Nixpkgs Security Tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

CVE-2026-29611
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.14 or older.
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    3 packages
    • restic-integrity
    • integrity-scrub
    • grit
  • @mweinelt dismissed
WordPress Grit theme <= 1.0.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Grit (grit) allows PHP Local File Inclusion. This issue affects Grit: from n/a through <= 1.0.1.

Affected products

grit
  • <= 1.0.1
Ignored packages (3)
Not in nixpkgs
CVE-2026-27023
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    8 packages
    • gnome-2048
    • wordpressPackages.themes.twentytwenty
    • wordpressPackages.themes.twentynineteen
    • wordpressPackages.themes.twentytwentyone
    • wordpressPackages.themes.twentytwentytwo
    • wordpressPackages.themes.twentytwentyfive
    • wordpressPackages.themes.twentytwentyfour
    • wordpressPackages.themes.twentytwentythree
  • @mweinelt dismissed
Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.

Affected products

twenty
  • < 1.18
Ignored packages (8)
Not in nixpkgs
CVE-2026-28472
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake that allows device identity checks to be skipped when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.

Affected products

OpenClaw
  • <2026.2.2

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.2 or older.
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    16 packages
    • chroma
    • chromaprint
    • polychromatic
    • gnomeExtensions.achroma
    • python312Packages.chromadb
    • python313Packages.chromadb
    • python312Packages.chroma-hnswlib
    • python313Packages.chroma-hnswlib
    • python314Packages.chroma-hnswlib
    • pkgsRocm.python3Packages.chromadb
    • python312Packages.langchain-chroma
    • python313Packages.langchain-chroma
    • pkgsRocm.python3Packages.langchain-chroma
    • python312Packages.llama-index-vector-stores-chroma
    • python313Packages.llama-index-vector-stores-chroma
    • pkgsRocm.python3Packages.llama-index-vector-stores-chroma
  • @mweinelt dismissed
WordPress Chroma theme <= 1.11 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Chroma (chroma) allows PHP Local File Inclusion. This issue affects Chroma: from n/a through <= 1.11.

Affected products

chroma
  • <= 1.11
Ignored packages (16)

pkgs.gnomeExtensions.achroma

Toggle your display to monochrome/grayscale mode with a single click. Useful for reducing eye strain, improving focus, or accessibility.

  • nixos-unstable -
    • nixpkgs-unstable 5
    • nixos-unstable-small 5
Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    12 packages
    • typstPackages.tutor_0_7_0
    • typstPackages.tutor_0_8_0
    • haskellPackages.egison-tutorial
    • perlPackages.TaskCatalystTutorial
    • haskellPackages.timeless-tutorials
    • perl5Packages.TaskCatalystTutorial
    • perl538Packages.TaskCatalystTutorial
    • perl540Packages.TaskCatalystTutorial
    • typstPackages.tutor
    • typstPackages.tutor_0_3_0
    • typstPackages.tutor_0_4_0
    • typstPackages.tutor_0_6_1
  • @mweinelt dismissed
WordPress Tutor LMS plugin <= 3.9.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themeum Tutor LMS (tutor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.5.

Affected products

tutor
  • <= 3.9.5
Ignored packages (12)
Not in nixpkgs
CVE-2026-28394
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool

OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious URLs with pathological HTML structures to exhaust server memory and cause service unavailability.

Affected products

OpenClaw
  • <2026.2.15

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.15 or older.
CVE-2026-28123
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    2 packages
    • gnomeExtensions.veil
    • veilid
  • @mweinelt dismissed
WordPress Veil theme <= 1.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Veil (veil) allows PHP Local File Inclusion. This issue affects Veil: from n/a through <= 1.9.

Affected products

veil
  • <= 1.9
Ignored packages (2)

pkgs.gnomeExtensions.veil

Veil - Modern successor to Hide Items. A cleaner, quieter GNOME panel.

  • nixos-unstable 8
    • nixpkgs-unstable 8
    • nixos-unstable-small 8
  • nixos-25.11 7
    • nixos-25.11-small 7
    • nixpkgs-25.11-darwin 7
Not in nixpkgs
CVE-2026-28393
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.14 or older.
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    6 packages
    • typstPackages.efilrst
    • typstPackages.efilrst_0_1_0
    • typstPackages.efilrst_0_2_0
    • typstPackages.efilrst_0_3_0
    • typstPackages.efilrst_0_3_1
    • typstPackages.efilrst_0_3_2
  • @mweinelt dismissed
WordPress Filr plugin <= 1.2.12 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr (filr-protection) allows Upload a Web Shell to a Web Server. This issue affects Filr: from n/a through <= 1.2.12.

Affected products

filr-protection
  • <= 1.2.12
Ignored packages (6)
Not in nixpkgs