VYPR
Vendor

Docmost

Products
1
CVEs
9
Across products
9
Status
Private

Products

1

Recent CVEs

9
  • CVE-2026-24045HigFeb 10, 2026
    risk 0.40cvss 7.3epss 0.00

    Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site…

  • CVE-2026-40927MedApr 21, 2026
    risk 0.28cvss 5.4epss 0.00

    Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.

  • CVE-2026-34213MedApr 14, 2026
    risk 0.28cvss 5.4epss 0.00

    Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying…

  • CVE-2026-34212MedApr 14, 2026
    risk 0.28cvss 5.4epss 0.00

    Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content.…

  • CVE-2026-33193MedApr 14, 2026
    risk 0.23cvss 4.6epss 0.00

    Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious…

  • CVE-2026-33146MedApr 14, 2026
    risk 0.21cvss 4.3epss 0.00

    Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly…

  • CVE-2026-23630Jan 21, 2026
    risk 0.00cvss epss 0.00

    Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then…

  • CVE-2026-22249Jan 15, 2026
    risk 0.00cvss epss 0.01

    Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename.…

  • CVE-2025-55574Aug 25, 2025
    risk 0.00cvss epss 0.00

    Cross Site Scripting vulnerability in docmost v.0.21.0 and before allows an attacker to execute arbitrary code