Outline
Recent CVEs (21 CVEs tracked; 20 shown below)
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-43886 | High | 0.53 | 8.2 | 0.00 | May 11, 2026 | Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An… |
| CVE-2020-37030 | High | 0.51 | 7.8 | 0.00 | Jan 30, 2026 | Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that… |
| CVE-2026-43888 | High | 0.50 | 8.7 | 0.00 | May 11, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When… |
| CVE-2026-43887 | High | 0.47 | 7.3 | 0.00 | May 11, 2026 | Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result,… |
| CVE-2026-43890 | High | 0.43 | 7.7 | 0.00 | May 11, 2026 | Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the… |
| CVE-2026-41649 | High | 0.43 | 7.7 | 0.00 | Apr 28, 2026 | Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both `collectionId` and `documentId` are provided in the request, the… |
| CVE-2026-43889 | Medium | 0.35 | 6.5 | 0.00 | May 11, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each, skipping the "share" permission check. A subsequent… |
| CVE-2026-44695 | Medium | 0.31 | 5.8 | 0.00 | May 11, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client… |
| CVE-2026-33640 | — | 0.00 | — | 0.00 | Mar 26, 2026 | Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or… |
| CVE-2026-28506 | — | 0.00 | — | 0.00 | Mar 17, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with… |
| CVE-2026-24901 | — | 0.00 | — | 0.00 | Mar 17, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to restore, view, and seize ownership of deleted drafts belonging to… |
| CVE-2025-68663 | — | 0.00 | — | 0.00 | Feb 11, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a vulnerability was found in Outline's WebSocket authentication mechanism that allows suspended users to maintain or establish real-time WebSocket connections and continue receiving sensitive… |
| CVE-2025-64487 | — | 0.00 | — | 0.00 | Feb 11, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This… |
| CVE-2026-25062 | — | 0.00 | — | 0.00 | Feb 11, 2026 | Outline is a service that allows for collaborative documentation. Prior to 1.4.0, during the JSON import process, the value of attachments[].key from the imported JSON is passed directly to path.join(rootPath, node.key) and then read using fs.readFile without validation. By… |
| CVE-2023-54331 | — | 0.00 | — | 0.00 | Jan 13, 2026 | Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be… |
| CVE-2025-58351 | — | 0.00 | — | 0.00 | Sep 3, 2025 | Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a… |
| CVE-2024-40626 | — | 0.00 | — | 0.01 | Jul 16, 2024 | Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror's rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious… |
| CVE-2024-37829 | — | 0.00 | — | 0.01 | Jul 9, 2024 | An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. |
| CVE-2024-37830 | — | 0.00 | — | 0.00 | Jul 9, 2024 | An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and changing the state cookie. |
| CVE-2023-3532 | — | 0.00 | — | 0.00 | Jul 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. |

Entries marked "—" carry no severity or CVSS score on this page; the Risk column is this listing's own score, not a CVSS metric. Two entries, CVE-2020-37030 and CVE-2023-54331, describe an unquoted Windows service path for an OutlineService binary installed under C:\Program Files (x86)\Outline. That is a Windows client install, not the Node.js server (server/routes/…, path.join, fs.readFile, ProseMirror) that the other eighteen entries concern, so the two sets are triaged separately: the service-path pair is a local privilege escalation on the workstation, the rest are server-side authorization, import and authentication flaws fixed in the Outline releases named in each description.
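The quantifier bug the CVE-2026-43886 entry describes, as an added example that is not Outline's own code: `Array.some()` returns true as soon as one requested scope is granted, so every other entry in the array rides along unchecked. The granted-scope names are constructed for the example; the point is the change from `some()` to `every()` plus an explicit rejection of the empty array.

```typescript
// Added example, not code from the Outline project. GRANTED is a constructed
// allow-list of scope names; the scope strings are assumptions for the demo.
const GRANTED: ReadonlySet<string> = new Set([
  "documents.read",
  "collections.read",
]);

// Vulnerable shape: true as soon as ANY requested scope is granted, so a
// request for ["documents.read", "admin"] passes and "admin" comes along.
function validateScopeSome(requested: string[]): boolean {
  return requested.some((scope) => GRANTED.has(scope));
}

// Fixed shape: ALL requested scopes must be granted. The empty array is
// rejected explicitly because every() over [] is vacuously true.
function validateScopeEvery(requested: string[]): boolean {
  if (requested.length === 0) return false;
  return requested.every((scope) => GRANTED.has(scope));
}

// Which scopes the some() version would accept without ever checking them.
function smuggledScopes(requested: string[]): string[] {
  if (!validateScopeSome(requested)) return [];
  return requested.filter((scope) => !GRANTED.has(scope));
}
```

When reviewing scope or permission checks, look for any `some()`, `find()` or early-return loop whose result gates the whole request; the correct quantifier for "is every requested thing allowed" is `every()`, and the empty set needs its own decision.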
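The missing check behind the CVE-2026-43887 entry (an href on a user mention stored without validation), as an added example rather than Outline's code: treat the href as an allow-list decision, parse it with the WHATWG URL parser, and rebuild the stored value instead of echoing input. The application origin and the `/users/<id>` route shape are assumptions for the example.

```typescript
// Added example, not code from the Outline project. APP_ORIGIN and the
// "/users/<id>" path are assumptions; substitute the app's real route.
const APP_ORIGIN = "https://wiki.example.com"; // constructed

// Returns the canonical href to store, or null to reject the mention.
function sanitizeMentionHref(rawHref: string, mentionedUserId: string): string | null {
  let url: URL;
  try {
    // Relative hrefs resolve against our own origin; absolute ones keep theirs.
    url = new URL(rawHref, APP_ORIGIN);
  } catch {
    return null; // unparsable input is never stored
  }
  // Allow-list by origin. This rejects javascript:, data: and vbscript:
  // (their origin is "null"), protocol-relative //evil.example, and any
  // foreign host, without maintaining a scheme deny-list.
  if (url.origin !== APP_ORIGIN) return null;
  // A mention must link to the user it names, not to an arbitrary page.
  if (url.pathname !== `/users/${encodeURIComponent(mentionedUserId)}`) return null;
  // Rebuild the value: drops query string and fragment so nothing the
  // client sent reaches the stored document verbatim.
  return `${url.origin}${url.pathname}`;
}
```

The same function belongs on the read path if older stored mentions exist, since content written before the fix is still rendered.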
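The unvalidated join the CVE-2026-25062 entry describes (`path.join(rootPath, node.key)` passed straight to `fs.readFile`) beside a containment check, as an added example that is not Outline's code. The same check is what an archive extractor such as the one in the CVE-2026-43888 entry needs at the end: validate the final resolved path against the root, not the name that went into a filename helper. Roots and keys below are constructed and nothing is read from disk.

```typescript
import * as path from "node:path";

// Added example, not code from the Outline project. rootPath and key values
// in the usage are constructed; no file I/O happens here.

// Vulnerable shape: whatever the import file says is joined and then read.
function attachmentPathUnchecked(rootPath: string, key: string): string {
  return path.join(rootPath, key);
}

// Hardened: resolve, then require the result to lie strictly inside rootPath.
function attachmentPathContained(rootPath: string, key: string): string | null {
  const root = path.resolve(rootPath);
  // An absolute key would make path.resolve discard root entirely.
  if (path.isAbsolute(key)) return null;
  const candidate = path.resolve(root, key);
  const rel = path.relative(root, candidate);
  // rel is "" for root itself, ".." or "../x" for an escape, and an absolute
  // path on Windows when drives differ. A file literally named "..hidden"
  // inside root is legitimate, so match the segment, not the string prefix.
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}
```

This is lexical containment. If the import directory can contain symlinks (a zip entry can be one), call `fs.realpath` on the candidate and on the root and compare those, otherwise a link inside the root still escapes it.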
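The authorization pattern shared by the CVE-2026-43889, CVE-2026-41649 and CVE-2026-43890 entries, written generically as an added example (not Outline's code, and not a reproduction of the exact control flow of `shares.create` or `subscriptions.create`, which the descriptions truncate). When a request names both a collection and a document, the check must be the action the request performs ("share") on the object it acts upon (the document), and the two ids must agree. The users, collections, documents and permission model are constructed.

```typescript
// Added example, not code from the Outline project. The permission model,
// users, collections and documents below are constructed for the demo.
type Action = "read" | "share";

interface User {
  id: string;
  perms: Record<string, Set<Action>>; // per-collection permission sets
}
interface Document { id: string; collectionId: string }

const DOCUMENTS: Record<string, Document> = {
  d1: { id: "d1", collectionId: "engineering" },
  d2: { id: "d2", collectionId: "hr" },
};
const COLLECTIONS = new Set(["engineering", "hr"]);

function can(user: User, action: Action, collectionId: string): boolean {
  return user.perms[collectionId]?.has(action) ?? false;
}

interface ShareRequest { collectionId?: string; documentId?: string; published?: boolean }
type Decision = { allowed: true; target: string } | { allowed: false; reason: string };

// Vulnerable shape, as the CVE-2026-43889 entry describes for published=false:
// with both ids present only "read" is verified on each, never "share".
function authorizeShareWeak(user: User, req: ShareRequest): Decision {
  if (req.collectionId && req.documentId && req.published === false) {
    const doc = DOCUMENTS[req.documentId];
    if (!doc || !COLLECTIONS.has(req.collectionId)) return { allowed: false, reason: "not found" };
    if (!can(user, "read", req.collectionId) || !can(user, "read", doc.collectionId)) {
      return { allowed: false, reason: "no read access" };
    }
    return { allowed: true, target: doc.id }; // share created, "share" never checked
  }
  return authorizeShare(user, req);
}

// Hardened: pick the single object the share is for, make the ids agree, then
// check the permission the action actually needs on that object.
function authorizeShare(user: User, req: ShareRequest): Decision {
  if (req.documentId) {
    const doc = DOCUMENTS[req.documentId];
    if (!doc) return { allowed: false, reason: "not found" };
    if (req.collectionId && req.collectionId !== doc.collectionId) {
      return { allowed: false, reason: "document is not in that collection" };
    }
    return can(user, "share", doc.collectionId)
      ? { allowed: true, target: doc.id }
      : { allowed: false, reason: "no share permission on document" };
  }
  if (req.collectionId) {
    if (!COLLECTIONS.has(req.collectionId)) return { allowed: false, reason: "not found" };
    return can(user, "share", req.collectionId)
      ? { allowed: true, target: req.collectionId }
      : { allowed: false, reason: "no share permission on collection" };
  }
  return { allowed: false, reason: "no target" };
}
```

The same shape applies to `subscriptions.create`: decide which object the subscription attaches to before authorizing, and never let a permission on one id stand in for a permission on the other.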
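An OAuth `state` value that is both signed and bound to the caller's session, the two properties the CVE-2026-44695 entry says the Slack callback's state lacked (and that the tamperable state cookie in the CVE-2024-37830 entry also lacked), as an added example that is not Outline's code. The secret, session ids and clock values are constructed; in a deployment the secret comes from configuration, not `randomBytes` at startup.

```typescript
import * as crypto from "node:crypto";

// Added example, not code from the Outline project. STATE_SECRET, session ids
// and timestamps are constructed for the demo.
const STATE_SECRET = crypto.randomBytes(32); // constructed per process
const STATE_TTL_MS = 10 * 60 * 1000;

function sign(payload: string): string {
  return crypto.createHmac("sha256", STATE_SECRET).update(payload).digest("base64url");
}

// state = base64url({sid, nonce, exp}) "." HMAC-SHA256(payload)
function issueState(sessionId: string, now: number = Date.now()): string {
  const body = {
    sid: sessionId,
    nonce: crypto.randomBytes(16).toString("base64url"),
    exp: now + STATE_TTL_MS,
  };
  const payload = Buffer.from(JSON.stringify(body)).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Callback side: verify the MAC first (constant time), then the binding.
function verifyState(state: string, sessionId: string, now: number = Date.now()): boolean {
  const dot = state.indexOf(".");
  if (dot < 0) return false;
  const payload = state.slice(0, dot);
  const sig = Buffer.from(state.slice(dot + 1));
  const expected = Buffer.from(sign(payload));
  if (sig.length !== expected.length || !crypto.timingSafeEqual(sig, expected)) return false;
  let body: { sid?: unknown; exp?: unknown };
  try {
    body = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return false;
  }
  // Session binding defeats a state minted in the attacker's own browser and
  // replayed into the victim's callback; expiry bounds how long a captured
  // state stays usable.
  return body.sid === sessionId && typeof body.exp === "number" && body.exp > now;
}
```

The session id is the one already attached to the browser that started the flow, so an attacker who obtained a provider code for the same client cannot complete the callback in a victim's session without also holding that session. To make each state single-use, record the nonce when verified and reject a second presentation.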