High severity 7.5 · NVD Advisory · Published Dec 29, 2020 · Updated Jun 17, 2026
CVE-2020-26286
Description
HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1, an unauthenticated attacker can upload arbitrary files to the upload storage backend, including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should, however, verify that your uploaded file storage contains only files that are allowed, as uploaded files might still be served. As a workaround, you can block the /uploadimage endpoint on your instance using your reverse proxy, and/or restrict the MIME types and file names served from your upload file storage.
References
- github.com/hedgedoc/hedgedoc/commit/e9306991cdb5ff2752c1eeba3fedba42aec3c2d8 (NVD: Patch, Third Party Advisory)
- github.com/hedgedoc/hedgedoc/releases/tag/1.7.1 (NVD: Third Party Advisory)
- github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc (NVD: Third Party Advisory)