Nixpkgs security tracker

Permalink CVE-2026-40102

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 4 days, 5 hours ago Activity log

Created suggestion 4 days, 5 hours ago

Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics

Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1.

References

https://github.com/makeplane/plane/security/advisories/GHSA-93x3-ghh7-72j3 x_refsource_CONFIRM
https://github.com/makeplane/plane/releases/tag/v1.3.1 x_refsource_MISC

Affected products

plane

==< 1.3.1

Matching in nixpkgs

pkgs.xplanet

Renders an image of the earth or other planets into the X root window

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1
nixos-25.11 1.3.1
- nixos-25.11-small 1.3.1
- nixpkgs-25.11-darwin 1.3.1

pkgs.freeplane

Mind-mapping software

nixos-unstable 1.12.16
- nixpkgs-unstable 1.12.16
- nixos-unstable-small 1.12.16
nixos-25.11 1.12.12
- nixos-25.11-small 1.12.12
- nixpkgs-25.11-darwin 1.12.12

pkgs.headplane

Feature-complete Web UI for Headscale

nixos-unstable 0.6.2
- nixpkgs-unstable 0.6.2
- nixos-unstable-small 0.6.2

pkgs.m2-planet

PLAtform NEutral Transpiler

nixos-unstable 1.13.1
- nixpkgs-unstable 1.13.1
- nixos-unstable-small 1.13.1
nixos-25.11 1.13.1
- nixos-25.11-small 1.13.1
- nixpkgs-25.11-darwin 1.13.1

pkgs.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8
nixos-25.11 0.5.8
- nixos-25.11-small 0.5.8
- nixpkgs-25.11-darwin 0.5.8

pkgs.microplane

CLI tool to make git changes across many repos

nixos-unstable 0.0.37
- nixpkgs-unstable 0.0.37
- nixos-unstable-small 0.0.37
nixos-25.11 0.0.37
- nixos-25.11-small 0.0.37
- nixpkgs-25.11-darwin 0.0.37

pkgs.paper-plane

Chat over Telegram on a modern and elegant client

nixos-25.11 0.1.0-beta.5
- nixos-25.11-small 0.1.0-beta.5
- nixpkgs-25.11-darwin 0.1.0-beta.5

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

nixos-unstable 1.7.1
- nixpkgs-unstable 1.7.1
- nixos-unstable-small 1.7.1

pkgs.m2-mesoplanet

Macro Expander Saving Our m2-PLANET

nixos-unstable 1.11.0
- nixpkgs-unstable 1.11.0
- nixos-unstable-small 1.11.0
nixos-25.11 1.11.0
- nixos-25.11-small 1.11.0
- nixpkgs-25.11-darwin 1.11.0

pkgs.crossplane-cli

Utility to make using Crossplane easier

nixos-unstable 2.2.1
- nixpkgs-unstable 2.2.1
- nixos-unstable-small 2.2.1
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

pkgs.headplane-agent

Optional sidecar process providing additional features for headplane

nixos-unstable 0.6.2
- nixpkgs-unstable 0.6.2
- nixos-unstable-small 0.6.3

pkgs.biplanes-revival

Old cellphone arcade recreated for PC

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1
nixos-25.11 1.2.1
- nixos-25.11-small 1.2.1
- nixpkgs-25.11-darwin 1.2.1

pkgs.planetary_annihilation

Next-generation RTS that takes the genre to a planetary scale

nixos-unstable 62857
- nixpkgs-unstable 62857
- nixos-unstable-small 62857
nixos-25.11 62857
- nixos-25.11-small 62857
- nixpkgs-25.11-darwin 62857

pkgs.perlPackages.MathPlanePath

Points on a path through the 2-D plane

nixos-unstable 129
- nixpkgs-unstable 129
- nixos-unstable-small 129
nixos-25.11 129
- nixos-25.11-small 129
- nixpkgs-25.11-darwin 129

pkgs.perl5Packages.MathPlanePath

Points on a path through the 2-D plane

nixos-unstable 129
- nixpkgs-unstable 129
- nixos-unstable-small 129

pkgs.dprint-plugins.g-plane-malva

CSS, SCSS, Sass and Less formatter

nixos-unstable 0.15.1
- nixpkgs-unstable 0.15.1
- nixos-unstable-small 0.15.1
nixos-25.11 0.15.1
- nixos-25.11-small 0.15.1
- nixpkgs-25.11-darwin 0.15.1

pkgs.python312Packages.crossplane

NGINX configuration file parser and builder

nixos-25.11 0.5.8
- nixos-25.11-small 0.5.8
- nixpkgs-25.11-darwin 0.5.8

pkgs.python313Packages.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8
nixos-25.11 0.5.8
- nixos-25.11-small 0.5.8
- nixpkgs-25.11-darwin 0.5.8

pkgs.python314Packages.crossplane

NGINX configuration file parser and builder

nixos-unstable 0.5.8
- nixpkgs-unstable 0.5.8
- nixos-unstable-small 0.5.8

pkgs.perl538Packages.MathPlanePath

Points on a path through the 2-D plane

nixos-25.11 129
- nixos-25.11-small 129
- nixpkgs-25.11-darwin 129

pkgs.perl540Packages.MathPlanePath

Points on a path through the 2-D plane

nixos-25.11 129
- nixos-25.11-small 129
- nixpkgs-25.11-darwin 129

pkgs.dprint-plugins.g-plane-markup_fmt

HTML, Vue, Svelte, Astro, Angular, Jinja, Twig, Nunjucks, and Vento formatter

nixos-unstable 0.25.3
- nixpkgs-unstable 0.25.3
- nixos-unstable-small 0.25.3
nixos-25.11 0.25.3
- nixos-25.11-small 0.25.3
- nixpkgs-25.11-darwin 0.25.3

pkgs.dprint-plugins.g-plane-pretty_yaml

YAML formatter

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-25.11 0.6.0
- nixos-25.11-small 0.6.0
- nixpkgs-25.11-darwin 0.6.0

pkgs.python313Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python314Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python312Packages.planetary-computer

Planetary Computer SDK for Python

nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0

pkgs.python313Packages.planetary-computer

Planetary Computer SDK for Python

nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0