Nixpkgs security tracker

Permalink CVE-2026-10850

6.9 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 2 days, 14 hours ago Activity log

Created suggestion 2 days, 14 hours ago

Plane 1.3.1 - Stored XSS in intake issue description_html

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

References

https://fluidattacks.com/es/advisories/earth third-party-advisoryexploit
https://github.com/makeplane/plane product

Affected products

Plane

==1.3.1

Matching in nixpkgs

pkgs.xplanet

Renders an image of the earth or other planets into the X root window

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1
nixos-26.05 1.3.1
- nixos-26.05-small 1.3.1
- nixpkgs-26.05-darwin 1.3.1

pkgs.freeplane

None

nixos-unstable 1.12.16
- nixos-unstable-small 1.12.16
nixos-26.05 1.12.16
- nixos-26.05-small 1.12.16
- nixpkgs-26.05-darwin 1.12.16

pkgs.headplane

Feature-complete Web UI for Headscale

nixos-unstable 0.6.2
- nixpkgs-unstable 0.6.2
- nixos-unstable-small 0.6.2
nixos-26.05 0.6.2
- nixos-26.05-small 0.6.2
- nixpkgs-26.05-darwin 0.6.2

pkgs.m2-planet

PLAtform NEutral Transpiler

nixos-unstable 1.13.1
- nixpkgs-unstable 1.13.1
- nixos-unstable-small 1.13.1
nixos-26.05 1.13.1
- nixos-26.05-small 1.13.1
- nixpkgs-26.05-darwin 1.13.1

pkgs.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8
nixos-26.05 0.5.8
- nixos-26.05-small 0.5.8
- nixpkgs-26.05-darwin 0.5.8

pkgs.microplane

CLI tool to make git changes across many repos

nixos-unstable 0.0.37
- nixpkgs-unstable 0.0.37
- nixos-unstable-small 0.0.37
nixos-26.05 0.0.37
- nixos-26.05-small 0.0.37
- nixpkgs-26.05-darwin 0.0.37

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

nixos-unstable 1.7.1
- nixpkgs-unstable 1.7.1
- nixos-unstable-small 1.7.1
nixos-26.05 1.7.1
- nixos-26.05-small 1.7.1
- nixpkgs-26.05-darwin 1.7.1

pkgs.m2-mesoplanet

Macro Expander Saving Our m2-PLANET

nixos-unstable 1.11.0
- nixpkgs-unstable 1.11.0
- nixos-unstable-small 1.11.0
nixos-26.05 1.11.0
- nixos-26.05-small 1.11.0
- nixpkgs-26.05-darwin 1.11.0

pkgs.crossplane-cli

Utility to make using Crossplane easier

nixos-unstable 2.3.0
- nixpkgs-unstable 2.3.1
- nixos-unstable-small 2.3.1
nixos-26.05 2.3.0
- nixos-26.05-small 2.3.0
- nixpkgs-26.05-darwin 2.3.0

pkgs.headplane-agent

None

nixos-unstable 0.6.3
- nixos-unstable-small 0.6.3
nixos-26.05 0.6.3
- nixos-26.05-small 0.6.3
- nixpkgs-26.05-darwin 0.6.3

pkgs.biplanes-revival

Old cellphone arcade recreated for PC

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1
nixos-26.05 1.2.1
- nixos-26.05-small 1.2.1
- nixpkgs-26.05-darwin 1.2.1

pkgs.planetary_annihilation

Next-generation RTS that takes the genre to a planetary scale

nixos-unstable 62857
- nixpkgs-unstable 62857
- nixos-unstable-small 62857
nixos-26.05 62857
- nixos-26.05-small 62857
- nixpkgs-26.05-darwin 62857

pkgs.perlPackages.MathPlanePath

Points on a path through the 2-D plane

nixos-unstable 129
- nixpkgs-unstable 129
- nixos-unstable-small 129
nixos-26.05 129
- nixos-26.05-small 129
- nixpkgs-26.05-darwin 129

pkgs.perl5Packages.MathPlanePath

Points on a path through the 2-D plane

nixos-unstable 129
- nixpkgs-unstable 129
- nixos-unstable-small 129
nixos-26.05 129
- nixos-26.05-small 129
- nixpkgs-26.05-darwin 129

pkgs.dprint-plugins.g-plane-malva

None

nixos-unstable 0.15.1
- nixos-unstable-small 0.15.1
nixos-26.05 0.15.1
- nixos-26.05-small 0.15.1
- nixpkgs-26.05-darwin 0.15.1

pkgs.python313Packages.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8
nixos-26.05 0.5.8
- nixos-26.05-small 0.5.8
- nixpkgs-26.05-darwin 0.5.8

pkgs.python314Packages.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8
nixos-26.05 0.5.8
- nixos-26.05-small 0.5.8
- nixpkgs-26.05-darwin 0.5.8

pkgs.dprint-plugins.g-plane-markup_fmt

None

nixos-unstable 0.25.3
- nixos-unstable-small 0.25.3
nixos-26.05 0.25.3
- nixos-26.05-small 0.25.3
- nixpkgs-26.05-darwin 0.25.3

pkgs.dprint-plugins.g-plane-pretty_yaml

YAML formatter

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-26.05 0.6.0
- nixos-26.05-small 0.6.0
- nixpkgs-26.05-darwin 0.6.0

pkgs.python313Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3
nixos-26.05 1.0.3
- nixos-26.05-small 1.0.3
- nixpkgs-26.05-darwin 1.0.3

pkgs.python314Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3
nixos-26.05 1.0.3
- nixos-26.05-small 1.0.3
- nixpkgs-26.05-darwin 1.0.3

pkgs.python313Packages.planetary-computer

Planetary Computer SDK for Python

nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
nixos-26.05 1.0.0.post0
- nixos-26.05-small 1.0.0.post0
- nixpkgs-26.05-darwin 1.0.0.post0

pkgs.python314Packages.planetary-computer

Planetary Computer SDK for Python

nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
nixos-26.05 1.0.0.post0
- nixos-26.05-small 1.0.0.post0
- nixpkgs-26.05-darwin 1.0.0.post0

pkgs.dprint-plugins.g-plane-pretty_graphql

GraphQL formatter

nixos-unstable 0.2.3
- nixpkgs-unstable 0.2.3
- nixos-unstable-small 0.2.3
nixos-26.05 0.2.3
- nixos-26.05-small 0.2.3
- nixpkgs-26.05-darwin 0.2.3

pkgs.azure-cli-extensions.planetarycomputer

Microsoft Azure Command-Line Tools Planetary Computer Extension

nixos-unstable 1.0.0b1
- nixpkgs-unstable 1.0.0b1
- nixos-unstable-small 1.0.0b1
nixos-26.05 1.0.0b1
- nixos-26.05-small 1.0.0b1
- nixpkgs-26.05-darwin 1.0.0b1