Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-2318
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    27 packages
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    1 month, 1 week ago
Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 …

Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

References

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2322
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    27 packages
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    1 month, 1 week ago
Inappropriate implementation in File input in Google Chrome prior to …

Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

References

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2316
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    27 packages
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    1 month, 1 week ago
Insufficient policy enforcement in Frames in Google Chrome prior to …

Insufficient policy enforcement in Frames in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

References

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2314
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    27 packages
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    1 month, 1 week ago
Heap buffer overflow in Codecs in Google Chrome prior to …

Heap buffer overflow in Codecs in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2320
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    27 packages
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    1 month, 1 week ago
Inappropriate implementation in File input in Google Chrome prior to …

Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

References

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

Package maintainers

Permalink CVE-2020-37182
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    37 packages
    • usbredir
    • reredirect
    • libredirect
    • perlPackages.FileShareDir
    • nixos-render-docs-redirects
    • perl538Packages.FileShareDir
    • perl540Packages.FileShareDir
    • perlPackages.FileShareDirDist
    • perlPackages.TestFileShareDir
    • perl538Packages.FileShareDirDist
    • perl538Packages.TestFileShareDir
    • perl540Packages.FileShareDirDist
    • perl540Packages.TestFileShareDir
    • perlPackages.FileShareDirInstall
    • rubyPackages.jekyll-redirect-from
    • gnomeExtensions.disable-unredirect
    • python312Packages.mkdocs-redirects
    • python313Packages.mkdocs-redirects
    • python314Packages.mkdocs-redirects
    • perl538Packages.FileShareDirInstall
    • perl540Packages.FileShareDirInstall
    • python312Packages.sphinx-reredirects
    • python313Packages.sphinx-reredirects
    • python314Packages.sphinx-reredirects
    • haskellPackages.system-posix-redirect
    • python312Packages.sphinxext-rediraffe
    • python313Packages.sphinxext-rediraffe
    • python314Packages.sphinxext-rediraffe
    • rubyPackages_3_1.jekyll-redirect-from
    • rubyPackages_3_2.jekyll-redirect-from
    • rubyPackages_3_3.jekyll-redirect-from
    • rubyPackages_3_4.jekyll-redirect-from
    • rubyPackages_4_0.jekyll-redirect-from
    • perlPackages.PlackMiddlewareFixMissingBodyInRedirect
    • gnomeExtensions.disable-unredirect-fullscreen-windows
    • perl538Packages.PlackMiddlewareFixMissingBodyInRedirect
    • perl540Packages.PlackMiddlewareFixMissingBodyInRedirect
    1 month, 1 week ago
Redir 3.3 - Denial of Service

Redir 3.3 contains a stack overflow vulnerability in the doproxyconnect() function that allows attackers to crash the application by sending oversized input. Attackers can exploit the sprintf() buffer without proper length checking to overwrite memory and cause a segmentation fault, resulting in program termination.

References

Affected products

Redir
  • ==3.3

Matching in nixpkgs

Permalink CVE-2026-2319
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    27 packages
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    1 month, 1 week ago
Race in DevTools in Google Chrome prior to 145.0.7632.45 allowed …

Race in DevTools in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures and install a malicious extension to potentially exploit object corruption via a malicious file. (Chromium security severity: Medium)

References

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2315
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 1 week ago
  • @LeSuisse removed
    27 packages
    • netflix
    • mkchromecast
    • chrome-export
    • go-chromecast
    • xf86videoopenchrome
    • chrome-token-signing
    • chrome-pak-customizer
    • curl-impersonate-chrome
    • electron-chromedriver_33
    • electron-chromedriver_34
    • electron-chromedriver_35
    • electron-chromedriver_36
    • electron-chromedriver_37
    • electron-chromedriver_38
    • electron-chromedriver_39
    • electron-chromedriver_40
    • xorg.xf86videoopenchrome
    • ocamlPackages.chrome-trace
    • noto-fonts-monochrome-emoji
    • python312Packages.pychromecast
    • python313Packages.pychromecast
    • python314Packages.pychromecast
    • ocamlPackages_latest.chrome-trace
    • python312Packages.undetected-chromedriver
    • python313Packages.undetected-chromedriver
    • python314Packages.undetected-chromedriver
    • grafanaPlugins.ventura-psychrometric-panel
    1 month, 1 week ago
Inappropriate implementation in WebGPU in Google Chrome prior to 145.0.7632.45 …

Inappropriate implementation in WebGPU in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

References

Affected products

Chrome
  • <145.0.7632.45

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-25646
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse removed
    5 packages
    • libpng12
    • perlPackages.ImagePNGLibpng
    • perl538Packages.ImagePNGLibpng
    • perl540Packages.ImagePNGLibpng
    • tests.pkg-config.defaultPkgConfigPackages.libpng
    1 month, 1 week ago
LIBPNG has a heap buffer overflow in png_set_quantize

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

References

Affected products

libpng
  • ==< 1.6.55

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-15572
3.3 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse removed
    2 packages
    • tests.buildRustCrate.tests.crateLibOutputsWasm32
    • tests.buildRustCrate.tests.crateWasm32BinHyphens
    1 month, 2 weeks ago
wasm3 NewCodePage memory leak

A vulnerability has been found in wasm3 up to 0.5.0. The affected element is the function NewCodePage. The manipulation leads to memory leak. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. Unfortunately, the project has no active maintainer at the moment.

References

Affected products

wasm3
  • ==0.2
  • ==0.1
  • ==0.5.0
  • ==0.3
  • ==0.4

Matching in nixpkgs

Package maintainers