Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-2759
created 3 weeks, 4 days ago
Incorrect boundary conditions in the Graphics: ImageLib component

Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

References

Affected products

Firefox
  • <148
Firefox ESR
  • <140.8
  • <115.33
Thunderbird
  • <140.8
  • <148

Matching in nixpkgs

Package maintainers

Permalink CVE-2022-1501
created 3 weeks, 4 days ago
Inappropriate implementation in iframe in Google Chrome prior to 101.0.4951.41 …

Inappropriate implementation in iframe in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

References

Affected products

Chrome
  • <101.0.4951.41

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-3054
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 3 weeks, 4 days ago
Alinto SOGo cross site scripting

A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected products

SOGo
  • ==5.12.3
  • ==5.12.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2022-1490
created 3 weeks, 4 days ago
Use after free in Browser Switcher in Google Chrome prior …

Use after free in Browser Switcher in Google Chrome prior to 101.0.4951.41 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

References

Affected products

Chrome
  • <101.0.4951.41

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-25501
created 3 weeks, 4 days ago
free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.DLDR is set but DownlinkDataReport IE is missing

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).

References

Affected products

smf
  • ==<= 1.4.1

Matching in nixpkgs

pkgs.libsmf

C library for reading and writing Standard MIDI Files

Package maintainers

Permalink CVE-2022-1355
created 3 weeks, 4 days ago
A stack buffer overflow flaw was found in Libtiffs' tiffcp.c …

A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.

References

Affected products

libtiff
  • ==Not-Known

Matching in nixpkgs

Package maintainers

Permalink CVE-2022-1311
created 3 weeks, 4 days ago
Use after free in shell in Google Chrome on ChromeOS …

Use after free in shell in Google Chrome on ChromeOS prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

References

Affected products

Chrome
  • <100.0.4896.88

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2022-1487
created 3 weeks, 4 days ago
Use after free in Ozone in Google Chrome prior to …

Use after free in Ozone in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via running a Wayland test.

References

Affected products

Chrome
  • <101.0.4951.41

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin
Permalink CVE-2026-2796
updated 3 weeks, 4 days ago by @mweinelt Activity log
  • Created automatic suggestion 3 weeks, 5 days ago
  • @mweinelt removed
    18 packages
    • firefox_decrypt
    • faust2firefox
    • firefoxpwa
    • firefox-gnome-theme
    • firefox-sync-client
    • pkgsRocm.firefoxpwa
    • thunderbird-128-unwrapped
    • firefox-devedition-unwrapped
    • pkgsRocm.firefox-devedition
    • pkgsRocm.firefox-beta
    • firefox-beta-unwrapped
    • pkgsRocm.firefox-beta-unwrapped
    • thunderbirdPackages.thunderbird-128
    • gnomeExtensions.firefox-profiles
    • pkgsRocm.firefox-devedition-unwrapped
    • gnomeExtensions.firefox-pip-always-on-top
    • gnomeExtensions.pip-alwaysontop-for-firefox
    • vscode-extensions.firefox-devtools.vscode-firefox-debug
    3 weeks, 4 days ago
JIT miscompilation in the JavaScript: WebAssembly component

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

References

Affected products

Firefox
  • <148
Thunderbird
  • <148

Matching in nixpkgs

Ignored packages (18)

Package maintainers

Permalink CVE-2026-3061
updated 3 weeks, 6 days ago by @mweinelt Activity log
  • Created automatic suggestion 1 month ago
  • @mweinelt removed
    31 packages
    • chrome-export
    • mkchromecast
    • go-chromecast
    • chromedriver
    • netflix
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • electron-chromedriver
    • xf86-video-openchrome
    • curl-impersonate-chrome
    • undetected-chromedriver
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    3 weeks, 6 days ago
Out of bounds read in Media in Google Chrome prior …

Out of bounds read in Media in Google Chrome prior to 145.0.7632.116 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome
  • <145.0.7632.116

Matching in nixpkgs

Ignored packages (31)

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers