Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-22476
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
WordPress Etchy theme <= 1.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Etchy etchy allows PHP Local File Inclusion.This issue affects Etchy: from n/a through <= 1.0.

Affected products

etchy
  • =<<= 1.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-28479
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration

OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse.

Affected products

OpenClaw
  • <2026.2.15

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Permalink CVE-2026-28133
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
WordPress Filr plugin <= 1.2.12 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.This issue affects Filr: from n/a through <= 1.2.12.

Affected products

filr-protection
  • =<<= 1.2.12

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-27369
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
WordPress Celeste theme <= 1.3.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6.

Affected products

celeste
  • =<<= 1.3.6

Matching in nixpkgs

pkgs.celeste

GUI file synchronization client that can sync with any cloud provider

Package maintainers

Permalink CVE-2026-28484
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
OpenClaw 2026.2.15 - Option Injection in pre-commit Hook via Malicious Filenames

OpenClaw versions prior to 2026.2.15 contain an option injection vulnerability in the git-hooks/pre-commit hook that allows attackers to stage ignored files by creating maliciously-named files beginning with dashes. The hook fails to use a -- separator when piping filenames through xargs to git add, enabling attackers to inject git flags and add sensitive ignored files like .env to git history.

Affected products

OpenClaw
  • <2026.2.15

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Permalink CVE-2026-29606
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility

OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Permalink CVE-2026-28478
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.

Affected products

OpenClaw
  • <2026.2.13

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Permalink CVE-2026-28476
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication

OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts including internal addresses.

Affected products

OpenClaw
  • <2026.2.14

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

Package maintainers

Permalink CVE-2026-29077
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
Frappe: Broken Access Control in DocShare

Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.

Affected products

frappe
  • ==< 15.98.0
  • ==< 14.100.0

Matching in nixpkgs

Permalink CVE-2026-23799
created 1 month, 2 weeks ago Activity log
  • Created suggestion 1 month, 2 weeks ago
WordPress Tutor LMS plugin <= 3.9.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5.

Affected products

tutor
  • =<<= 3.9.5

Matching in nixpkgs

Package maintainers