Unrated severity · OSV Advisory · Published Jan 21, 2026 · Updated Jan 22, 2026
Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering
CVE-2026-23630
Description
Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0.
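The init-directive vector described above, as an added defender-side example that is not Docmost's code or its actual fix: the guard rejects untrusted Mermaid source whose %%{init}%% directive tries to set securityLevel or htmlLabels, and the render wrapper only sanitizes and returns SVG that passed the guard. Directive syntax is assumed from Mermaid's documented `%%{init: {...}}%%` form; `render` and `sanitize` are injected stand-ins for mermaid.render and an HTML sanitizer such as DOMPurify.sanitize, which the wrapper still needs, since the gate is defense in depth rather than a substitute for sanitizing the SVG before it reaches dangerouslySetInnerHTML.

```javascript
// Added example (not Docmost's code): gate untrusted Mermaid source before it
// reaches mermaid.render(). Directive syntax is assumed from Mermaid's documented
// `%%{init: {...}}%%` form: case-insensitive, may span lines.
const DIRECTIVE_RE = /%%\{\s*(init|initialize)\s*:([\s\S]*?)\}%%/gi;
// Config keys named in the advisory; a directive setting either one is refused.
const FORBIDDEN_KEYS = ["securityLevel", "htmlLabels"];

// Returns { ok: true } or { ok: false, reason } for one diagram's source text.
function checkMermaidSource(source) {
  if (typeof source !== "string") return { ok: false, reason: "not a string" };
  for (const [, , body] of source.matchAll(DIRECTIVE_RE)) {
    for (const key of FORBIDDEN_KEYS) {
      // Word-boundary match catches quoted, unquoted and nested keys alike;
      // over-rejecting an odd diagram is the safe failure mode here.
      if (new RegExp(`\\b${key}\\b`, "i").test(body)) {
        return { ok: false, reason: `directive overrides ${key}` };
      }
    }
  }
  // A "%%{init" left over after removing well-formed directives is an
  // unterminated directive; reject rather than guess how a lenient parser reads it.
  if (/%%\{\s*(init|initialize)\b/i.test(source.replace(DIRECTIVE_RE, ""))) {
    return { ok: false, reason: "malformed init directive" };
  }
  return { ok: true };
}

// Pipeline: gate -> render -> sanitize -> caller inserts. `render` and `sanitize`
// are injected so this runs offline; in the browser they would be mermaid.render
// and a sanitizer such as DOMPurify.sanitize (an assumption, not Docmost's fix).
async function safeRenderMermaid(id, source, render, sanitize) {
  const verdict = checkMermaidSource(source);
  if (!verdict.ok) return { svg: null, error: verdict.reason };
  const { svg } = await render(id, source);
  return { svg: sanitize(svg), error: null };
}

// Constructed sample inputs: a benign diagram and one carrying the override.
const BENIGN = 'graph TD\n  A[Page] --> B[Viewer]';
const HOSTILE =
  '%%{init: {"securityLevel": "loose", "flowchart": {"htmlLabels": true}}}%%\n' +
  'graph TD\n  A --> B';
console.log(checkMermaidSource(BENIGN));   // { ok: true }
console.log(checkMermaidSource(HOSTILE));  // { ok: false, reason: 'directive overrides securityLevel' }
```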
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf
- github.com/docmost/docmost/releases/tag/v0.24.0
- github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj