Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-30242

8.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

updated 2 weeks, 2 days ago by @mweinelt Activity log

Created automatic suggestion 2 weeks, 2 days ago
@mweinelt removed
35 packages
- xplanet
- freeplane
- m2-planet
- crossplane
- microplane
- paper-plane
- invoiceplane
- m2-mesoplanet
- crossplane-cli
- biplanes-revival
- planetary_annihilation
- perlPackages.MathPlanePath
- perl5Packages.MathPlanePath
- dprint-plugins.g-plane-malva
- python312Packages.crossplane
- python313Packages.crossplane
- python314Packages.crossplane
- perl538Packages.MathPlanePath
- perl540Packages.MathPlanePath
- dprint-plugins.g-plane-markup_fmt
- dprint-plugins.g-plane-pretty_yaml
- gnomeExtensions.sane-airplane-mode
- python313Packages.envoy-data-plane
- python314Packages.envoy-data-plane
- python312Packages.planetary-computer
- python313Packages.planetary-computer
- python314Packages.planetary-computer
- dprint-plugins.g-plane-pretty_graphql
- haskellPackages.amazonka-iot-dataplane
- python313Packages.greenplanet-energy-api
- python314Packages.greenplanet-energy-api
- haskellPackages.amazonka-iot-jobs-dataplane
- vscode-extensions.gplane.wasm-language-tools
- haskellPackages.amazonka-mediastore-dataplane
- tests.home-assistant-component-tests.green_planet_energy
2 weeks, 2 days ago
@mweinelt dismissed 2 weeks, 2 days ago

Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.

References

https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73 x_refsource_CONFIRM
https://github.com/makeplane/plane/releases/tag/v1.2.3 x_refsource_MISC

Affected products

plane

==< 1.2.3

Ignored packages (35)

pkgs.xplanet

Renders an image of the earth or other planets into the X root window

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1
nixos-25.11 1.3.1
- nixos-25.11-small 1.3.1
- nixpkgs-25.11-darwin 1.3.1

pkgs.freeplane

Mind-mapping software

nixos-unstable 1.12.16
- nixpkgs-unstable 1.12.16
- nixos-unstable-small 1.12.16
nixos-25.11 1.12.12
- nixos-25.11-small 1.12.12
- nixpkgs-25.11-darwin 1.12.12

pkgs.m2-planet

PLAtform NEutral Transpiler

nixos-unstable 1.13.1
- nixpkgs-unstable 1.13.1
- nixos-unstable-small 1.13.1
nixos-25.11 1.13.1
- nixos-25.11-small 1.13.1
- nixpkgs-25.11-darwin 1.13.1

pkgs.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8
nixos-25.11 0.5.8
- nixos-25.11-small 0.5.8
- nixpkgs-25.11-darwin 0.5.8

pkgs.microplane

CLI tool to make git changes across many repos

nixos-unstable 0.0.37
- nixpkgs-unstable 0.0.37
- nixos-unstable-small 0.0.37
nixos-25.11 0.0.37
- nixos-25.11-small 0.0.37
- nixpkgs-25.11-darwin 0.0.37

pkgs.paper-plane

Chat over Telegram on a modern and elegant client

nixos-25.11 0.1.0-beta.5
- nixos-25.11-small 0.1.0-beta.5
- nixpkgs-25.11-darwin 0.1.0-beta.5

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

nixos-unstable 1.7.1
- nixpkgs-unstable 1.7.1
- nixos-unstable-small 1.7.1

pkgs.m2-mesoplanet

Macro Expander Saving Our m2-PLANET

nixos-unstable 1.11.0
- nixpkgs-unstable 1.11.0
- nixos-unstable-small 1.11.0
nixos-25.11 1.11.0
- nixos-25.11-small 1.11.0
- nixpkgs-25.11-darwin 1.11.0

pkgs.crossplane-cli

Utility to make using Crossplane easier

nixos-unstable 2.2.0
- nixpkgs-unstable 2.2.0
- nixos-unstable-small 2.2.0
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

pkgs.biplanes-revival

Old cellphone arcade recreated for PC

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1
nixos-25.11 1.2.1
- nixos-25.11-small 1.2.1
- nixpkgs-25.11-darwin 1.2.1

pkgs.planetary_annihilation

Next-generation RTS that takes the genre to a planetary scale

nixos-unstable 62857
- nixpkgs-unstable 62857
- nixos-unstable-small 62857
nixos-25.11 62857
- nixos-25.11-small 62857
- nixpkgs-25.11-darwin 62857

pkgs.perlPackages.MathPlanePath

Points on a path through the 2-D plane

nixos-unstable 129
- nixpkgs-unstable 129
- nixos-unstable-small 129
nixos-25.11 129
- nixos-25.11-small 129
- nixpkgs-25.11-darwin 129

pkgs.perl5Packages.MathPlanePath

Points on a path through the 2-D plane

nixos-unstable 129
- nixpkgs-unstable 129
- nixos-unstable-small 129

pkgs.dprint-plugins.g-plane-malva

CSS, SCSS, Sass and Less formatter

nixos-unstable 0.15.1
- nixpkgs-unstable 0.15.1
- nixos-unstable-small 0.15.1
nixos-25.11 0.15.1
- nixos-25.11-small 0.15.1
- nixpkgs-25.11-darwin 0.15.1

pkgs.python312Packages.crossplane

NGINX configuration file parser and builder

nixos-25.11 0.5.8
- nixos-25.11-small 0.5.8
- nixpkgs-25.11-darwin 0.5.8

pkgs.python313Packages.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8
nixos-25.11 0.5.8
- nixos-25.11-small 0.5.8
- nixpkgs-25.11-darwin 0.5.8

pkgs.python314Packages.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8

pkgs.perl538Packages.MathPlanePath

Points on a path through the 2-D plane

nixos-25.11 129
- nixos-25.11-small 129
- nixpkgs-25.11-darwin 129

pkgs.perl540Packages.MathPlanePath

Points on a path through the 2-D plane

nixos-25.11 129
- nixos-25.11-small 129
- nixpkgs-25.11-darwin 129

pkgs.dprint-plugins.g-plane-markup_fmt

HTML, Vue, Svelte, Astro, Angular, Jinja, Twig, Nunjucks, and Vento formatter

nixos-unstable 0.25.3
- nixpkgs-unstable 0.25.3
- nixos-unstable-small 0.25.3
nixos-25.11 0.25.3
- nixos-25.11-small 0.25.3
- nixpkgs-25.11-darwin 0.25.3

pkgs.dprint-plugins.g-plane-pretty_yaml

YAML formatter

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.gnomeExtensions.sane-airplane-mode

Make airplane mode sane again! This extension gives you better control over the airplane mode and lets you turn off the annoying "Bluetooth gets turned on when I disable airplane mode" behaviour.

pkgs.python313Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python314Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python312Packages.planetary-computer

Planetary Computer SDK for Python

nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0

pkgs.python313Packages.planetary-computer

Planetary Computer SDK for Python

nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0