Nixpkgs security tracker

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

updated 1 month, 3 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    10 packages
    • firefoxpwa
    • faust2firefox
    • firefox_decrypt
    • firefox-gnome-theme
    • firefox-sync-client
    • pkgsRocm.firefoxpwa
    • gnomeExtensions.firefox-profiles
    • gnomeExtensions.firefox-pip-always-on-top
    • gnomeExtensions.pip-alwaysontop-for-firefox
    • vscode-extensions.firefox-devtools.vscode-firefox-debug
  • @jopejoe1 dismissed
Mozilla Firefox 20.0a1 and earlier allows remote attackers to cause …

Mozilla Firefox 20.0a1 and earlier allows remote attackers to cause a denial of service (crash), related to event handling with frames.

References

Affected products

Firefox
  • ==20.0a1

Matching in nixpkgs

Ignored packages (10)

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivatives

pkgs.firefox-sync-client

Command-line utility to list/view/edit/delete entries in a firefox-sync account.

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 5
    • nixpkgs-unstable 5
    • nixos-unstable-small 5
  • nixos-25.11 5
    • nixos-25.11-small 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Never affected the current NixOS Release.
Dismissed
(not in Nixpkgs)
updated 1 month, 3 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    18 packages
    • pg_activity
    • activitywatch
    • ocamlPackages.get-activity
    • libsForQt5.kactivitymanagerd
    • kdePackages.kactivitymanagerd
    • ocamlPackages.get-activity-lib
    • ocamlPackages_latest.get-activity
    • plasma5Packages.kactivitymanagerd
    • haskellPackages.gogol-apps-activity
    • haskellPackages.gogol-driveactivity
    • python312Packages.django-pgactivity
    • python313Packages.django-pgactivity
    • python314Packages.django-pgactivity
    • gnomeExtensions.activitywatch-status
    • gnomeExtensions.activity-app-launcher
    • ocamlPackages_latest.get-activity-lib
    • gnomeExtensions.drive-activity-indicator
    • haskellPackages.rdf4h-vocab-activitystreams
  • @jopejoe1 dismissed (not in Nixpkgs)
Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for …

Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal.

References

Affected products

Activity
  • ==6.x-1.x
Ignored packages (18)

pkgs.pg_activity

Top-like application for PostgreSQL server activity monitoring

pkgs.gnomeExtensions.activitywatch-status

Shows the total time spent on the computer, fork of [activitywatch-status-gnome-shell](https://codeberg.org/cweiske/activitywatch-status-gnome-shell/)

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-25.11 2
    • nixos-25.11-small 2
    • nixpkgs-25.11-darwin 2

pkgs.gnomeExtensions.activity-app-launcher

Integrates a category-based application launcher in the Activities window. IMPORTANT: it needs 'gnome-menus' and 'libgnome-menu-3-dev'; they must be installed on the system before installing this extension.

  • nixos-unstable 47
    • nixpkgs-unstable 47
    • nixos-unstable-small 47
  • nixos-25.11 45
    • nixos-25.11-small 45
    • nixpkgs-25.11-darwin 45

pkgs.gnomeExtensions.drive-activity-indicator

Visualize the activity of storage drives (disk activity LED simulator).

  • nixos-unstable 8
    • nixpkgs-unstable 8
    • nixos-unstable-small 8
  • nixos-25.11 8
    • nixos-25.11-small 8
    • nixpkgs-25.11-darwin 8
updated 1 month, 3 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    10 packages
    • firefoxpwa
    • faust2firefox
    • firefox_decrypt
    • firefox-gnome-theme
    • firefox-sync-client
    • pkgsRocm.firefoxpwa
    • gnomeExtensions.firefox-profiles
    • gnomeExtensions.firefox-pip-always-on-top
    • gnomeExtensions.pip-alwaysontop-for-firefox
    • vscode-extensions.firefox-devtools.vscode-firefox-debug
  • @jopejoe1 dismissed
Mozilla Firefox through 1.5.0.3 has a vulnerability in processing the …

Mozilla Firefox through 1.5.0.3 has a vulnerability in processing the Content-Length header.

References

Affected products

Firefox
  • 1.5.0.3 and earlier

Matching in nixpkgs

Ignored packages (10)

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivatives

pkgs.firefox-sync-client

Command-line utility to list/view/edit/delete entries in a firefox-sync account.

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 5
    • nixpkgs-unstable 5
    • nixos-unstable-small 5
  • nixos-25.11 5
    • nixos-25.11-small 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Never affected the current NixOS Release.
updated 1 month, 3 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    10 packages
    • firefoxpwa
    • faust2firefox
    • firefox_decrypt
    • firefox-gnome-theme
    • firefox-sync-client
    • pkgsRocm.firefoxpwa
    • gnomeExtensions.firefox-profiles
    • gnomeExtensions.firefox-pip-always-on-top
    • gnomeExtensions.pip-alwaysontop-for-firefox
    • vscode-extensions.firefox-devtools.vscode-firefox-debug
  • @jopejoe1 dismissed
Mozilla Firefox prior to 3.6 has a DoS vulnerability due …

Mozilla Firefox prior to 3.6 has a DoS vulnerability due to an issue in the validation of certificates.

References

Affected products

Firefox
  • prior to 3.6

Matching in nixpkgs

Ignored packages (10)

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivatives

pkgs.firefox-sync-client

Command-line utility to list/view/edit/delete entries in a firefox-sync account.

