diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index d09f0fc9fbd3..f8478b497a28 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -1,5 +1,6 @@
 {
   buildXenPackage,
+  fetchpatch,
   python3Packages,
 }:
 
@@ -8,4 +9,30 @@ buildXenPackage.override { inherit python3Packages; } {
   version = "4.19.3";
   rev = "077419f04a3125c58dcf9724c954f98d1e927392";
   hash = "sha256-e9aPLgzNVxUn7WnLbBHwFIN02DAObfA24VjiqdiP+jA=";
+
+  patches = [
+    # XSA 472
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa472-1.patch";
+      hash = "sha256-6k/X7KFno9uBG0mUtJxl7TMavaRs2Xlj9JlW9ai6p0k=";
+    })
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa472-2.patch";
+      hash = "sha256-BisdztU9Wa5nIGmHo4IikqYPHdEhBehHaNqj1IuBe6I=";
+    })
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa472-3.patch";
+      hash = "sha256-rikOofQeuLNMBkdQS3xzmwh7BlgMOTMSsQcAOEzNOso=";
+    })
+
+    # XSA 473
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa473-1.patch";
+      hash = "sha256-594tTalWcGJSLj3++4QB/ADkHH1qJNrdvg7FG6kOuB8=";
+    })
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa473-2.patch";
+      hash = "sha256-tGuIGxJFBXbckIruSUeTyrM6GabdIj6Pr3cVxeDvNNY=";
+    })
+  ];
 }