Nixpkgs security tracker

Permalink CVE-2025-61663

4.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 3 months, 3 weeks ago

Grub2: missing unregister call for normal commands may lead to use-after-free

A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.

References

https://access.redhat.com/security/cve/CVE-2025-61663 vdb-entryx_refsource_REDHAT
RHBZ#2414684 issue-trackingx_refsource_REDHAT

Affected products

grub2

=<2.14

rhcos

Matching in nixpkgs

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

nixos-25.11 -
- nixpkgs-25.11-darwin

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

nixos-25.11 -
- nixpkgs-25.11-darwin

Package maintainers

@hehongbo Hongbo
@CertainLach Yaroslav Bolyukin <iam@lach.pw>
@digitalrane Rane <rane+git@junkyard.systems>
@SigmaSquadron Fernando Rodrigues <alpha@sigmasquadron.net>

Permalink CVE-2025-58933

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 4 months ago

WordPress Anubis theme <= 1.25 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Anubis anubis allows PHP Local File Inclusion.This issue affects Anubis: from n/a through <= 1.25.

References

Affected products

anubis

=<<= 1.25

Matching in nixpkgs

pkgs.anubis

Weighs the soul of incoming HTTP requests using proof-of-work to stop AI crawlers

nixos-unstable 1.21.3
- nixpkgs-unstable 1.21.3
- nixos-unstable-small 1.21.3
nixos-25.11 1.23.1
- nixpkgs-25.11-darwin 1.23.1

pkgs.anubis-xess

Xess files for Anubis

nixos-unstable 1.19.1
- nixpkgs-unstable 1.19.1
- nixos-unstable-small 1.19.1

Package maintainers

@knightpp Danylo Kondratiev <knightpp@proton.me>
@SigmaSquadron Fernando Rodrigues <alpha@sigmasquadron.net>
@soopyc Cassie Cheung <me@soopy.moe>
@ryand56 Ryan Omasta <git@ryand.ca>

Permalink CVE-2025-53443

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 months ago

WordPress Smash theme <= 1.7 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Smash smash allows PHP Local File Inclusion.This issue affects Smash: from n/a through <= 1.7.

References

Affected products

smash

=<<= 1.7

Matching in nixpkgs

pkgs.l-smash

MP4 container utilities

nixos-unstable 2.14.5
- nixpkgs-unstable 2.14.5
- nixos-unstable-small 2.14.5
nixos-25.11 2.14.5
- nixpkgs-25.11-darwin 2.14.5

pkgs.git-smash

Smash staged changes into previous commits to support your Git workflow, pull request and feature branch maintenance

nixos-unstable 0.1.1
- nixpkgs-unstable 0.1.1
- nixos-unstable-small 0.1.1
nixos-25.11 0.1.1
- nixpkgs-25.11-darwin 0.1.1

Package maintainers

@bcyran Bazyli Cyran <bazyli@cyran.dev>

Permalink CVE-2025-53439

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 months ago

WordPress Harper theme <= 1.13 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion.This issue affects Harper: from n/a through <= 1.13.

References

Affected products

harper

=<<= 1.13

Matching in nixpkgs

pkgs.harper

Grammar Checker for Developers

nixos-unstable 0.56.0
- nixpkgs-unstable 0.56.0
- nixos-unstable-small 0.56.0
nixos-25.11 0.71.0
- nixpkgs-25.11-darwin 0.71.0

pkgs.emacsPackages.sharper

None

nixos-unstable 20230129.1827
- nixpkgs-unstable 20230129.1827
- nixos-unstable-small 20230129.1827

pkgs.vscode-extensions.elijah-potter.harper

The grammar checker for developers as a Visual Studio Code extension

nixos-25.11 0.71.0
- nixpkgs-25.11-darwin 0.71.0

Package maintainers

@pbsds Peder Bergebakken Sundt <pbsds@hotmail.com>
@MasterEvarior MasterEvarior <nix-maintainer@giannin.ch>

Permalink CVE-2025-58947

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

created 4 months ago

WordPress Athos theme <= 1.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion.This issue affects Athos: from n/a through <= 1.9.

