Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2026-48703
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 weeks ago Activity log
  • Created suggestion
Warp: Command Injection via Warp code search tool arguments

Warp is an agentic development environment. From 0.2025.04.09.08.11.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution policy bypass in Agent code search tools. The affected Grep and FileGlob actions are authorized as read/search operations, but their implementations build shell command strings from Agent-controlled inputs (search text, paths, glob patterns) and execute them in the active terminal session. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Affected products

warp
  • ==>= 0.2025.04.09.08.11.stable_00, < 0.2026.05.13.09.15.stable_01

Matching in nixpkgs

pkgs.warp

Fast and secure file transfer

pkgs.warpd

Modal keyboard driven interface for mouse manipulation

pkgs.ts-warp

Transparent proxy server and traffic wrapper

pkgs.warpgate

Smart SSH, HTTPS, MySQL and Postgres bastion that requires no additional client-side software

pkgs.git-warp-time

Utility to reset filesystem timestamps based on Git history

pkgs.gnomeExtensions.warpgnome

Toggle Cloudflare WARP in quick settings.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.mouse-warp

Moves the mouse cursor to the center of the focused window on focus change.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-26.05 2
    • nixos-26.05-small 2
    • nixpkgs-26.05-darwin 2

pkgs.gnomeExtensions.warp-toggle

Toggle Cloudflare WARP connection from Quick Settings menu

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9
  • nixos-26.05 9
    • nixos-26.05-small 9
    • nixpkgs-26.05-darwin 9

pkgs.gnomeExtensions.cloudflare-warp-indicator

System tray indicator and controls for Cloudflare WARP VPN. Shows connection status, info panel, and connect/disconnect toggle via warp-cli.

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-26.05 1
    • nixos-26.05-small 1
    • nixpkgs-26.05-darwin 1

Package maintainers