Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: ghostty

Found 3 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-26982
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months, 1 week ago by @mweinelt Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @mweinelt accepted 2 months, 2 weeks ago
  • @mweinelt ignored
    3 packages
    • tree-sitter-grammars.tree-sitter-ghostty
    • python313Packages.tree-sitter-grammars.tree-sitter-ghostty
    • python314Packages.tree-sitter-grammars.tree-sitter-ghostty
    2 months, 1 week ago
  • @mweinelt published on GitHub 2 months, 1 week ago
Ghostty affected by arbitrary command execution via control characters in paste and drag-and-drop operations

Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.

Affected products

ghostty
  • ==< 1.3.0

Matching in nixpkgs

pkgs.ghostty

Fast, native, feature-rich terminal emulator pushing modern features

pkgs.ghostty-bin

Fast, native, feature-rich terminal emulator pushing modern features

Ignored packages (3)

Package maintainers

Unstable: https://github.com/NixOS/nixpkgs/pull/498283
25.11: Unfixed
Untriaged
Permalink CVE-2026-26980
9.4 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
created 3 months ago Activity log
  • Created suggestion 3 months ago
Ghost has a SQL Injection in its Content API

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

Affected products

Ghost
  • ==>= 3.24.0, < 6.19.1

Matching in nixpkgs

pkgs.ghostie

Github notifications in your terminal

pkgs.ghostty

Fast, native, feature-rich terminal emulator pushing modern features

pkgs.ghostunnel

TLS proxy with mutual authentication support for securing non-TLS backend applications

pkgs.ghostty-bin

Fast, native, feature-rich terminal emulator pushing modern features

Package maintainers

Untriaged
Permalink CVE-2026-24778
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 months, 3 weeks ago Activity log
  • Created suggestion 3 months, 3 weeks ago
Ghost vulnerable to XSS via malicious Portal preview links

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version.

Affected products

Ghost
  • ==@tryghost/portal >= 2.29.1, < 2.51.5
  • ==@tryghost/portal >= 2.52.0, < 2.57.1
  • ==ghost >= 6.0.0, < 6.15.0
  • ==ghost >= 5.43.0, < 5.121.0

Matching in nixpkgs

pkgs.ghost

Android post-exploitation framework

pkgs.ghostie

Github notifications in your terminal

pkgs.ghostty

Fast, native, feature-rich terminal emulator pushing modern features

pkgs.ghostunnel

TLS proxy with mutual authentication support for securing non-TLS backend applications

pkgs.ghostty-bin

Fast, native, feature-rich terminal emulator pushing modern features

Package maintainers