References

Affected products

athos

=<<= 1.9

Matching in nixpkgs

pkgs.python311Packages.pathos

Parallel graph management and execution in heterogeneous computing

nixos-unstable 0.3.3
- nixpkgs-unstable 0.3.3
- nixos-unstable-small 0.3.3

pkgs.python312Packages.pathos

Parallel graph management and execution in heterogeneous computing

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4
nixos-25.11 0.3.4
- nixpkgs-25.11-darwin 0.3.4

pkgs.python313Packages.pathos

Parallel graph management and execution in heterogeneous computing

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4
nixos-25.11 0.3.4
- nixpkgs-25.11-darwin 0.3.4

Permalink CVE-2025-53449

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 months ago

WordPress Convex theme <= 1.11 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion.This issue affects Convex: from n/a through <= 1.11.

References

Affected products

convex

=<<= 1.11

Matching in nixpkgs

pkgs.haskellPackages.convexHullNd

Convex hull

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0

Permalink CVE-2025-58929

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

created 4 months ago

WordPress Pantry theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion.This issue affects Pantry: from n/a through <= 1.4.

References

Affected products

pantry

=<<= 1.4

Matching in nixpkgs

pkgs.haskellPackages.pantry

Content addressable Haskell package management

nixos-unstable 0.10.1
- nixpkgs-unstable 0.10.1
- nixos-unstable-small 0.10.1
nixos-25.11 0.10.1
- nixpkgs-25.11-darwin 0.10.1

Permalink CVE-2025-58940

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

created 4 months ago

WordPress Basil theme <= 1.3.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion.This issue affects Basil: from n/a through <= 1.3.12.

References

Affected products

basil

=<<= 1.3.12

Matching in nixpkgs

pkgs.basilk

Terminal User Interface (TUI) to manage your tasks with minimal kanban logic

nixos-unstable 0.2.1
- nixpkgs-unstable 0.2.1
- nixos-unstable-small 0.2.1
nixos-25.11 0.2.1
- nixpkgs-25.11-darwin 0.2.1

pkgs.basiliskii

68k Macintosh emulator

nixos-unstable 2025-07-16
- nixpkgs-unstable 2025-07-16
- nixos-unstable-small 2025-07-16
nixos-25.11 2025-07-16
- nixpkgs-25.11-darwin 2025-07-16

pkgs.typstPackages.dmi-basilea-thesis

A thesis template for the dmi at the university of basel

nixos-25.11 0.1.1

pkgs.typstPackages.dmi-basilea-thesis_0_1_0

A thesis template for the dmi at the university of basel

nixos-25.11 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.typstPackages.dmi-basilea-thesis_0_1_1

A thesis template for the dmi at the university of basel

nixos-25.11 0.1.1
- nixpkgs-25.11-darwin 0.1.1

Package maintainers

@quag Jonathan Wright <quaggy@gmail.com>
@thtrf thtrf <thtrf@proton.me>
@cherrypiejam Gongqi Huang

Permalink CVE-2025-58949

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 4 months ago

WordPress Spock theme <= 1.17 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion.This issue affects Spock: from n/a through <= 1.17.

References

Affected products

spock

=<<= 1.17

Matching in nixpkgs

pkgs.chickenPackages_5.chickenEggs.spock

A compiler and runtime system for R5RS Scheme on top of JavaScript

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2
nixos-25.11 0.2
- nixpkgs-25.11-darwin 0.2

Permalink CVE-2025-60061

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 months ago

WordPress Kicker theme <= 2.2.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Kicker kicker allows PHP Local File Inclusion.This issue affects Kicker: from n/a through <= 2.2.0.

References

Affected products

kicker

=<<= 2.2.0

Matching in nixpkgs

pkgs.elfkickers

Collection of programs that access and manipulate ELF files

nixos-unstable 3.2
- nixpkgs-unstable 3.2
- nixos-unstable-small 3.2
nixos-25.11 3.2
- nixpkgs-25.11-darwin 3.2

Automatically generated suggestions

References

Affected products

Matching in nixpkgs

pkgs.grub2_pvgrub_image

pkgs.grub2_pvhgrub_image

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.anubis

pkgs.anubis-xess

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.l-smash

pkgs.git-smash

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.harper

pkgs.emacsPackages.sharper

pkgs.vscode-extensions.elijah-potter.harper

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python311Packages.pathos

pkgs.python312Packages.pathos

pkgs.python313Packages.pathos

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.convexHullNd

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.pantry

References

Affected products

Matching in nixpkgs

pkgs.basilk

pkgs.basiliskii

pkgs.typstPackages.dmi-basilea-thesis

pkgs.typstPackages.dmi-basilea-thesis_0_1_0

pkgs.typstPackages.dmi-basilea-thesis_0_1_1

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.chickenPackages_5.chickenEggs.spock

References

Affected products

Matching in nixpkgs

pkgs.elfkickers