diff --git a/pkgs/applications/misc/hugo/default.nix b/pkgs/applications/misc/hugo/default.nix
index bf5fe070cbf..bb925ceb2fb 100644
--- a/pkgs/applications/misc/hugo/default.nix
+++ b/pkgs/applications/misc/hugo/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "hugo";
-  version = "0.84.1";
+  version = "0.84.2";
 
   src = fetchFromGitHub {
     owner = "gohugoio";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-ULZa0tepq00v2VHDR3+aYYvRfbxYKcjcltRgRmbVmRA=";
+    sha256 = "sha256-NE4vXtczzcL5f0/aDYeGnleBwsDBTzojSaek/LzowFo=";
   };
 
-  vendorSha256 = "sha256-jY/g92ON5OxjuZzPHJNduXYMgPU8/0ioAYvp4iqjGnU=";
+  vendorSha256 = "sha256-ImXTOtN6kQL7Q8IBlmK7+i47cWtyZT0xcnQdCw3NvWM=";
 
   doCheck = false;
 
diff --git a/pkgs/development/libraries/kde-frameworks/kimageformats.nix b/pkgs/development/libraries/kde-frameworks/kimageformats.nix
index 3d9c5851f24..f78d8168b45 100644
--- a/pkgs/development/libraries/kde-frameworks/kimageformats.nix
+++ b/pkgs/development/libraries/kde-frameworks/kimageformats.nix
@@ -1,5 +1,5 @@
 {
-  mkDerivation, lib,
+  mkDerivation, lib, fetchpatch,
   extra-cmake-modules,
   ilmbase, karchive, openexr, qtbase
 }:
@@ -8,8 +8,21 @@ let inherit (lib) getDev; in
 
 mkDerivation {
   name = "kimageformats";
+
+  patches = [
+    (fetchpatch { # included in kimageformats >= 5.82
+      name = "CVE-2021-36083.patch";
+      url = "https://invent.kde.org/frameworks/kimageformats/-/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f.diff";
+      sha256 = "16axaljgaar0j5796x1mjps93y92393x8zywh3nzw7rm9w2qxzml";
+    })
+  ];
+
   nativeBuildInputs = [ extra-cmake-modules ];
   buildInputs = [ karchive openexr qtbase ];
   outputs = [ "out" ]; # plugins only
   CXXFLAGS = "-I${getDev ilmbase}/include/OpenEXR";
+
+  meta = with lib; {
+    broken = versionOlder qtbase.version "5.14";
+  };
 }