diff --git a/pkgs/by-name/wh/whisper/package.nix b/pkgs/by-name/wh/whisper/package.nix
index 9ce1836b25d3..ae12ed7140d3 100644
--- a/pkgs/by-name/wh/whisper/package.nix
+++ b/pkgs/by-name/wh/whisper/package.nix
@@ -51,6 +51,15 @@ stdenv.mkDerivation rec {
     broken = stdenv.hostPlatform.isDarwin;
     description = "Short read sequence mapper";
     license = licenses.gpl3;
+    # vendored libraries acof, aelf, deflate, bzip2, zlib
+    # https://github.com/refresh-bio/Whisper/issues/18
+    knownVulnerabilities = [
+      # src/libs/libz.a from 2017
+      "CVE-2018-25032"
+      "CVE-2022-37434"
+      # src/libs/libbzip2.lib
+      "CVE-2019-12900"
+    ];
     homepage = "https://github.com/refresh-bio/whisper";
     maintainers = with maintainers; [ jbedo ];
     platforms = platforms.x86_64;