High severity7.3NVD Advisory· Published Feb 10, 2026· Updated Apr 14, 2026

CVE-2026-24045

Description

Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.

Affected products

Docmost/Docmost
cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*
Range: >=0.20.0,<0.25.0

Patches

f3f74c591f32

https://github.com/docmost/docmostvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9nvdPatch
github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wqnvdExploitThird Party Advisory
github.com/docmost/docmost/releases/tag/v0.25.0nvdProductRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000