Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-5888
created 6 days, 16 hours ago
Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 …

Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5880
created 6 days, 16 hours ago
Insufficient policy enforcement in browser UI in Google Chrome prior …

Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5915
created 6 days, 16 hours ago
Insufficient validation of untrusted input in WebML in Google Chrome …

Insufficient validation of untrusted input in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5861
created 6 days, 16 hours ago
Use after free in V8 in Google Chrome prior to …

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5302
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 days, 16 hours ago
Permissive Cross-domain Policy with Untrusted Domains in coolercontrold

CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites

Affected products

coolercontrold
  • <4.0.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-34720
created 6 days, 17 hours ago
Zammad has an origin validation error in SSO mechanism

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4.

Affected products

zammad
  • ==< 6.5.4
  • ==>= 7.0.0-alpha, < 7.0.1

Matching in nixpkgs

pkgs.zammad

Zammad, a web-based, open source user support/ticketing solution

Package maintainers

Permalink CVE-2026-5911
created 6 days, 17 hours ago
Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 …

Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-34721
created 6 days, 17 hours ago
Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.

Affected products

zammad
  • ==< 6.5.4
  • ==>= 7.0.0-alpha, < 7.0.1

Matching in nixpkgs

pkgs.zammad

Zammad, a web-based, open source user support/ticketing solution

Package maintainers

Permalink CVE-2026-5874
created 6 days, 17 hours ago
Use after free in PrivateAI in Google Chrome prior to …

Use after free in PrivateAI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5885
created 6 days, 17 hours ago
Insufficient validation of untrusted input in WebML in Google Chrome …

Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups