Nixpkgs Security Tracker


Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    21 packages
    • metronome
    • gmetronome
    • kmetronome
    • typstPackages.metro
    • haskellPackages.metro
    • typstPackages.metronic
    • typstPackages.metro_0_1_0
    • typstPackages.metro_0_1_1
    • typstPackages.metro_0_2_0
    • typstPackages.metro_0_3_0
    • typstPackages.metropolyst
    • haskellPackages.metro-socket
    • typstPackages.metronic_1_0_0
    • typstPackages.metronic_1_1_0
    • typstPackages.metropolyst_0_1_0
    • typstPackages.metropolis-polylux
    • haskellPackages.mighty-metropolis
    • haskellPackages.metro-transport-xor
    • haskellPackages.metro-transport-crypto
    • typstPackages.metropolis-polylux_0_1_0
    • haskellPackages.metro-transport-websockets
  • @mweinelt dismissed
WordPress Metro theme <= 2.13 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion. This issue affects Metro: from n/a through <= 2.13.

Affected products

metro
  • <= 2.13
Ignored packages (21)
Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    3 packages
    • typstPackages.nutshell
    • typstPackages.nutshell_0_1_0
    • typstPackages.nutshell_0_1_1
  • @mweinelt dismissed
WordPress Nuts theme <= 1.10 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nuts nuts allows PHP Local File Inclusion. This issue affects Nuts: from n/a through <= 1.10.

Affected products

nuts
  • <= 1.10
Ignored packages (3)
Not in nixpkgs
CVE-2026-28486
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands

OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.14 or older.
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    2 packages
    • lomiri.geonames
    • vscode-extensions.leonardssh.vscord
  • @mweinelt dismissed
WordPress Eona theme <= 1.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Eona eona allows PHP Local File Inclusion. This issue affects Eona: from n/a through <= 1.3.

Affected products

eona
  • <= 1.3
Ignored packages (2)
Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    6 packages
    • rubyPackages_4_0.charlock_holmes
    • rubyPackages_3_4.charlock_holmes
    • rubyPackages_3_3.charlock_holmes
    • rubyPackages.charlock_holmes
    • rubyPackages_3_1.charlock_holmes
    • rubyPackages_3_2.charlock_holmes
  • @mweinelt dismissed
WordPress Holmes theme <= 1.7 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Holmes holmes allows PHP Local File Inclusion. This issue affects Holmes: from n/a through <= 1.7.

Affected products

holmes
  • <= 1.7
Ignored packages (6)
Not in nixpkgs
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed package geckodriver
  • @mweinelt dismissed
WordPress Gecko theme <= 1.9.8 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JanStudio Gecko gecko allows Reflected XSS. This issue affects Gecko: from n/a through <= 1.9.8.

Affected products

gecko
  • <= 1.9.8
Ignored packages (1)
Not in nixpkgs
CVE-2026-28477
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow

OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.14 or older.
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed
    5 packages
    • akkuPackages.nytpu-contracts
    • python312Packages.dpcontracts
    • python313Packages.dpcontracts
    • python314Packages.dpcontracts
    • chickenPackages_5.chickenEggs.simple-contracts
  • @mweinelt dismissed
The Graph: Revocable vesting contracts allows early access to locked tokens

The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.

Affected products

contracts
  • < 3.0.0
Ignored packages (5)
Not in nixpkgs
CVE-2026-28450
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.

Affected products

OpenClaw
  • <2026.2.12

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.12 or older.
CVE-2026-3381
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt dismissed
Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib

Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib. Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings from the 7ASecurity audit of zlib. This includes fixes for CVE-2026-27171.

Affected products

Compress-Raw-Zlib
  • =<2.219

Matching in nixpkgs

Unaffected since we use system zlib.