Nixpkgs security tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-10637
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
Use-after-free of net_pkt in IPv6 MLD send path triggerable by a link-local MLD Query

subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt-iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() - mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.

References

Affected products

zephyr
  • <4.5.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-53866
7.6 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.

Affected products

OpenClaw
  • ==2026.5.12
  • <2026.5.12

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-53857
8.6 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

Affected products

OpenClaw
  • <2026.5.3
  • ==2026.5.3

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-12317
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
Memory safety bug fixed in Thunderbird 152

Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Affected products

Firefox
  • =<*
Thunderbird
  • =<*

Matching in nixpkgs

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

  • nixos-unstable 1.1.3
    • nixpkgs-unstable 1.1.3
    • nixos-unstable-small 1.1.3
  • nixos-26.05 -
    • nixos-26.05-small 1.1.3
    • nixpkgs-26.05-darwin 1.1.3

pkgs.thunderbird-cli

Low-level CLI to manage Mozilla Thunderbird email from the shell

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-mcp

MCP server for Thunderbird - enables AI assistants to access email, contacts, and calendars

  • nixos-unstable 0.5.0
    • nixpkgs-unstable 0.6.0
    • nixos-unstable-small 0.6.0
  • nixos-26.05 -
    • nixos-26.05-small 0.5.0
    • nixpkgs-26.05-darwin 0.5.0

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

  • nixos-unstable 1.9.0
    • nixpkgs-unstable 1.9.0
    • nixos-unstable-small 1.9.0
  • nixos-26.05 -
    • nixos-26.05-small 1.9.0
    • nixpkgs-26.05-darwin 1.9.0

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.thunderbird-cli-mcp

MCP server that gives full access to your email through Mozilla Thunderbird

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-cli-bridge

HTTP/WebSocket bridge daemon between thunderbird-cli (or any HTTP client) and the Thunderbird-cli WebExtension. Stateless proxy, localhost-only.

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 7
    • nixpkgs-unstable 7
    • nixos-unstable-small 7
  • nixos-26.05 -
    • nixos-26.05-small 7
    • nixpkgs-26.05-darwin 7

pkgs.gnomeExtensions.firefox-pip-always-on-top

Automatically sets Picture-in-Picture windows to always be on top and visible on all workspaces

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-26.05 -
    • nixos-26.05-small 4
    • nixpkgs-26.05-darwin 4

pkgs.gnomeExtensions.pip-alwaysontop-for-firefox

Enable Picture-in-Picture(PIP) mode to always be on for Firefox in Gnome.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 -
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Permalink CVE-2026-12300
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
Memory safety bug fixed in Thunderbird 152

Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Affected products

Firefox
  • =<*
Thunderbird
  • =<*

Matching in nixpkgs

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

  • nixos-unstable 1.1.3
    • nixpkgs-unstable 1.1.3
    • nixos-unstable-small 1.1.3
  • nixos-26.05 -
    • nixos-26.05-small 1.1.3
    • nixpkgs-26.05-darwin 1.1.3

pkgs.thunderbird-cli

Low-level CLI to manage Mozilla Thunderbird email from the shell

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-mcp

MCP server for Thunderbird - enables AI assistants to access email, contacts, and calendars

  • nixos-unstable 0.5.0
    • nixpkgs-unstable 0.6.0
    • nixos-unstable-small 0.6.0
  • nixos-26.05 -
    • nixos-26.05-small 0.5.0
    • nixpkgs-26.05-darwin 0.5.0

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

  • nixos-unstable 1.9.0
    • nixpkgs-unstable 1.9.0
    • nixos-unstable-small 1.9.0
  • nixos-26.05 -
    • nixos-26.05-small 1.9.0
    • nixpkgs-26.05-darwin 1.9.0

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.thunderbird-cli-mcp

MCP server that gives full access to your email through Mozilla Thunderbird

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-cli-bridge

HTTP/WebSocket bridge daemon between thunderbird-cli (or any HTTP client) and the Thunderbird-cli WebExtension. Stateless proxy, localhost-only.

