Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-35451

5.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 2 days ago Activity log

Created suggestion 2 days ago

Twenty: Stored XSS via BlockNote FileBlock

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.

References

https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q exploitx_refsource_CONFIRM
https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523 x_refsource_MISC

Affected products

twenty

==< 1.20.6

Matching in nixpkgs

pkgs.gnome-2048

Obtain the 2048 tile

nixos-unstable 3.38.2
- nixpkgs-unstable 3.38.2
- nixos-unstable-small 3.38.2
nixos-25.11 3.38.2
- nixos-25.11-small 3.38.2
- nixpkgs-25.11-darwin 3.38.2

pkgs.wordpressPackages.themes.twentytwenty

None

nixos-unstable 3.0
- nixpkgs-unstable 3.0
- nixos-unstable-small 3.0
nixos-25.11 2.9
- nixos-25.11-small 2.9
- nixpkgs-25.11-darwin 2.9

pkgs.wordpressPackages.themes.twentynineteen

None

nixos-unstable 3.2
- nixpkgs-unstable 3.2
- nixos-unstable-small 3.2
nixos-25.11 3.1
- nixos-25.11-small 3.1
- nixpkgs-25.11-darwin 3.1

pkgs.wordpressPackages.themes.twentytwentyone

None

nixos-unstable 2.7
- nixpkgs-unstable 2.7
- nixos-unstable-small 2.7
nixos-25.11 2.5
- nixos-25.11-small 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.wordpressPackages.themes.twentytwentytwo

None

nixos-unstable 2.1
- nixpkgs-unstable 2.1
- nixos-unstable-small 2.1
nixos-25.11 2.0
- nixos-25.11-small 2.0
- nixpkgs-25.11-darwin 2.0

pkgs.wordpressPackages.themes.twentytwentyfive

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.2
- nixos-25.11-small 1.2
- nixpkgs-25.11-darwin 1.2

pkgs.wordpressPackages.themes.twentytwentyfour

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.3
- nixos-25.11-small 1.3
- nixpkgs-25.11-darwin 1.3

pkgs.wordpressPackages.themes.twentytwentythree

None

nixos-unstable 1.6
- nixpkgs-unstable 1.6
- nixos-unstable-small 1.6
nixos-25.11 1.6
- nixos-25.11-small 1.6
- nixpkgs-25.11-darwin 1.6

Package maintainers

@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@bobby285271 Bobby Rong <rjl931189261@126.com>