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 5
    • nixpkgs-unstable 5
    • nixos-unstable-small 5
  • nixos-25.11 5
    • nixos-25.11-small 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Never affected the current NixOS Release.
Dismissed
(not in Nixpkgs)
updated 1 month, 3 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    18 packages
    • pg_activity
    • activitywatch
    • ocamlPackages.get-activity
    • libsForQt5.kactivitymanagerd
    • kdePackages.kactivitymanagerd
    • ocamlPackages.get-activity-lib
    • ocamlPackages_latest.get-activity
    • plasma5Packages.kactivitymanagerd
    • haskellPackages.gogol-apps-activity
    • haskellPackages.gogol-driveactivity
    • python312Packages.django-pgactivity
    • python313Packages.django-pgactivity
    • python314Packages.django-pgactivity
    • gnomeExtensions.activitywatch-status
    • gnomeExtensions.activity-app-launcher
    • ocamlPackages_latest.get-activity-lib
    • gnomeExtensions.drive-activity-indicator
    • haskellPackages.rdf4h-vocab-activitystreams
  • @jopejoe1 dismissed (not in Nixpkgs)
A cross-site request forgery (CSRF) vulnerability in the Activity module …

A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.

References

Affected products

Activity
  • ==6.x-1.x
Ignored packages (18)

pkgs.pg_activity

Top-like application for PostgreSQL server activity monitoring

pkgs.gnomeExtensions.activitywatch-status

Shows the total time spent on the computer, fork of [activitywatch-status-gnome-shell](https://codeberg.org/cweiske/activitywatch-status-gnome-shell/)

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-25.11 2
    • nixos-25.11-small 2
    • nixpkgs-25.11-darwin 2

pkgs.gnomeExtensions.activity-app-launcher

Integrates a category-based application launcher in the Activities window. IMPORTANT: it needs 'gnome-menus' and 'libgnome-menu-3-dev'; they must be installed on the system before installing this extension.

  • nixos-unstable 47
    • nixpkgs-unstable 47
    • nixos-unstable-small 47
  • nixos-25.11 45
    • nixos-25.11-small 45
    • nixpkgs-25.11-darwin 45

pkgs.gnomeExtensions.drive-activity-indicator

Visualize the activity of storage drives (disk activity LED simulator).

  • nixos-unstable 8
    • nixpkgs-unstable 8
    • nixos-unstable-small 8
  • nixos-25.11 8
    • nixos-25.11-small 8
    • nixpkgs-25.11-darwin 8
updated 1 month, 3 weeks ago by @jopejoe1 Activity log
  • Created suggestion
  • @jopejoe1 ignored
    10 packages
    • firefoxpwa
    • firefox_decrypt
    • faust2firefox
    • firefox-sync-client
    • firefox-gnome-theme
    • pkgsRocm.firefoxpwa
    • gnomeExtensions.firefox-profiles
    • gnomeExtensions.firefox-pip-always-on-top
    • gnomeExtensions.pip-alwaysontop-for-firefox
    • vscode-extensions.firefox-devtools.vscode-firefox-debug
  • @jopejoe1 dismissed
Mozilla Firefox before 3.6 is vulnerable to XSS via the …

Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style Sheets.

References

Affected products

Firefox
  • before 3.6

Matching in nixpkgs

Ignored packages (10)

pkgs.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivatives

pkgs.firefox-sync-client

Command-line utility to list/view/edit/delete entries in a firefox-sync account.

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 5
    • nixpkgs-unstable 5
    • nixos-unstable-small 5
  • nixos-25.11 5
    • nixos-25.11-small 5
    • nixpkgs-25.11-darwin 5

Package maintainers

Never affected the current Release.
CVE-2026-33868
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    11 packages
    • mastodon-bot
    • bitlbee-mastodon
    • mastodon-archive
    • nodePackages.mastodon-bot
    • python312Packages.mastodon-py
    • python313Packages.mastodon-py
    • python314Packages.mastodon-py
    • nodePackages_latest.mastodon-bot
    • home-assistant-component-tests.mastodon
    • tests.home-assistant-component-tests.mastodon
    • wordpressPackages.plugins.simple-mastodon-verification
  • @mweinelt dismissed
Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

Affected products

mastodon
  • < 4.3.21
  • >= 4.5.0, < 4.5.8
  • >= 4.4.0, < 4.4.15

Matching in nixpkgs

pkgs.mastodon

Self-hosted, globally interconnected microblogging software based on ActivityPub

Ignored packages (11)

pkgs.mastodon-bot

Bot to publish Twitter, Tumblr or RSS posts to a Mastodon account.

Package maintainers

Fixed in https://github.com/nixos/nixpkgs/pull/503089.
CVE-2026-32067
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt dismissed
OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for the direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.

Affected products

OpenClaw
  • ==2026.2.26
  • <2026.2.26

Matching in nixpkgs

Package maintainers

Fixed in https://github.com/nixos/nixpkgs/pull/499141
CVE-2026-32055
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt dismissed
OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink

OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation to escape the workspace boundary and create files in arbitrary locations.

Affected products

OpenClaw
  • ==2026.2.26
  • <2026.2.26

Matching in nixpkgs

Package maintainers

Fixed in https://github.com/nixos/nixpkgs/pull/499141
CVE-2026-32048
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt dismissed
OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn

OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.

Affected products

OpenClaw
  • ==2026.3.1
  • <2026.3.1

Matching in nixpkgs

Package maintainers

Fixed in https://github.com/nixos/nixpkgs/pull/499141