NIXPKGS-2026-0981

GitHub issue published on

Permalink CVE-2026-35461

5.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 1 day, 23 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 8 hours ago
@LeSuisse accepted 1 day, 23 hours ago
@LeSuisse published on GitHub 1 day, 23 hours ago

Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.

References

https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq x_refsource_CONFIRM

Affected products

papra

==< 26.4.0

Matching in nixpkgs

pkgs.papra

Open-source document management platform designed to help you organize, secure, and archive your files effortlessly.

nixos-unstable -
- nixpkgs-unstable 26.2.2
- nixos-unstable-small 26.2.2

Package maintainers

@wariuccio Wariuccio

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0981

References

Affected products

Matching in nixpkgs

pkgs.papra

Package maintainers