Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: papra

Found 3 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-35462
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 8 hours ago
  • @LeSuisse accepted 2 days ago
  • @LeSuisse published on GitHub 1 day, 23 hours ago
Papra Does Not Reject Expired API Keys

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0.

Affected products

papra
  • ==< 26.4.0

Matching in nixpkgs

pkgs.papra

Open-source document management platform designed to help you organize, secure, and archive your files effortlessly.

  • nixos-unstable -

Package maintainers

Permalink CVE-2026-35461
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 8 hours ago
  • @LeSuisse accepted 1 day, 23 hours ago
  • @LeSuisse published on GitHub 1 day, 23 hours ago
Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.

Affected products

papra
  • ==< 26.4.0

Matching in nixpkgs

pkgs.papra

Open-source document management platform designed to help you organize, secure, and archive your files effortlessly.

  • nixos-unstable -

Package maintainers

Permalink CVE-2026-35460
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 8 hours ago
  • @LeSuisse accepted 1 day, 23 hours ago
  • @LeSuisse published on GitHub 1 day, 23 hours ago
Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.

Affected products

papra
  • ==< 26.4.0

Matching in nixpkgs

pkgs.papra

Open-source document management platform designed to help you organize, secure, and archive your files effortlessly.

  • nixos-unstable -

Package maintainers