Nixpkgs security tracker

Untriaged

Permalink CVE-2026-39862

created 6 days, 20 hours ago

Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.

References

https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2 x_refsource_CONFIRM
https://github.com/Shopify/tophat/pull/139 x_refsource_MISC

Affected products

tophat

==< 2.5.1

Matching in nixpkgs

pkgs.gnomeExtensions.tophat

TopHat aims to be an elegant system resource monitor for the GNOME shell. It displays CPU, memory, disk, and network activity in the GNOME top bar.

nixos-unstable 23
- nixpkgs-unstable 23
- nixos-unstable-small 23
nixos-25.11 23
- nixos-25.11-small 23
- nixpkgs-25.11-darwin 23

pkgs.haskellPackages.tophat

Template-to-Haskell preprocessor, and templating language

nixos-unstable 1.0.8.0
- nixpkgs-unstable 1.0.8.0
- nixos-unstable-small 1.0.8.0
nixos-25.11 1.0.8.0
- nixos-25.11-small 1.0.8.0
- nixpkgs-25.11-darwin 1.0.8.0

Package maintainers