The Hydra package has a persistent XSS vulnerability when serving HTML files, registered as CVE-2024-32657.
This has already been patched on https://hydra.nixos.org, and corresponding PRs have been opened against nixpkgs.
Details about the vulnerability can be found on GitHub.