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 7
    • nixpkgs-unstable 7
    • nixos-unstable-small 7
  • nixos-26.05 -
    • nixos-26.05-small 7
    • nixpkgs-26.05-darwin 7

pkgs.gnomeExtensions.firefox-pip-always-on-top

Automatically sets Picture-in-Picture windows to always be on top and visible on all workspaces

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-26.05 -
    • nixos-26.05-small 4
    • nixpkgs-26.05-darwin 4

pkgs.gnomeExtensions.pip-alwaysontop-for-firefox

Enable Picture-in-Picture(PIP) mode to always be on for Firefox in Gnome.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 -
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Permalink CVE-2026-12303
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component

Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Affected products

Firefox
  • =<*
Thunderbird
  • =<*

Matching in nixpkgs

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

  • nixos-unstable 1.1.3
    • nixpkgs-unstable 1.1.3
    • nixos-unstable-small 1.1.3
  • nixos-26.05 -
    • nixos-26.05-small 1.1.3
    • nixpkgs-26.05-darwin 1.1.3

pkgs.thunderbird-cli

Low-level CLI to manage Mozilla Thunderbird email from the shell

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-mcp

MCP server for Thunderbird - enables AI assistants to access email, contacts, and calendars

  • nixos-unstable 0.5.0
    • nixpkgs-unstable 0.6.0
    • nixos-unstable-small 0.6.0
  • nixos-26.05 -
    • nixos-26.05-small 0.5.0
    • nixpkgs-26.05-darwin 0.5.0

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

  • nixos-unstable 1.9.0
    • nixpkgs-unstable 1.9.0
    • nixos-unstable-small 1.9.0
  • nixos-26.05 -
    • nixos-26.05-small 1.9.0
    • nixpkgs-26.05-darwin 1.9.0

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.thunderbird-cli-mcp

MCP server that gives full access to your email through Mozilla Thunderbird

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-cli-bridge

HTTP/WebSocket bridge daemon between thunderbird-cli (or any HTTP client) and the Thunderbird-cli WebExtension. Stateless proxy, localhost-only.

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 7
    • nixpkgs-unstable 7
    • nixos-unstable-small 7
  • nixos-26.05 -
    • nixos-26.05-small 7
    • nixpkgs-26.05-darwin 7

pkgs.gnomeExtensions.firefox-pip-always-on-top

Automatically sets Picture-in-Picture windows to always be on top and visible on all workspaces

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-26.05 -
    • nixos-26.05-small 4
    • nixpkgs-26.05-darwin 4

pkgs.gnomeExtensions.pip-alwaysontop-for-firefox

Enable Picture-in-Picture(PIP) mode to always be on for Firefox in Gnome.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 -
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Permalink CVE-2026-12291
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
Use-after-free in the Networking: HTTP component

Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Affected products

Firefox
  • =<140.*
  • =<115.*
  • =<*
Thunderbird
  • =<140.*
  • =<*

Matching in nixpkgs

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

  • nixos-unstable 1.1.3
    • nixpkgs-unstable 1.1.3
    • nixos-unstable-small 1.1.3
  • nixos-26.05 -
    • nixos-26.05-small 1.1.3
    • nixpkgs-26.05-darwin 1.1.3

pkgs.thunderbird-cli

Low-level CLI to manage Mozilla Thunderbird email from the shell

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-mcp

MCP server for Thunderbird - enables AI assistants to access email, contacts, and calendars

  • nixos-unstable 0.5.0
    • nixpkgs-unstable 0.6.0
    • nixos-unstable-small 0.6.0
  • nixos-26.05 -
    • nixos-26.05-small 0.5.0
    • nixpkgs-26.05-darwin 0.5.0

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

  • nixos-unstable 1.9.0
    • nixpkgs-unstable 1.9.0
    • nixos-unstable-small 1.9.0
  • nixos-26.05 -
    • nixos-26.05-small 1.9.0
    • nixpkgs-26.05-darwin 1.9.0

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.thunderbird-cli-mcp

MCP server that gives full access to your email through Mozilla Thunderbird

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-cli-bridge

HTTP/WebSocket bridge daemon between thunderbird-cli (or any HTTP client) and the Thunderbird-cli WebExtension. Stateless proxy, localhost-only.

