Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2026-5866
created 6 days, 18 hours ago
Use after free in Media in Google Chrome prior to …

Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5867
created 6 days, 18 hours ago
Heap buffer overflow in WebML in Google Chrome prior to …

Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5208
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 days, 18 hours ago
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold

Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authenticated attackers to execute arbitrary code as root via injected bash commands in alert names

Affected products

coolercontrold
  • <4.0.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-39862
created 6 days, 18 hours ago
Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.

Affected products

tophat
  • ==< 2.5.1

Matching in nixpkgs

pkgs.gnomeExtensions.tophat

TopHat aims to be an elegant system resource monitor for the GNOME shell. It displays CPU, memory, disk, and network activity in the GNOME top bar.

  • nixos-unstable 23
    • nixpkgs-unstable 23
    • nixos-unstable-small 23
  • nixos-25.11 23
    • nixos-25.11-small 23
    • nixpkgs-25.11-darwin 23

Package maintainers

Permalink CVE-2026-34722
created 6 days, 18 hours ago
Zammad is missing authorization in ticket create endpoint

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4.

Affected products

zammad
  • ==< 6.5.4
  • ==>= 7.0.0-alpha, < 7.0.1

Matching in nixpkgs

pkgs.zammad

Zammad, a web-based, open source user support/ticketing solution

Package maintainers

Permalink CVE-2026-5909
created 6 days, 18 hours ago
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 …

Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-33350
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 days, 18 hours ago
LORIS has a SQL injection in MRI feedback popup

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.

Affected products

Loris
  • ==>= 28.0.0, < 28.0.1
  • ==< 27.0.3

Matching in nixpkgs

pkgs.florist

Posix Ada Bindings

  • nixos-unstable 24.2
    • nixpkgs-unstable 24.2
    • nixos-unstable-small 24.2
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

Permalink CVE-2026-39409
created 6 days, 18 hours ago
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.

Affected products

hono
  • ==< 4.12.12

Matching in nixpkgs

pkgs.typstPackages.phonokit_0_0_1

Phonology toolkit: IPA transcription (tipa-style), prosodic structures, vowel/consonant charts with language inventories

Package maintainers

Permalink CVE-2026-5862
created 6 days, 18 hours ago
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 …

Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups

Permalink CVE-2026-5896
created 6 days, 18 hours ago
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 …

Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)

Affected products

Chrome
  • <147.0.7727.55

Matching in nixpkgs

pkgs.netflix

Open Netflix in Google Chrome app mode

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.chrome-export

Scripts to save Google Chrome's bookmarks and history as HTML bookmarks files

pkgs.go-chromecast

CLI for Google Chromecast, Home devices and Cast Groups