diff --git a/pkgs/build-support/xen/default.nix b/pkgs/build-support/xen/default.nix
index fa9feea91eae..efff9b304544 100644
--- a/pkgs/build-support/xen/default.nix
+++ b/pkgs/build-support/xen/default.nix
@@ -60,6 +60,7 @@
   branch ? lib.versions.majorMinor version,
   version,
   vendor ? "nixos",
+  upstreamVersion,
   withFlask ? false,
   withSeaBIOS ? true,
   withOVMF ? true,
@@ -291,10 +292,10 @@ stdenv.mkDerivation (finalAttrs: {
     '';
 
   passthru = {
-    efi = "boot/xen-${version}.efi";
+    efi = "boot/xen-${upstreamVersion}.efi";
     flaskPolicy =
       if withFlask then
-        "boot/xenpolicy-${version}"
+        warn "This Xen was compiled with FLASK support, but the FLASK file does not match the Xen version number. Please hardcode the path to the FLASK file instead." "boot/xenpolicy-${version}"
       else
         throw "This Xen was compiled without FLASK support.";
     # This test suite is very simple, as Xen's userspace
@@ -339,7 +340,7 @@ stdenv.mkDerivation (finalAttrs: {
         Use with the `qemu_xen` package.
       ''
       + "\nIncludes:\n* `xen.efi`: The Xen Project's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package."
-      + optionalString withFlask "\n* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package."
+      + optionalString withFlask "\n* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${upstreamVersion}` file is available on the `boot` output of this package."
       + optionalString withSeaBIOS "\n* `seabios`: Support for the SeaBIOS boot firmware on HVM domains."
       + optionalString withOVMF "\n* `ovmf`: Support for the OVMF UEFI boot firmware on HVM domains."
       + optionalString withIPXE "\n* `ipxe`: Support for the iPXE boot firmware on HVM domains.";
diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index 8c574d141ad4..d20abea06ecb 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -6,6 +6,7 @@
 buildXenPackage.override { inherit python3Packages; } {
   pname = "xen";
   version = "4.19.0-unstable-2024-11-12";
+  upstreamVersion = "4.19.1-pre"; # We track the stable branches. Despite the version number, this is actually 4.19.0, not 4.19.1.
   rev = "251a9496485a86f302980a3f8d3c656831b5a62f";
   hash = "sha256-kHuB6kagH3AU+Wsx4oD7HnNsZpxCu7x3v/m4/1xi6lY=";
 }