VYPR
Medium severity (6.1) · NVD Advisory · Published May 20, 2026

CVE-2026-26028

Description

CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed because of incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of iframe, video, and audio elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad's intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, iframe is treated as "restricted" rather than "forbidden." Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CryptPad's HTML sanitizer in Diffmarked.js validates only the src attribute of iframe elements, enabling srcdoc-based injection that bypasses bounce sandboxing.

Vulnerability

CryptPad versions prior to 2026.2.0 contain a sanitizer bypass in Diffmarked.js. The HTML sanitizer defines IFRAME, VIDEO, and AUDIO as restricted tags but only validates the src attribute, leaving other attributes such as srcdoc unchecked [2]. Because IFRAME is treated as restricted rather than forbidden, an attacker can include a benign blob: src while injecting arbitrary HTML via srcdoc, completely defeating CryptPad's intended bounce sandboxing [2]. The issue is fixed in version 2026.2.0 [1].

Exploitation

An attacker needs write access to a document or other content that is processed by the sanitizer. The attacker supplies an iframe element with a legitimate src (e.g., blob:) and a malicious srcdoc attribute containing arbitrary HTML [2]. The sanitizer passes the element because the src matches the allowed pattern, while the srcdoc content is rendered without restriction. No special network position or user interaction beyond accessing the crafted document is required.

Impact

Successful exploitation allows an attacker to inject arbitrary HTML, including clickable links, images, or interactive content, within user-controlled documents [2]. Although the Content Security Policy (CSP) is strict, CryptPad exposes same-origin gadgets (e.g., jscolor.js) that can execute attacker-controlled JavaScript, potentially leading to cross-site scripting (XSS) [2]. This undermines the confidentiality and integrity of end-to-end encrypted collaborative documents.

Mitigation

The vulnerability is fixed in CryptPad version 2026.2.0 [1]. Users should upgrade to this version immediately. No workaround is available; the fix updates the sanitizer to also validate or strip the srcdoc attribute on restricted elements. There is no indication this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
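To make the root cause concrete, here is an added model of the two checks (illustrative JavaScript written for this page, not CryptPad's Diffmarked.js): the vulnerable version inspects only src on restricted tags, the hardened version keeps an attribute allow-list on those tags, and a helper reports which attributes the allow-list would drop so affected documents can be logged. The tag lists, the blob: scheme test, and the allowed-attribute set are assumptions for the demo.

```javascript
// Added illustration of the flaw this advisory describes; not CryptPad's
// Diffmarked.js. Elements are modelled as {tag, attrs} objects so the logic
// runs in Node without a DOM. Tag lists and the allowed src scheme are
// assumptions chosen for the demo.
const FORBIDDEN = new Set(["script", "object", "embed"]);
const RESTRICTED = new Set(["iframe", "video", "audio"]);
const SRC_OK = /^blob:/i;

// Vulnerable pattern: a restricted tag is kept as soon as its src passes,
// and no other attribute is inspected, so srcdoc is rendered unchecked.
function sanitizeVulnerable(el) {
  const tag = el.tag.toLowerCase();
  if (FORBIDDEN.has(tag)) return null;
  if (RESTRICTED.has(tag) && !SRC_OK.test(el.attrs.src || "")) return null;
  return { tag, attrs: { ...el.attrs } };
}

// Hardened pattern: restricted tags keep only allow-listed attributes, so
// srcdoc (and any other attribute that can carry markup or code) is dropped.
const RESTRICTED_ATTRS = new Set(["src", "controls", "width", "height"]);
function sanitizeHardened(el) {
  const tag = el.tag.toLowerCase();
  if (FORBIDDEN.has(tag)) return null;
  if (!RESTRICTED.has(tag)) return { tag, attrs: { ...el.attrs } };
  if (!SRC_OK.test(el.attrs.src || "")) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(el.attrs)) {
    const key = name.toLowerCase();
    if (RESTRICTED_ATTRS.has(key)) attrs[key] = value;
  }
  return { tag, attrs };
}

// Detection helper: names the attributes on a restricted element that the
// allow-list would strip, useful for logging documents that hit the old path.
function droppedAttributes(el) {
  const tag = el.tag.toLowerCase();
  if (!RESTRICTED.has(tag)) return [];
  return Object.keys(el.attrs).filter((n) => !RESTRICTED_ATTRS.has(n.toLowerCase()));
}

// Constructed sample: a benign blob: src paired with a srcdoc payload, the
// combination the advisory describes (the payload is only a link here).
const SAMPLE = {
  tag: "iframe",
  attrs: { src: "blob:https://cryptpad.example/0000", srcdoc: "<a href='https://example.invalid'>x</a>" },
};
```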

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.