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 7
    • nixpkgs-unstable 7
    • nixos-unstable-small 7
  • nixos-26.05 -
    • nixos-26.05-small 7
    • nixpkgs-26.05-darwin 7

pkgs.gnomeExtensions.firefox-pip-always-on-top

Automatically sets Picture-in-Picture windows to always be on top and visible on all workspaces

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-26.05 -
    • nixos-26.05-small 4
    • nixpkgs-26.05-darwin 4

pkgs.gnomeExtensions.pip-alwaysontop-for-firefox

Enable Picture-in-Picture(PIP) mode to always be on for Firefox in Gnome.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 -
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Permalink CVE-2026-53863
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy

OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.

Affected products

OpenClaw
  • ==2026.4.25
  • <2026.4.25

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-12305
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
Memory safety bug fixed in Thunderbird 152

Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Affected products

Firefox
  • =<140.*
  • =<*
Thunderbird
  • =<140.*
  • =<*

Matching in nixpkgs

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

  • nixos-unstable 1.1.3
    • nixpkgs-unstable 1.1.3
    • nixos-unstable-small 1.1.3
  • nixos-26.05 -
    • nixos-26.05-small 1.1.3
    • nixpkgs-26.05-darwin 1.1.3

pkgs.thunderbird-cli

Low-level CLI to manage Mozilla Thunderbird email from the shell

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-mcp

MCP server for Thunderbird - enables AI assistants to access email, contacts, and calendars

  • nixos-unstable 0.5.0
    • nixpkgs-unstable 0.6.0
    • nixos-unstable-small 0.6.0
  • nixos-26.05 -
    • nixos-26.05-small 0.5.0
    • nixpkgs-26.05-darwin 0.5.0

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

  • nixos-unstable 1.9.0
    • nixpkgs-unstable 1.9.0
    • nixos-unstable-small 1.9.0
  • nixos-26.05 -
    • nixos-26.05-small 1.9.0
    • nixpkgs-26.05-darwin 1.9.0

pkgs.pkgsRocm.firefoxpwa

Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)

pkgs.thunderbird-cli-mcp

MCP server that gives full access to your email through Mozilla Thunderbird

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.thunderbird-cli-bridge

HTTP/WebSocket bridge daemon between thunderbird-cli (or any HTTP client) and the Thunderbird-cli WebExtension. Stateless proxy, localhost-only.

  • nixos-unstable 1.0.2
    • nixpkgs-unstable 1.0.2
    • nixos-unstable-small 1.0.2
  • nixos-26.05 -
    • nixos-26.05-small 1.0.2
    • nixpkgs-26.05-darwin 1.0.2

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 7
    • nixpkgs-unstable 7
    • nixos-unstable-small 7
  • nixos-26.05 -
    • nixos-26.05-small 7
    • nixpkgs-26.05-darwin 7

pkgs.gnomeExtensions.firefox-pip-always-on-top

Automatically sets Picture-in-Picture windows to always be on top and visible on all workspaces

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-26.05 -
    • nixos-26.05-small 4
    • nixpkgs-26.05-darwin 4

pkgs.gnomeExtensions.pip-alwaysontop-for-firefox

Enable Picture-in-Picture(PIP) mode to always be on for Firefox in Gnome.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 -
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers

Permalink CVE-2026-53844
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 3 days, 13 hours ago Activity log
  • Created suggestion 3 days, 13 hours ago
OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.

Affected products

OpenClaw
  • <2026.4.29
  • ==2026.4.29

Matching in nixpkgs

Package maintainers