diff --git a/pkgs/by-name/pa/paperless-ngx/package.nix b/pkgs/by-name/pa/paperless-ngx/package.nix
index 64c3d3c3615cb..52413d025d7fb 100644
--- a/pkgs/by-name/pa/paperless-ngx/package.nix
+++ b/pkgs/by-name/pa/paperless-ngx/package.nix
@@ -3,6 +3,7 @@
   stdenv,
   fetchFromGitHub,
   fetchPypi,
+  fetchpatch,
   node-gyp,
   nodejs_20,
   nixosTests,
@@ -157,6 +158,24 @@ python.pkgs.buildPythonApplication rec {
 
   inherit version src;
 
+  patches = [
+    (fetchpatch {
+      name = "GHSA-24x5-wp64-9fcc.patch";
+      url = "https://github.com/paperless-ngx/paperless-ngx/commit/9bdbfd362f4a15f8de109ca959f04e3a7d8a39d0.patch";
+      hash = "sha256-1iiOeWKvBoHFLa1QySkXYTbX5CVF3VQDWno6A/SinCs=";
+    })
+    (fetchpatch {
+      name = "GHSA-7cq3-mhxq-w946.patch";
+      url = "https://github.com/paperless-ngx/paperless-ngx/commit/bf38ae98f1ac3bae2c6006888a8705e42fbb804f.patch";
+      hash = "sha256-ATjtB7dmrXk/R+zjc0y2jJkmvVN7Gmqf0aWMRG9EN7I=";
+    })
+    (fetchpatch {
+      name = "GHSA-28cf-xvcf-hw6m.patch";
+      url = "https://github.com/paperless-ngx/paperless-ngx/commit/7c457466b76d7a4abeca521043de69d3c1f4eb11.patch";
+      hash = "sha256-t2/3lnhj1eywGiX1zmo7aJ+aOEdTWr0xe7yaFj8NeMs=";
+    })
+  ];
+
   postPatch = ''
     # pytest-xdist with to many threads makes the tests flaky
     if (( $NIX_BUILD_CORES > 3)); then
@@ -243,6 +262,7 @@ python.pkgs.buildPythonApplication rec {
       pyzbar
       rapidfuzz
       redis
+      regex
       scikit-learn
       setproctitle
       tika-client