Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: electron-chromedriver_40

Found 472 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-5887
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Insufficient validation of untrusted input in Downloads in Google Chrome …

Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Untriaged
Permalink CVE-2026-5862
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 …

Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Untriaged
Permalink CVE-2026-5910
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 …

Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Untriaged
Permalink CVE-2026-5896
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 …

Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Untriaged
Permalink CVE-2026-5876
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Side-channel information leakage in Navigation in Google Chrome prior to …

Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Untriaged
Permalink CVE-2026-5903
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 …

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Untriaged
Permalink CVE-2026-34765
6.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Electron named window.open targets not scoped to the opener's browsing context

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.

Affected products

electron
  • ==< 39.8.5
  • ==>= 40.0.0-alpha.1, < 40.8.5
  • ==>= 41.0.0-alpha.1, < 41.1.0
  • ==>= 42.0.0-alpha.1, < 42.0.0-alpha.5

Matching in nixpkgs

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail

Untriaged
Permalink CVE-2026-34781
2.8 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Electron crashes in clipboard.readImage() on malformed clipboard image data

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.

Affected products

electron
  • ==< 39.8.5
  • ==>= 40.0.0-alpha.1, < 40.8.5
  • ==>= 41.0.0-alpha.1, < 41.1.0
  • ==>= 42.0.0-alpha.1, < 42.0.0-alpha.5

Matching in nixpkgs

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail

Untriaged
Permalink CVE-2026-34777
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Electron: Incorrect origin passed to permission request handler for iframe requests

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Affected products

electron
  • ==>= 41.0.0-alpha.1, < 41.0.0
  • ==>= 40.0.0-alpha.1, < 40.8.1
  • ==>= 39.0.0-alpha.1, < 39.8.1
  • ==< 38.8.6

Matching in nixpkgs

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail

Untriaged
Permalink CVE-2026-34778
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Electron: Service worker can spoof executeJavaScript IPC replies

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Affected products

electron
  • ==>= 41.0.0-alpha.1, < 41.0.0
  • ==>= 40.0.0-alpha.1, < 40.8.1
  • ==>= 39.0.0-alpha.1, < 39.8.1
  • ==< 38.8.6

Matching in nixpkgs

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail