Vulnerability in NixOS Nixpkgs
CVE-2026-25740
Captive browser is a dedicated Chrome instance for logging into captive portals without messing with DNS settings. In Nixpkgs 25.05 and earlier, when programs.captive-browser is enabled, any user of the system can run arbitrary commands with the CAP_NET_…
EPSS: 0.000 (0.5th percentile)
Affected products
- NixOS Nixpkgs — versions <= 25.05
Weakness classification (CWE)
References
- https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc (x_refsource_CONFIRM)
- https://github.com/NixOS/nixpkgs/pull/487775 (x_refsource_MISC)
- https://github.com/NixOS/nixpkgs/pull/487779 (x_refsource_MISC)