Nixpkgs security tracker

Published

Permalink CVE-2026-32260

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 3 weeks, 6 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 6 days ago
@LeSuisse removed package speech-denoiser 3 weeks, 6 days ago
@LeSuisse removed package openimagedenoise 3 weeks, 6 days ago
@LeSuisse removed package terraform-providers.deno 3 weeks, 6 days ago
@LeSuisse removed package python312Packages.denonavr 3 weeks, 6 days ago
@LeSuisse removed package python313Packages.denonavr 3 weeks, 6 days ago
@LeSuisse removed package haskellPackages.pandoc-sidenote 3 weeks, 6 days ago
@LeSuisse removed package terraform-providers.denoland_deno 3 weeks, 6 days ago
@LeSuisse removed package gnomeExtensions.denon-avr-controler 3 weeks, 6 days ago
@LeSuisse removed package python312Packages.bnunicodenormalizer 3 weeks, 6 days ago
@LeSuisse removed package python313Packages.bnunicodenormalizer 3 weeks, 6 days ago
@LeSuisse removed package python314Packages.bnunicodenormalizer 3 weeks, 6 days ago
@LeSuisse removed package vscode-extensions.denoland.vscode-deno 3 weeks, 6 days ago
@LeSuisse removed package home-assistant-component-tests.denonavr 3 weeks, 6 days ago
@LeSuisse removed package tests.home-assistant-component-tests.denonavr 3 weeks, 6 days ago
@LeSuisse removed package gnomeExtensions.marantz-and-denon-avr-controller 3 weeks, 6 days ago
@LeSuisse accepted 3 weeks, 6 days ago
@LeSuisse published on GitHub 3 weeks, 6 days ago

Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.

References

https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j x_refsource_CONFIRM

Affected products

deno

==>= 2.7.0, < 2.7.2

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.6.10
- nixpkgs-unstable 2.6.10
- nixos-unstable-small 2.6.10
nixos-25.11 2.6.10
- nixos-25.11-small 2.6.10
- nixpkgs-25.11-darwin 2.6.10

Package maintainers

@ofalvai Olivér Falvai <ofalvai@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j

Published

Permalink CVE-2026-27190

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 2 weeks ago
@LeSuisse removed package speech-denoiser 1 month, 2 weeks ago
@LeSuisse removed package openimagedenoise 1 month, 2 weeks ago
@LeSuisse removed package terraform-providers.deno 1 month, 2 weeks ago
@LeSuisse removed package python312Packages.denonavr 1 month, 2 weeks ago
@LeSuisse removed package python313Packages.denonavr 1 month, 2 weeks ago
@LeSuisse removed package haskellPackages.pandoc-sidenote 1 month, 2 weeks ago
@LeSuisse removed package terraform-providers.denoland_deno 1 month, 2 weeks ago
@LeSuisse removed package gnomeExtensions.denon-avr-controler 1 month, 2 weeks ago
@LeSuisse removed package python312Packages.bnunicodenormalizer 1 month, 2 weeks ago
@LeSuisse removed package python313Packages.bnunicodenormalizer 1 month, 2 weeks ago
@LeSuisse removed package python314Packages.bnunicodenormalizer 1 month, 2 weeks ago
@LeSuisse removed package vscode-extensions.denoland.vscode-deno 1 month, 2 weeks ago
@LeSuisse removed package home-assistant-component-tests.denonavr 1 month, 2 weeks ago
@LeSuisse removed package tests.home-assistant-component-tests.denonavr 1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse published on GitHub 1 month, 2 weeks ago

Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

References

https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr x_refsource_CONFIRM
https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c x_refsource_MISC
https://github.com/denoland/deno/releases/tag/v2.6.8 x_refsource_MISC

Affected products

deno

==< 2.6.8

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.6.9
- nixpkgs-unstable 2.6.8
- nixos-unstable-small 2.6.9
nixos-25.11 2.5.6
- nixos-25.11-small 2.5.6
- nixpkgs-25.11-darwin 2.5.6

Package maintainers

@ofalvai Olivér Falvai <ofalvai@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr
Upstream patch: https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c

Published

Permalink CVE-2026-22863

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 months, 3 weeks ago
@LeSuisse removed package speech-denoiser 2 months, 3 weeks ago
@LeSuisse removed package openimagedenoise 2 months, 3 weeks ago
@LeSuisse removed package terraform-providers.deno 2 months, 3 weeks ago
@LeSuisse removed package python312Packages.denonavr 2 months, 3 weeks ago
@LeSuisse removed package python313Packages.denonavr 2 months, 3 weeks ago
@LeSuisse removed package haskellPackages.pandoc-sidenote 2 months, 3 weeks ago
@LeSuisse removed package terraform-providers.denoland_deno 2 months, 3 weeks ago
@LeSuisse removed package gnomeExtensions.denon-avr-controler 2 months, 3 weeks ago
@LeSuisse removed package python312Packages.bnunicodenormalizer 2 months, 3 weeks ago
@LeSuisse removed package python313Packages.bnunicodenormalizer 2 months, 3 weeks ago
@LeSuisse removed package vscode-extensions.denoland.vscode-deno 2 months, 3 weeks ago
@LeSuisse removed package home-assistant-component-tests.denonavr 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 3 weeks ago
@LeSuisse published on GitHub 2 months, 3 weeks ago

Deno node:crypto doesn't finalize cipher

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

References

https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v x_refsource_CONFIRM
https://github.com/denoland/deno/releases/tag/v2.6.0 x_refsource_MISC
https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v x_refsource_CONFIRM
https://github.com/denoland/deno/releases/tag/v2.6.0 x_refsource_MISC

Affected products

deno

==< 2.6.0

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.5.6
- nixpkgs-unstable 2.5.6
- nixos-unstable-small 2.5.6

Package maintainers

@ofalvai Olivér Falvai <ofalvai@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v

Dismissed

Permalink CVE-2026-22864

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 months, 3 weeks ago
@LeSuisse removed package speech-denoiser 2 months, 3 weeks ago
@LeSuisse removed package openimagedenoise 2 months, 3 weeks ago
@LeSuisse removed package terraform-providers.deno 2 months, 3 weeks ago
@LeSuisse removed package python312Packages.denonavr 2 months, 3 weeks ago
@LeSuisse removed package python313Packages.denonavr 2 months, 3 weeks ago
@LeSuisse removed package haskellPackages.pandoc-sidenote 2 months, 3 weeks ago
@LeSuisse removed package terraform-providers.denoland_deno 2 months, 3 weeks ago
@LeSuisse removed package gnomeExtensions.denon-avr-controler 2 months, 3 weeks ago
@LeSuisse removed package python312Packages.bnunicodenormalizer 2 months, 3 weeks ago
@LeSuisse removed package python313Packages.bnunicodenormalizer 2 months, 3 weeks ago
@LeSuisse removed package vscode-extensions.denoland.vscode-deno 2 months, 3 weeks ago
@LeSuisse removed package home-assistant-component-tests.denonavr 2 months, 3 weeks ago
@LeSuisse dismissed 2 months, 3 weeks ago

Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

References

https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 x_refsource_CONFIRM
https://github.com/denoland/deno/releases/tag/v2.5.6 x_refsource_MISC
https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 x_refsource_CONFIRM
https://github.com/denoland/deno/releases/tag/v2.5.6 x_refsource_MISC

Affected products

deno

==< 2.5.6

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.5.6
- nixpkgs-unstable 2.5.6
- nixos-unstable-small 2.5.6

Package maintainers

@ofalvai Olivér Falvai <ofalvai@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>

No Windows support

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers