Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: warp-terminal

Found 10 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-48719
8.0 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp branch selector command injection via Git branch names

Warp is an agentic development environment. From 0.2025.08.06.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2025.08.06.08.12.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-48732
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp: Remote SSH cwd can lead to unauthorized remote command execution

Warp is an agentic development environment. From 0.2023.03.21.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the legacy SSH background command path. Warp used the remote working directory reported by the session when building helper commands for SSH-backed metadata collection. A remote host, repository, or directory name controlled by an attacker could cause that helper command to execute additional shell syntax on the remote host as the victim's authenticated SSH account. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2023.03.21.08.02.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-48731
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp: Linux external editor command injection

Warp is an agentic development environment. From 0.2024.02.20.08.01.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the Linux external editor launcher. Warp expanded freedesktop .desktop Exec templates for affected editor integrations and executed the expanded command through a shell. A user who opens an attacker-controlled local file path through an affected external editor or system-default editor route can cause shell syntax embedded in that path to execute as the local user. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2024.02.20.08.01.stable_01, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-54686
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp: DCS lifecycle hook spoofing can alter terminal session metadata

Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepted certain state-mutating terminal lifecycle hooks from the PTY stream without verifying that the hooks were emitted by Warp's shell integration for the active session. An attacker who could cause a victim to view attacker-controlled terminal output in Warp could spoof selected lifecycle metadata, including the current working directory reported for the active block or SSH session transport metadata. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2021.04.25.23.05.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-54699
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp: OS command injection when opening terminal links from WSL

Warp is an agentic development environment. From 0.2024.03.12.08.02.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains an OS command injection vulnerability in the WSL URL-opening fallback. When Warp is running under WSL and cannot open a URL through wslview, it falls back to a Windows command processor path. A URL controlled through terminal output can reach that fallback when the user opens the link. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2024.03.12.08.02.stable_01, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-48725
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp may allow terminal output to access the local clipboard through OSC 52

Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp allows terminal output to request access to the local system clipboard. A malicious remote host, remote program, or other attacker-controlled terminal output source can trigger clipboard reads or writes without a separate confirmation step. This crosses the trust boundary between untrusted terminal output and the user's local desktop clipboard. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2021.04.25.23.05.stable_00, < v0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-48704
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp Markdown notebook links may open executable local files

Warp is an agentic development environment. From 0.2023.10.24.08.03.stable_00 until 0.2026.05.06.15.42.stable_01, Warp may open executable local files through the operating system default file handler. A malicious Markdown document or project can contain a local-file link that appears as normal rendered content. If a user opens the Markdown in Warp and clicks the link, affected builds may route the resolved local file to a platform file opener instead of limiting the action to safe viewer/editor targets. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2023.10.24.08.03.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-48703
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp: Command Injection via Warp code search tool arguments

Warp is an agentic development environment. From 0.2025.04.09.08.11.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution policy bypass in Agent code search tools. The affected Grep and FileGlob actions are authorized as read/search operations, but their implementations build shell command strings from Agent-controlled inputs (search text, paths, glob patterns) and execute them in the active terminal session. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2025.04.09.08.11.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-48721
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • warp
    • warpd
    • ts-warp
    • warpgate
    • warp-plus
    • minio-warp
    • warpinator
    • git-warp-time
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp: Env-var prefixes can lead to denylisted command autoexecution

Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2025.10.08.08.12.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05
Published
Permalink CVE-2026-48720
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 9 hours ago by @LeSuisse Activity log
  • Created suggestion 15 hours ago
  • @LeSuisse ignored
    23 packages
    • git-warp-time
    • warpinator
    • minio-warp
    • warp-plus
    • ts-warp
    • warpd
    • warp
    • warpgate
    • cloudflare-warp
    • haskellPackages.warp
    • haskellPackages.warp-tls
    • gnomeExtensions.warpgnome
    • gnomeExtensions.mouse-warp
    • gnomeExtensions.warp-toggle
    • python312Packages.warp-lang
    • python313Packages.warp-lang
    • python314Packages.warp-lang
    • haskellPackages.jsaddle-warp
    • haskellPackages.warp-systemd
    • haskellPackages.core-webserver-warp
    • gnomeExtensions.cloudflare-warp-toggle
    • gnomeExtensions.cloudflare-warp-indicator
    • haskellPackages.essence-of-live-coding-warp
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Warp: SSH remote output can lead to local file overwrite and persistence

Warp is an agentic development environment. From 0.2025.03.05.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepts non-inline `OSC 1337;File` payloads from terminal output and materialize the decoded payload as a local file without an additional confirmation step. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2025.03.05.08.02.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

Ignored packages (23)

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Needs a backport to 26.05