NIXPKGS-2026-1446

GitHub issue published on

Permalink CVE-2026-41653

updated 8 hours ago by @LeSuisse Activity log

Created suggestion 1 day, 15 hours ago
@LeSuisse accepted 1 day, 8 hours ago
@LeSuisse published on GitHub 8 hours ago

BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration

BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8.3.

References

https://github.com/alam00000/bentopdf/security/advisories/GHSA-6vh8-4frx-647f x_refsource_CONFIRM
https://github.com/alam00000/bentopdf/releases/tag/v2.8.3 x_refsource_MISC

Affected products

bentopdf

==< 2.8.3

Matching in nixpkgs

pkgs.bentopdf

Privacy-first PDF toolkit

nixos-unstable 1.11.2
- nixpkgs-unstable 1.11.2
- nixos-unstable-small 1.11.2

Package maintainers

@Stunkymonkey Felix Bühler <account@buehler.rocks>
@charludo Charlotte Harludo <github@charlotteharludo.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1446

References

Affected products

Matching in nixpkgs

pkgs.bentopdf

Package maintainers