Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-28889
6.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    13 packages
    • xcodes
    • xcodegen
    • xcode-install
    • rubyPackages.xcodeproj
    • rubyPackages_3_1.xcodeproj
    • rubyPackages_3_2.xcodeproj
    • rubyPackages_3_3.xcodeproj
    • rubyPackages_3_4.xcodeproj
    • rubyPackages_4_0.xcodeproj
    • darwin.xcodeProjectCheckHook
    • python312Packages.latexcodec
    • python313Packages.latexcodec
    • python314Packages.latexcodec
    2 months ago
  • @LeSuisse dismissed 2 months ago
A permissions issue was addressed with additional restrictions. This issue …

A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 26.4. An app may be able to read arbitrary files as root.

Affected products

Xcode
  • <26.4
Ignored packages (13)

pkgs.xcodes

Command-line tool to install and switch between multiple versions of Xcode

pkgs.darwin.xcodeProjectCheckHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin 
Not for us, not directly managed by nixpkgs
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25359
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 months ago
WordPress Pendulum theme < 3.1.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through < 3.1.5.

Affected products

pendulum
  • =<< 3.1.5

Matching in nixpkgs

Permalink CVE-2026-31990
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination

OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.

Affected products

OpenClaw
  • <2026.3.2

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable
Permalink CVE-2026-27670
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition

OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.

Affected products

OpenClaw
  • <2026.3.2

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable
Permalink CVE-2026-32019
6.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.2.22 - Incomplete IPv4 Special-Use Range Blocking in SSRF Guard

OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch functionality to access blocked addresses such as 198.18.0.0/15 and other non-global ranges.

Affected products

OpenClaw
  • ==2026.2.22
  • <2026.2.22

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable
Permalink CVE-2026-32031
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway

OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests with alternative path encodings to access protected plugin channel APIs without proper gateway authentication.

Affected products

OpenClaw
  • ==2026.2.26
  • <2026.2.26

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable
Permalink CVE-2026-32021
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access.

Affected products

OpenClaw
  • ==2026.2.22
  • <2026.2.22

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable
Permalink CVE-2026-32025
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass

OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.

Affected products

OpenClaw
  • <2026.2.25
  • ==2026.2.25

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable
Permalink CVE-2026-32006
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks.

Affected products

OpenClaw
  • ==2026.2.26
  • <2026.2.26

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable
Permalink CVE-2026-32027
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months ago by @pyrox0 Activity log
  • Created suggestion 2 months, 1 week ago
  • @pyrox0 dismissed 2 months ago
OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls.

Affected products

OpenClaw
  • ==2026.2.26
  • <2026.2.26

Matching in nixpkgs

Package maintainers

version packaged is not vulnerable