Docmost
Products
1- 9 CVEs
Recent CVEs
9| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-24045 | Hig | 0.40 | 7.3 | 0.00 | Feb 10, 2026 | Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site… | ||
| CVE-2026-40927 | Med | 0.28 | 5.4 | 0.00 | Apr 21, 2026 | Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0. | ||
| CVE-2026-34213 | Med | 0.28 | 5.4 | 0.00 | Apr 14, 2026 | Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying… | ||
| CVE-2026-34212 | Med | 0.28 | 5.4 | 0.00 | Apr 14, 2026 | Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content.… | ||
| CVE-2026-33193 | Med | 0.23 | 4.6 | 0.00 | Apr 14, 2026 | Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious… | ||
| CVE-2026-33146 | Med | 0.21 | 4.3 | 0.00 | Apr 14, 2026 | Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly… | ||
| CVE-2026-23630 | 0.00 | — | 0.00 | Jan 21, 2026 | Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then… | |||
| CVE-2026-22249 | 0.00 | — | 0.01 | Jan 15, 2026 | Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename.… | |||
| CVE-2025-55574 | 0.00 | — | 0.00 | Aug 25, 2025 | Cross Site Scripting vulnerability in docmost v.0.21.0 and before allows an attacker to execute arbitrary code |
- risk 0.40cvss 7.3epss 0.00
Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site…
- risk 0.28cvss 5.4epss 0.00
Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.
- risk 0.28cvss 5.4epss 0.00
Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying…
- risk 0.28cvss 5.4epss 0.00
Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content.…
- risk 0.23cvss 4.6epss 0.00
Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious…
- risk 0.21cvss 4.3epss 0.00
Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly…
- CVE-2026-23630Jan 21, 2026risk 0.00cvss —epss 0.00
Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then…
- CVE-2026-22249Jan 15, 2026risk 0.00cvss —epss 0.01
Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename.…
- CVE-2025-55574Aug 25, 2025risk 0.00cvss —epss 0.00
Cross Site Scripting vulnerability in docmost v.0.21.0 and before allows an attacker to execute arbitrary code