NixOS · fabianhjr · Aug 25, 2025 · Aug 19, 2025 · Aug 19, 2025 · Aug 19, 2025
diff --git a/pkgs/applications/misc/subsurface/default.nix b/pkgs/applications/misc/subsurface/default.nix
@@ -23,7 +23,7 @@
   qtlocation,
   qtsvg,
   qttools,
-  qtwebengine,
+  qtpositioning,
   libXcomposite,
   bluez,
   writeScript,
@@ -142,7 +142,7 @@ stdenv.mkDerivation {
     qtconnectivity
     qtsvg
     qttools
-    qtwebengine
+    qtpositioning
   ];
 
   nativeBuildInputs = [

diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix
@@ -26,6 +26,7 @@
   supercolliderPlugins,
   writeText,
   runCommand,
+  withWebengine ? false, # vulnerable, so disabled by default
 }:
 
 mkDerivation rec {
@@ -64,17 +65,18 @@ mkDerivation rec {
     curl
     libXt
     qtbase
-    qtwebengine
     qtwebsockets
     readline
   ]
+  ++ lib.optional withWebengine qtwebengine
   ++ lib.optional (!stdenv.hostPlatform.isDarwin) alsa-lib;
 
   hardeningDisable = [ "stackprotector" ];
 
   cmakeFlags = [
     "-DSC_WII=OFF"
     "-DSC_EL=${if useSCEL then "ON" else "OFF"}"
+    (lib.cmakeBool "SC_USE_QTWEBENGINE" withWebengine)
   ];
 
   passthru = {

diff --git a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
@@ -464,6 +464,43 @@ qtModule (
 
       # This build takes a long time; particularly on slow architectures
       timeout = 24 * 3600;
+
+      knownVulnerabilities = [
+        ''
+          qt5 qtwebengine is unmaintained upstream since april 2025.
+          It is based on chromium 87.0.4280.144, and supposedly patched up to 135.0.7049.95 which is outdated.
+
+          Security issues are frequently discovered in chromium.
+          The following list of CVEs was fixed in the life cycle of chromium 138 and likely also affects qtwebengine:
+          - CVE-2025-8879
+          - CVE-2025-8880
+          - CVE-2025-8901
+          - CVE-2025-8881
+          - CVE-2025-8882
+          - CVE-2025-8576
+          - CVE-2025-8577
+          - CVE-2025-8578
+          - CVE-2025-8579
+          - CVE-2025-8580
+          - CVE-2025-8581
+          - CVE-2025-8582
+          - CVE-2025-8583
+          - CVE-2025-8292
+          - CVE-2025-8010
+          - CVE-2025-8011
+          - CVE-2025-7656
+          - CVE-2025-6558 (known to be exploited in the wild)
+          - CVE-2025-7657
+          - CVE-2025-6554
+          - CVE-2025-6555
+          - CVE-2025-6556
+          - CVE-2025-6557
+
+          The actual list of CVEs affecting qtwebengine is likely much longer,
+          as this list is missing issues fixed in chromium 136/137 and even more
+          issues are continuously discovered and lack upstream fixes in qtwebengine.
+        ''
+      ];
     };
 
   }

diff --git a/pkgs/development/python-modules/pyside2/default.nix b/pkgs/development/python-modules/pyside2/default.nix
@@ -8,6 +8,7 @@
   ninja,
   qt5,
   shiboken2,
+  withWebengine ? false, # vulnerable, so omit by default
 }:
 stdenv.mkDerivation rec {
   pname = "pyside2";
@@ -67,13 +68,15 @@ stdenv.mkDerivation rec {
       qtlocation
       qtscript
       qtwebsockets
-      qtwebengine
       qtwebchannel
       qtcharts
       qtsensors
       qtsvg
       qt3d
     ])
+    ++ lib.optionals withWebengine [
+      qt5.qtwebengine
+    ]
     ++ (with python.pkgs; [ setuptools ])
     ++ (lib.optionals (python.pythonOlder "3.9") [
       # see similar issue: 202262