Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1637

NIXPKGS-2026-1637
published on
Permalink CVE-2026-45772
0.0 NONE
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 week ago
  • @LeSuisse ignored
    31 packages
    • aws-workspaces
    • cargo-workspaces
    • hyprland-workspaces
    • turborepo-remote-cache
    • cosmic-workspaces-epoch
    • hyprland-workspaces-tui
    • xfce4-i3-workspaces-plugin
    • hyprland-autoname-workspaces
    • kdePackages.dynamic-workspaces
    • xfce.xfce4-i3-workspaces-plugin
    • gnomeExtensions.named-workspaces
    • gnomeExtensions.reorder-workspaces
    • gnomeExtensions.vertical-workspaces
    • haskellPackages.amazonka-workspaces
    • gnomeExtensions.workspaces-organizer
    • gnomeExtensions.simple-workspaces-bar
    • gnomeExtensions.vscode-workspaces-gnome
    • haskellPackages.amazonka-workspaces-web
    • python312Packages.mypy-boto3-workspaces
    • python313Packages.mypy-boto3-workspaces
    • python314Packages.mypy-boto3-workspaces
    • vscode-extensions.iciclesoft.workspacesort
    • python312Packages.mypy-boto3-workspaces-web
    • python313Packages.mypy-boto3-workspaces-web
    • python314Packages.mypy-boto3-workspaces-web
    • python312Packages.types-aiobotocore-workspaces
    • python313Packages.types-aiobotocore-workspaces
    • gnomeExtensions.workspaces-indicator-by-open-apps
    • python312Packages.types-aiobotocore-workspaces-web
    • python313Packages.types-aiobotocore-workspaces-web
    • gnomeExtensions.switch-workspaces-on-active-monitor
    1 week ago
  • @LeSuisse restored package aws-workspaces 1 week ago
  • @LeSuisse added
    2 maintainers
    • @getchoo
    • @Hythera
    1 week ago maintainer.add
  • @LeSuisse ignored
    2 maintainers
    • @mausch
    • @dylanmtaylor
    1 week ago maintainer.ignore
  • @LeSuisse ignored package aws-workspaces 1 week ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
Turborepo: Unexpected local code execution during Yarn Berry detection

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.

Affected products

codemod
  • ==>= 2.3.4, < 2.9.14
turborepo
  • ==>= 1.1.0, < 2.9.14
workspaces
  • ==>= 2.3.4, < 2.9.14
Ignored packages (31)

pkgs.cargo-workspaces

Tool for managing cargo workspaces and their crates, inspired by lerna

pkgs.turborepo-remote-cache

This project is an open-source implementation of the Turborepo custom remote cache server.

pkgs.gnomeExtensions.named-workspaces

Displays the current workspace name in the top panel with inline editing via double-click

  • nixos-unstable 3
    • nixpkgs-unstable 3
    • nixos-unstable-small 3

pkgs.gnomeExtensions.vertical-workspaces

V-Shell is designed to enhance and customize the user experience by providing flexible workspace orientations and a variety of interface adjustments, including application grid customization and productivity improvements.

  • nixos-unstable 108
    • nixpkgs-unstable 108
    • nixos-unstable-small 108
  • nixos-25.11 100
    • nixos-25.11-small 100
    • nixpkgs-25.11-darwin 100

pkgs.gnomeExtensions.workspaces-organizer

Horizontal workspaces indicator, shows opened apps icons in each workspace, and give you the ability to switch to another workspace by just scrolling over it and move opened windows to a another workspace buy just dragging them to that workspace. Fork of Workspace Indicator by fmuellner. To check for updates and report issues, and see the doccumentation, please visit the extension's GitHub page: https://github.com/giantturtle/workspaces-organizer-workspaces-organizer.giantturtle.github.com

  • nixos-unstable 5
    • nixpkgs-unstable 5
    • nixos-unstable-small 5
  • nixos-25.11 5
    • nixos-25.11-small 5
    • nixpkgs-25.11-darwin 5

pkgs.gnomeExtensions.simple-workspaces-bar

Replace 'Activities' button by all current workspaces buttons. Switch workspace or toggle overview by clicking on these buttons.

  • nixos-unstable 8
    • nixpkgs-unstable 8
    • nixos-unstable-small 8
  • nixos-25.11 8
    • nixos-25.11-small 8
    • nixpkgs-25.11-darwin 8

pkgs.gnomeExtensions.vscode-workspaces-gnome

A VSCode/Codium Workspace management tool-set for GNOME - This extension is not affiliated, funded, or in any way associated with Microsoft and vscode software.

  • nixos-unstable 16
    • nixpkgs-unstable 16
    • nixos-unstable-small 16
  • nixos-25.11 16
    • nixos-25.11-small 16
    • nixpkgs-25.11-darwin 16

pkgs.gnomeExtensions.switch-workspaces-on-active-monitor

Simulates switching the workspace on the active monitor only. Ctrl+Alt+q switches to the previous workspace, Ctrl+Alt+a switches to the next

  • nixos-unstable 28
    • nixpkgs-unstable 28
    • nixos-unstable-small 28
  • nixos-25.11 28
    • nixos-25.11-small 28
    • nixpkgs-25.11-darwin 28

Package maintainers

Additional maintainers