Nixpkgs Security Tracker

Untriaged

Permalink CVE-2026-27190

created 20 hours ago

Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

Affected products

deno

==< 2.6.8

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.6.9
- nixpkgs-unstable 2.6.8
- nixos-unstable-small 2.6.9
nixos-25.11 2.5.6
- nixos-25.11-small 2.5.6
- nixpkgs-25.11-darwin 2.5.6

pkgs.speech-denoiser

Speech denoise lv2 plugin based on RNNoise library

nixos-unstable 0-unstable-2018-10-08
- nixpkgs-unstable 0-unstable-2018-10-08
- nixos-unstable-small 0-unstable-2018-10-08
nixos-25.11 0-unstable-2018-10-08
- nixos-25.11-small 0-unstable-2018-10-08
- nixpkgs-25.11-darwin 0-unstable-2018-10-08

pkgs.openimagedenoise

High-Performance Denoising Library for Ray Tracing

nixos-unstable 2.3.3
- nixpkgs-unstable 2.3.3
- nixos-unstable-small 2.3.3
nixos-25.11 2.3.3
- nixos-25.11-small 2.3.3
- nixpkgs-25.11-darwin 2.3.3

pkgs.terraform-providers.deno

None

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python312Packages.denonavr

Automation Library for Denon AVR receivers

nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.python313Packages.denonavr

Automation Library for Denon AVR receivers

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.haskellPackages.pandoc-sidenote

Convert Pandoc Markdown-style footnotes into sidenotes

nixos-unstable 0.23.0.0
- nixpkgs-unstable 0.23.0.0
- nixos-unstable-small 0.23.0.0
nixos-25.11 0.23.0.0
- nixos-25.11-small 0.23.0.0
- nixpkgs-25.11-darwin 0.23.0.0

pkgs.terraform-providers.denoland_deno

None

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.gnomeExtensions.denon-avr-controler

Denon AVR controler

nixos-unstable 12
- nixpkgs-unstable 12
- nixos-unstable-small 12
nixos-25.11 12
- nixos-25.11-small 12
- nixpkgs-25.11-darwin 12

pkgs.python312Packages.bnunicodenormalizer

Bangla Unicode Normalization Toolkit

nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python313Packages.bnunicodenormalizer

Bangla Unicode Normalization Toolkit

nixos-unstable 0.1.7
- nixpkgs-unstable 0.1.7
- nixos-unstable-small 0.1.7
nixos-25.11 0.1.7
- nixos-25.11-small 0.1.7
- nixpkgs-25.11-darwin 0.1.7

pkgs.python314Packages.bnunicodenormalizer

Bangla Unicode Normalization Toolkit

nixos-unstable 0.1.7
- nixpkgs-unstable 0.1.7
- nixos-unstable-small 0.1.7

pkgs.vscode-extensions.denoland.vscode-deno

Language server client for Deno

nixos-unstable 3.50.0
- nixpkgs-unstable 3.50.0
- nixos-unstable-small 3.50.0
nixos-25.11 3.46.1
- nixos-25.11-small 3.46.1
- nixpkgs-25.11-darwin 3.46.1

pkgs.home-assistant-component-tests.denonavr

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.denonavr

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.2
- nixpkgs-unstable 2026.2.2
- nixos-unstable-small 2026.2.2

Package maintainers

@ofalvai Olivér Falvai <ofalvai@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@honnip Jung seungwoo <me@honnip.page>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@LeshaInc Alexey Nikashkin <leshainc@fomalhaut.me>
@Mic92 Jörg Thalheim <joerg@thalheim.io>
@magnetophon Bart Brouns <bart@magnetophon.nl>
@ratsclub Victor Freire <victor@freire.dev.br>

Published

(browse all)

Permalink CVE-2026-22863

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
12 packages
- speech-denoiser
- openimagedenoise
- terraform-providers.deno
- python312Packages.denonavr
- python313Packages.denonavr
- haskellPackages.pandoc-sidenote
- terraform-providers.denoland_deno
- gnomeExtensions.denon-avr-controler
- python312Packages.bnunicodenormalizer
- python313Packages.bnunicodenormalizer
- vscode-extensions.denoland.vscode-deno
- home-assistant-component-tests.denonavr
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Deno node:crypto doesn't finalize cipher

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

Affected products

deno

==< 2.6.0

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.5.6
- nixpkgs-unstable 2.5.6
- nixos-unstable-small 2.5.6

Package maintainers

@06kellyjac Jack <hello+nixpkgs@j-k.io>
@ofalvai Olivér Falvai <ofalvai@gmail.com>

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v

Dismissed

(browse all)

Permalink CVE-2026-22864

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
12 packages
- speech-denoiser
- openimagedenoise
- terraform-providers.deno
- python312Packages.denonavr
- python313Packages.denonavr
- haskellPackages.pandoc-sidenote
- terraform-providers.denoland_deno
- gnomeExtensions.denon-avr-controler
- python312Packages.bnunicodenormalizer
- python313Packages.bnunicodenormalizer
- vscode-extensions.denoland.vscode-deno
- home-assistant-component-tests.denonavr
1 month ago
@LeSuisse dismissed 1 month ago

Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Affected products

deno

==< 2.5.6

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.5.6
- nixpkgs-unstable 2.5.6
- nixos-unstable-small 2.5.6

Package maintainers

@06kellyjac Jack <hello+nixpkgs@j-k.io>
@ofalvai Olivér Falvai <ofalvai@gmail.com>

No Windows support

Suggestions search

Affected products

Matching in nixpkgs

pkgs.deno

pkgs.speech-denoiser

pkgs.openimagedenoise

pkgs.terraform-providers.deno

pkgs.python312Packages.denonavr

pkgs.python313Packages.denonavr

pkgs.haskellPackages.pandoc-sidenote

pkgs.terraform-providers.denoland_deno

pkgs.gnomeExtensions.denon-avr-controler

pkgs.python312Packages.bnunicodenormalizer

pkgs.python313Packages.bnunicodenormalizer

pkgs.python314Packages.bnunicodenormalizer

pkgs.vscode-extensions.denoland.vscode-deno

pkgs.home-assistant-component-tests.denonavr

pkgs.tests.home-assistant-component-tests.denonavr

Package maintainers

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers