Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2026-29611
6.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Unafffected, never had 2026.2.14 or older.
Permalink CVE-2026-28041
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    3 packages
    • restic-integrity
    • integrity-scrub
    • grit
    2 months, 2 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
WordPress Grit theme <= 1.0.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Grit grit allows PHP Local File Inclusion.This issue affects Grit: from n/a through <= 1.0.1.

Affected products

grit
  • =<<= 1.0.1
Ignored packages (3)

pkgs.grit

Multitree-based personal task manager

pkgs.restic-integrity

CLI tool to check the integrity of a restic repository without unlocking it

Not in nixpkgs
Permalink CVE-2026-27023
5.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    8 packages
    • gnome-2048
    • wordpressPackages.themes.twentytwenty
    • wordpressPackages.themes.twentynineteen
    • wordpressPackages.themes.twentytwentyone
    • wordpressPackages.themes.twentytwentytwo
    • wordpressPackages.themes.twentytwentyfive
    • wordpressPackages.themes.twentytwentyfour
    • wordpressPackages.themes.twentytwentythree
    2 months, 2 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.

Affected products

twenty
  • ==< 1.18
Ignored packages (8) 
Not in nixpkgs
Permalink CVE-2026-28472
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.

Affected products

OpenClaw
  • <2026.2.2

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Unafffected, never had 2026.2.2 or older.
Permalink CVE-2026-28020
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    16 packages
    • chroma
    • chromaprint
    • polychromatic
    • gnomeExtensions.achroma
    • python312Packages.chromadb
    • python313Packages.chromadb
    • python312Packages.chroma-hnswlib
    • python313Packages.chroma-hnswlib
    • python314Packages.chroma-hnswlib
    • pkgsRocm.python3Packages.chromadb
    • python312Packages.langchain-chroma
    • python313Packages.langchain-chroma
    • pkgsRocm.python3Packages.langchain-chroma
    • python312Packages.llama-index-vector-stores-chroma
    • python313Packages.llama-index-vector-stores-chroma
    • pkgsRocm.python3Packages.llama-index-vector-stores-chroma
    2 months, 2 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
WordPress Chroma theme <= 1.11 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Chroma chroma allows PHP Local File Inclusion.This issue affects Chroma: from n/a through <= 1.11.

Affected products

chroma
  • =<<= 1.11
Ignored packages (16)

pkgs.polychromatic

Graphical front-end and tray applet for configuring Razer peripherals on GNU/Linux

pkgs.gnomeExtensions.achroma

Toggle your display to monochrome/grayscale mode with a single click. Useful for reducing eye strain, improving focus, or accessibility.

  • nixos-unstable -
    • nixpkgs-unstable 5
    • nixos-unstable-small 5 
Not in nixpkgs
Permalink CVE-2026-23799
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    12 packages
    • typstPackages.tutor_0_7_0
    • typstPackages.tutor_0_8_0
    • haskellPackages.egison-tutorial
    • perlPackages.TaskCatalystTutorial
    • haskellPackages.timeless-tutorials
    • perl5Packages.TaskCatalystTutorial
    • perl538Packages.TaskCatalystTutorial
    • perl540Packages.TaskCatalystTutorial
    • typstPackages.tutor
    • typstPackages.tutor_0_3_0
    • typstPackages.tutor_0_4_0
    • typstPackages.tutor_0_6_1
    2 months, 2 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
WordPress Tutor LMS plugin <= 3.9.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5.

Affected products

tutor
  • =<<= 3.9.5
Ignored packages (12) 
Not in nixpkgs
Permalink CVE-2026-28394
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
OpenClaw < 2026.2.15 - Denial of Service via Unbounded Response Parsing in web_fetch Tool

OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious URLs with pathological HTML structures to exhaust server memory and cause service unavailability.

Affected products

OpenClaw
  • <2026.2.15

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Unafffected, never had 2026.2.15 or older.
Permalink CVE-2026-28123
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    2 packages
    • gnomeExtensions.veil
    • veilid
    2 months, 2 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
WordPress Veil theme <= 1.9 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Veil veil allows PHP Local File Inclusion.This issue affects Veil: from n/a through <= 1.9.

Affected products

veil
  • =<<= 1.9
Ignored packages (2)

pkgs.veilid

Open-source, peer-to-peer, mobile-first, networked application framework

pkgs.gnomeExtensions.veil

Veil - Modern successor to Hide Items. A cleaner, quieter GNOME panel.

  • nixos-unstable 8
    • nixpkgs-unstable 8
    • nixos-unstable-small 8
  • nixos-25.11 7
    • nixos-25.11-small 7
    • nixpkgs-25.11-darwin 7 
Not in nixpkgs
Permalink CVE-2026-28393
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Unaffected, never had 2026.2.14 or older.
Permalink CVE-2026-28133
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @mweinelt ignored
    6 packages
    • typstPackages.efilrst
    • typstPackages.efilrst_0_1_0
    • typstPackages.efilrst_0_2_0
    • typstPackages.efilrst_0_3_0
    • typstPackages.efilrst_0_3_1
    • typstPackages.efilrst_0_3_2
    2 months, 2 weeks ago
  • @mweinelt dismissed 2 months, 2 weeks ago
WordPress Filr plugin <= 1.2.12 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.This issue affects Filr: from n/a through <= 1.2.12.

Affected products

filr-protection
  • =<<= 1.2.12
Ignored packages (6) 
Not in nixpkgs