos-unstable 1.33.2; nixos-unstable-small 1.33.2; nixpkgs-unstable 1.33.2
Package maintainers (2): @vdemeester Vincent Demeester <vincent@sbr.pm>; @saschagrunert Sascha Grunert <mail@saschagrunert.de>
CVE-2025-64277
Severity: 5.3 MEDIUM (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) NONE; User interaction (UI) NONE; Scope (S) UNCHANGED; Confidentiality impact (C) NONE; Integrity impact (I) LOW; Availability impact (A) NONE
Created: 2 weeks, 1 day ago
Title: WordPress ChatBot plugin <= 7.3.9 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in QuantumCloud ChatBot (chatbot) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through <= 7.3.9.
Affected products: chatbot <= 7.3.9
Matching in nixpkgs:
  pkgs.gnomeExtensions.penguin-ai-chatbot (A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.): nixos-25.05 ???; nixos-25.05-small 22; nixos-unstable 22; nixos-unstable-small 22; nixpkgs-unstable 22
Package maintainers (1): @honnip Jung seungwoo <me@honnip.page>
CVE-2025-64259
Severity: 6.5 MEDIUM (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) NONE; User interaction (UI) NONE; Scope (S) UNCHANGED; Confidentiality impact (C) LOW; Integrity impact (I) LOW; Availability impact (A) NONE
Created: 2 weeks, 1 day ago
Title: WordPress Theater for WordPress plugin <= 0.18.8 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress (theatre) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.18.8.
Affected products: theatre <= 0.18.8
Matching in nixpkgs:
  pkgs.haskellPackages.theatre (Minimalistic actor library): nixos-unstable 1.0.0.2; nixos-unstable-small 1.0.0.2; nixpkgs-unstable 1.0.0.2
  pkgs.haskellPackages.theatre-dev (Minimalistic actor library experiments): nixos-25.05 ???; nixos-25.05-small 0.5.0.1; nixos-unstable 0.5.0.1; nixos-unstable-small 0.5.0.1; nixpkgs-unstable 0.5.0.1
CVE-2025-11060
Severity: 5.7 MEDIUM (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) LOW; User interaction (UI) REQUIRED; Scope (S) UNCHANGED; Confidentiality impact (C) HIGH; Integrity impact (I) NONE; Availability impact (A) NONE
Created: 2 weeks, 1 day ago
Title: Surrealdb: surrealdb is vulnerable to unauthorized data exposure via live query subscriptions
Description: A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.
Affected products: surrealdb < 3.3.0-alpha.7; < 2.3.8; < 2.1.9; < 2.2.8; openshift-service-mesh/istio-cni-rhel9; openshift-service-mesh/istio-pilot-rhel9; openshift-service-mesh/istio-proxyv2-rhel9; openshift-service-mesh/istio-rhel9-operator; openshift-service-mesh/istio-must-gather-rhel9; openshift-service-mesh/istio-sail-operator-bundle; openshift-service-mesh-tech-preview/istio-ztunnel-rhel9; openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9
Matching in nixpkgs:
  pkgs.surrealdb (Scalable, distributed, collaborative, document-graph database, for the realtime web): nixos-25.05 ???; nixos-25.05-small 2.3.2; nixos-unstable 2.3.2; nixos-unstable-small 2.3.7; nixpkgs-unstable 2.3.7
  pkgs.surrealdb-migrations (Awesome SurrealDB migration tool, with a user-friendly CLI and a versatile Rust library that enables seamless integration into any project): nixos-25.05 ???; nixos-25.05-small 2.2.2; nixos-unstable 2.2.2; nixos-unstable-small 2.3.0; nixpkgs-unstable 2.3.0
Package maintainers (3): @happysalada Raphael Megzari <raphael@megzari.com>; @sikmir Nikolay Korotkiy <sikmir@disroot.org>; @siriobalmelli Sirio Balmelli <sirio@b-ad.ch>
CVE-2025-54721
Severity: 7.1 HIGH (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) NONE; User interaction (UI) REQUIRED; Scope (S) CHANGED; Confidentiality impact (C) LOW; Integrity impact (I) LOW; Availability impact (A) LOW
Created: 2 weeks, 1 day ago
Title: WordPress Resca theme <= 3.0.2 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Resca (resca) allows Reflected XSS. This issue affects Resca: from n/a through <= 3.0.2.
Affected products: resca <= 3.0.2
Matching in nixpkgs:
  pkgs.jpegrescan (Losslessly shrink any JPEG file): nixos-25.05 ???; nixos-25.05-small 2019-03-27; nixos-unstable 2019-03-27; nixos-unstable-small 2019-03-27; nixpkgs-unstable 2019-03-27
Package maintainers (1): @RamKromberg Ram Kromberg <ramkromberg@mail.com>
CVE-2025-62035
Severity: 8.8 HIGH (CVSS version 3.1)
Vector: Attack vector (AV) NETWORK; Attack complexity (AC) LOW; Privileges required (PR) LOW; User interaction (UI) NONE; Scope (S) UNCHANGED; Confidentiality impact (C) HIGH; Integrity impact (I) HIGH; Availability impact (A) HIGH
Created: 2 weeks, 1 day ago
Title: WordPress Togo theme < 1.0.4 - PHP Object Injection vulnerability
Description: Deserialization of Untrusted Data vulnerability in uxper Togo (togo). This issue affects Togo: from n/a through < 1.0.4.
Affected products: togo < 1.0.4
Matching in nixpkgs:
  pkgs.gnomeExtensions.cryptogoldbitcoin-rate (It just shows the rate of crypto gold (bitcoin). The extension uses coingecko services.): nixos-25.05 ???; nixos-25.05-small 3; nixos-unstable 3; nixos-unstable-small 3; nixpkgs-unstable 3
Package maintainers (1): @honnip Jung seungwoo <me@honnip.page>