Nixpkgs security tracker

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-0129
published on
Permalink CVE-2026-1861
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse ignored
    28 packages
    • chromedriver
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Heap buffer overflow in libvpx in Google Chrome prior to …

Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <144.0.7559.132

Matching in nixpkgs

Ignored packages (28)

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

  • nixos-unstable 2.0.2
    • nixpkgs-unstable 2.0.2
    • nixos-unstable-small 2.0.2
  • nixos-25.11 -
    • nixos-25.11-small 2.0.2
    • nixpkgs-25.11-darwin 2.0.2

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

  • nixos-unstable 0.3.4
    • nixpkgs-unstable 0.3.4
    • nixos-unstable-small 0.3.4
  • nixos-25.11 -
    • nixos-25.11-small 0.3.4
    • nixpkgs-25.11-darwin 0.3.4

pkgs.xf86videoopenchrome

VIA Technologies UniChrome and Chrome9 IGP video driver for the Xorg X server

  • nixos-unstable -

pkgs.chrome-token-signing

Chrome and Firefox extension for signing with your eID on the web

  • nixos-unstable 1.1.5
    • nixpkgs-unstable 1.1.5
    • nixos-unstable-small 1.1.5
  • nixos-25.11 -
    • nixos-25.11-small 1.1.5
    • nixpkgs-25.11-darwin 1.1.5

Package maintainers

https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
NIXPKGS-2026-0094
published on
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse ignored
    9 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Wagtail has improper permission handling on admin preview endpoints

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.

Affected products

wagtail
  • = 7.3rc1
  • >= 6.4rc1, < 7.0.4
  • >= 7.1rc1, < 7.1.3
  • >= 7.2rc1, < 7.2.2
  • < 6.3.6

Matching in nixpkgs

pkgs.python312Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-25.11 7.2
    • nixos-25.11-small 7.2
    • nixpkgs-25.11-darwin 7.2

Package maintainers

Upstream advisory: https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348
NIXPKGS-2026-0093
published on
Permalink CVE-2026-25121
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.

Affected products

apko
  • >= 0.14.8, < 1.1.1

Matching in nixpkgs

pkgs.apko

Build OCI images using APK directly without Dockerfile

Package maintainers

Upstream advisory: https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw
Upstream patch: https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14
NIXPKGS-2026-0092
published on
Permalink CVE-2026-24843
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse ignored
    6 packages
    • ocamlPackages.melange
    • ocamlPackages.melange-json
    • ocamlPackages.melange-json-native
    • ocamlPackages_latest.melange
    • ocamlPackages_latest.melange-json
    • ocamlPackages_latest.melange-json-native
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
melange QEMU runner could write files outside workspace directory

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.

Affected products

melange
  • >= 0.11.3, < 0.40.3

Matching in nixpkgs

Ignored packages (6)

Package maintainers

Upstream advisory: https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4
Upstream patch: https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b
NIXPKGS-2026-0128
published on
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Stored XSS through edit summaries in MW Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

NIXPKGS-2026-0122
published on
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Stored i18n XSS exposed by security patch for T402077

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2.

Affected products

MediaWiki
  • <1.39.15, 1.43.5, 1.44.2

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

NIXPKGS-2026-0127
published on
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Importing leaks IP address of importer via EventStreams

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.44.3, 1.45.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers

NIXPKGS-2026-0108
published on
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse ignored
    7 packages
    • neo4j-desktop
    • pkgsRocm.python3Packages.llama-index-graph-stores-neo4j
    • python313Packages.llama-index-graph-stores-neo4j
    • python312Packages.llama-index-graph-stores-neo4j
    • python313Packages.neo4j
    • python312Packages.neo4j
    • python314Packages.neo4j
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Unredacted data exposure in query.log

Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.

Affected products

neo4j
  • <4.4.48
  • <5.26.21
  • <2026.01.3
Enterprise Edition
  • <4.4.48
  • <5.26.21
  • <2026.01.3

Matching in nixpkgs

Ignored packages (7)

Package maintainers

Upstream advisory: https://neo4j.com/security/CVE-2026-1622/
NIXPKGS-2026-0126
published on
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse ignored
    6 packages
    • claude-code-acp
    • claude-code-bin
    • gnomeExtensions.claude-code-switcher
    • vscode-extensions.anthropic.claude-code
    • gnomeExtensions.claude-code-usage-indicator
    • claude-code-router
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Claude Code has a Command Injection in find Command Bypasses User Approval Prompt

Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72.

Affected products

claude-code
  • < 2.0.72

Matching in nixpkgs

pkgs.claude-code

An agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

Ignored packages (6)

pkgs.claude-code-bin

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

pkgs.claude-code-router

Tool to route Claude Code requests to different models and customize any request

  • nixos-unstable 2.0.0
    • nixpkgs-unstable 2.0.0
    • nixos-unstable-small 2.0.0
  • nixos-25.11 -

pkgs.gnomeExtensions.claude-code-switcher

A GNOME shell extension for quickly switching Claude Code API providers with enhanced performance and reliability.

  • nixos-unstable 13
    • nixpkgs-unstable 13
    • nixos-unstable-small 13
  • nixos-25.11 -
    • nixos-25.11-small 13
    • nixpkgs-25.11-darwin 13

pkgs.gnomeExtensions.claude-code-usage-indicator

Shows remaining time and usage percentage for Claude Code sessions in the top panel. Displays format like '3h 12m (30%)' showing both time remaining and percentage consumed. Automatically refreshes every 5 minutes.

  • nixos-unstable 3
    • nixpkgs-unstable 3
    • nixos-unstable-small 3
  • nixos-25.11 -
    • nixos-25.11-small 3
    • nixpkgs-25.11-darwin 3

Package maintainers

Upstream advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w
NIXPKGS-2026-0125
published on
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Action API xslt option allows JavaScript execution by administrators who are not interface administrators

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

Affected products

MediaWiki
  • <1.39.16, 1.43.6, 1.44.3, 1.45.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

Package maintainers