Unrated severityOSV Advisory· Published Jan 15, 2026· Updated Jan 15, 2026

LaSuite Doc affected by Stored XSS via Interlinking Block

CVE-2026-22867

Description

LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0.

Affected products

Suitenumerique/DocsOSV
Range: v3.10.0, v3.10.0-preprod, v3.8.0, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77mitrex_refsource_MISC
github.com/suitenumerique/docs/releases/tag/v4.4.0mitrex_refsource_MISC
github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000