Unrated severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026

HedgeDoc security headers for uploaded files were not working

CVE-2026-25642

Description

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint were not given a stricter security policy. This left the Content-Security-Policy too permissive and made it possible to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6.
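A header audit for responses served below /uploads/, as an added example that is not HedgeDoc's code or its patch. The function names, finding labels and sample header values are assumptions made for illustration; the advisory does not list which headers 1.10.6 sets.

```javascript
// Added example: audit the headers returned for a file below /uploads/.
// Finding labels are hypothetical; the page does not list the headers 1.10.6 sets.

// Parse a CSP value into Map(directive -> lowercased source tokens).
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// True when a directive is present and allows nothing ('none' or an empty list).
const isNone = (src) => Array.isArray(src) && src.every((s) => s === "'none'");

function auditUploadHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const csp = parseCsp(h['content-security-policy']);
  const sandbox = csp.get('sandbox'); // [] for a bare "sandbox", undefined if absent
  const findings = [];
  if (csp.size === 0) findings.push('no-csp');

  // script-src falls back to default-src; sandbox blocks scripts unless allow-scripts.
  const scriptsBlocked = isNone(csp.get('script-src') || csp.get('default-src')) ||
    (!!sandbox && !sandbox.includes('allow-scripts'));
  if (!scriptsBlocked) findings.push('scripts-allowed');

  // form-action does NOT fall back to default-src, so a fake login form can still
  // submit under "default-src 'none'" unless form-action or sandbox forbids it.
  const formsBlocked = isNone(csp.get('form-action')) ||
    (!!sandbox && !sandbox.includes('allow-forms'));
  if (!formsBlocked) findings.push('forms-allowed');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('no-nosniff');

  // An SVG opened directly is a full document, so it needs the restrictions above
  // or a Content-Disposition: attachment that stops it rendering in the browser.
  const isSvg = (h['content-type'] || '').toLowerCase().startsWith('image/svg+xml');
  const attachment = /^\s*attachment/i.test(h['content-disposition'] || '');
  if (isSvg && !attachment && !(scriptsBlocked && formsBlocked)) findings.push('svg-rendered-inline');
  return findings;
}

// Constructed sample headers (not captured from a HedgeDoc instance).
const weak = { 'Content-Type': 'image/svg+xml', 'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'" };
const strict = { 'Content-Type': 'image/svg+xml', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src 'none'; sandbox" };
console.log(auditUploadHeaders(weak), auditUploadHeaders(strict));
```

Run it against the headers of a test upload before and after upgrading; an empty findings list for an SVG means scripts and form submission are both blocked and MIME sniffing is disabled.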

Affected products

  • HedgeDoc/HedgeDoc, 2 versions
    • (no CPE) range: <1.10.6
    • (no CPE) range: < 1.10.6
