Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-3934
created 1 week, 4 days ago
Insufficient policy enforcement in ChromeDriver in Google Chrome prior to …

Insufficient policy enforcement in ChromeDriver in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

References

Affected products

Chrome
  • <146.0.7680.71

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-32096
9.3 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 week, 4 days ago
Plunk has SSRF via unvalidated AWS SNS SubscriptionConfirmation in POST /webhooks/sns

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.

References

Affected products

plunk
  • ==< 0.7.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-3925
created 1 week, 4 days ago
Incorrect security UI in LookalikeChecks in Google Chrome on Android …

Incorrect security UI in LookalikeChecks in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

References

Affected products

Chrome
  • <146.0.7680.71

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-3534
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 1 week, 4 days ago
Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

Affected products

Astra
  • =<4.12.3

Matching in nixpkgs

pkgs.varunastra

Tool to enhance the security of Docker environments

pkgs.gnomeExtensions.astra-monitor

Astra Monitor is a cutting-edge, fully customizable, and performance-focused system monitoring extension for GNOME's top bar. It's an all-in-one solution for those seeking to keep a close eye on their system's performance metrics like CPU, GPU, RAM, disk usage, network statistics, and sensor readings.

  • nixos-unstable 55
    • nixpkgs-unstable 55
    • nixos-unstable-small 55
  • nixos-25.11 53
    • nixos-25.11-small 53
    • nixpkgs-25.11-darwin 53

Package maintainers

Permalink CVE-2026-3914
created 1 week, 4 days ago
Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 …

Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome
  • <146.0.7680.71

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-3930
created 1 week, 4 days ago
Unsafe navigation in Navigation in Google Chrome on iOS prior …

Unsafe navigation in Navigation in Google Chrome on iOS prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

References

Affected products

Chrome
  • <146.0.7680.71

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-32112
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 week, 4 days ago
ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration. This vulnerability is fixed in 7.0.0.

References

Affected products

ha-mcp
  • ==< 7.0.0

Matching in nixpkgs

pkgs.ha-mcp

MCP server for controlling Home Assistant via natural language

Package maintainers

Permalink CVE-2026-3938
created 1 week, 4 days ago
Insufficient policy enforcement in Clipboard in Google Chrome prior to …

Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

References

Affected products

Chrome
  • <146.0.7680.71

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-3915
created 1 week, 4 days ago
Heap buffer overflow in WebML in Google Chrome prior to …

Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome
  • <146.0.7680.71

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2025-62878
9.9 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 weeks, 2 days ago by @mweinelt Activity log
  • Created automatic suggestion 3 weeks, 4 days ago
  • @mweinelt removed
    2 packages
    • terraform-providers.rancher2
    • terraform-providers.rancher_rancher2
    2 weeks, 2 days ago
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

References

Affected products

github.com/rancher/local-path-provisioner
  • <0.0.34

Matching in nixpkgs

Ignored packages (2)

Package maintainers