Nixpkgs Security Tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-3536
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @mweinelt removed
    31 packages
    • netflix
    • chromedriver
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • electron-chromedriver
    • xf86-video-openchrome
    • curl-impersonate-chrome
    • undetected-chromedriver
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
Integer overflow in ANGLE in Google Chrome prior to 145.0.7632.159 …

Integer overflow in ANGLE in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)

References

Affected products

Chrome
  • <145.0.7632.159

Matching in nixpkgs

Ignored packages (31)

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

NixOS unstable: https://github.com/nixos/nixpkgs/pull/496346
NixOS 25.11: https://github.com/NixOS/nixpkgs/pull/496393
Permalink CVE-2026-3539
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @mweinelt removed
    31 packages
    • netflix
    • chromedriver
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • electron-chromedriver
    • xf86-video-openchrome
    • curl-impersonate-chrome
    • undetected-chromedriver
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
Object lifecycle issue in DevTools in Google Chrome prior to …

Object lifecycle issue in DevTools in Google Chrome prior to 145.0.7632.159 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

References

Affected products

Chrome
  • <145.0.7632.159

Matching in nixpkgs

Ignored packages (31)

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

NixOS unstable: https://github.com/nixos/nixpkgs/pull/496346
NixOS 25.11: https://github.com/NixOS/nixpkgs/pull/496393
Permalink CVE-2026-3544
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @mweinelt removed
    31 packages
    • netflix
    • chromedriver
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • electron-chromedriver
    • xf86-video-openchrome
    • curl-impersonate-chrome
    • undetected-chromedriver
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
Heap buffer overflow in WebCodecs in Google Chrome prior to …

Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome
  • <145.0.7632.159

Matching in nixpkgs

Ignored packages (31)

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

NixOS unstable: https://github.com/nixos/nixpkgs/pull/496346
NixOS 25.11: https://github.com/NixOS/nixpkgs/pull/496393
Permalink CVE-2026-3541
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 3 days ago
  • @mweinelt removed
    31 packages
    • chromedriver
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • electron-chromedriver
    • xf86-video-openchrome
    • curl-impersonate-chrome
    • undetected-chromedriver
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
Inappropriate implementation in CSS in Google Chrome prior to 145.0.7632.159 …

Inappropriate implementation in CSS in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome
  • <145.0.7632.159

Matching in nixpkgs

Ignored packages (31)

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

NixOS unstable: https://github.com/nixos/nixpkgs/pull/496346
NixOS 25.11: https://github.com/NixOS/nixpkgs/pull/496393
Permalink CVE-2026-28464
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 2 days ago
  • @mweinelt dismissed 2 weeks ago
OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication

OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.

References

Affected products

OpenClaw
  • <2026.2.12

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.12 or older.
Permalink CVE-2026-22455
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 2 days ago
  • @mweinelt removed
    3 packages
    • python312Packages.sphinx-thebe
    • python313Packages.sphinx-thebe
    • python314Packages.sphinx-thebe
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
WordPress Thebe theme <= 1.3.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thebe thebe allows Reflected XSS.This issue affects Thebe: from n/a through <= 1.3.0.

References

Affected products

thebe
  • =<<= 1.3.0
Ignored packages (3) 
Not in nixpkgs
Permalink CVE-2026-28454
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 2 days ago
  • @mweinelt dismissed 2 weeks ago
OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.

References

Affected products

OpenClaw
  • <2026.2.2

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.2 or older.
Permalink CVE-2026-28478
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 2 days ago
  • @mweinelt dismissed 2 weeks ago
OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.

References

Affected products

OpenClaw
  • <2026.2.13

Matching in nixpkgs

Package maintainers

Unafffected, never had 2026.2.13 or older.
Permalink CVE-2026-28470
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 2 days ago
  • @mweinelt dismissed 2 weeks ago
OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes

OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands.

References

Affected products

OpenClaw
  • <2026.2.2

Matching in nixpkgs

Package maintainers

Unafffected, never had 2026.2.2 or older.
Permalink CVE-2026-28089
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks, 2 days ago
  • @mweinelt removed
    3 packages
    • python312Packages.daiquiri
    • python313Packages.daiquiri
    • python314Packages.daiquiri
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
WordPress Daiquiri theme <= 1.2.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Daiquiri daiquiri allows PHP Local File Inclusion.This issue affects Daiquiri: from n/a through <= 1.2.4.

References

Affected products

daiquiri
  • =<<= 1.2.4
Ignored packages (3) 
Not in nixpkgs