Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-35451

5.7 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 1 month ago by @LeSuisse Activity log

Created suggestion 1 month ago
@LeSuisse dismissed (not in Nixpkgs) 1 month ago

Twenty: Stored XSS via BlockNote FileBlock

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.

References

https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q x_refsource_CONFIRMexploit
https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523 x_refsource_MISC

Affected products

twenty

==< 1.20.6

Matching in nixpkgs

pkgs.gnome-2048

Obtain the 2048 tile

nixos-unstable 3.38.2
- nixpkgs-unstable 3.38.2
- nixos-unstable-small 3.38.2
nixos-25.11 3.38.2
- nixos-25.11-small 3.38.2
- nixpkgs-25.11-darwin 3.38.2

pkgs.wordpressPackages.themes.twentytwenty

None

nixos-unstable 3.0
- nixpkgs-unstable 3.0
- nixos-unstable-small 3.0
nixos-25.11 2.9
- nixos-25.11-small 2.9
- nixpkgs-25.11-darwin 2.9

pkgs.wordpressPackages.themes.twentynineteen

None

nixos-unstable 3.2
- nixpkgs-unstable 3.2
- nixos-unstable-small 3.2
nixos-25.11 3.1
- nixos-25.11-small 3.1
- nixpkgs-25.11-darwin 3.1

pkgs.wordpressPackages.themes.twentytwentyone

None

nixos-unstable 2.7
- nixpkgs-unstable 2.7
- nixos-unstable-small 2.7
nixos-25.11 2.5
- nixos-25.11-small 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.wordpressPackages.themes.twentytwentytwo

None

nixos-unstable 2.1
- nixpkgs-unstable 2.1
- nixos-unstable-small 2.1
nixos-25.11 2.0
- nixos-25.11-small 2.0
- nixpkgs-25.11-darwin 2.0

pkgs.wordpressPackages.themes.twentytwentyfive

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.2
- nixos-25.11-small 1.2
- nixpkgs-25.11-darwin 1.2

pkgs.wordpressPackages.themes.twentytwentyfour

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.3
- nixos-25.11-small 1.3
- nixpkgs-25.11-darwin 1.3

pkgs.wordpressPackages.themes.twentytwentythree

None

nixos-unstable 1.6
- nixpkgs-unstable 1.6
- nixos-unstable-small 1.6
nixos-25.11 1.6
- nixos-25.11-small 1.6
- nixpkgs-25.11-darwin 1.6

Package maintainers

@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>