VYPR

Vendor: Requarks
Products: 1
CVEs: 15
Across products: 15
Status: Private

Recent CVEs (15)
  • CVE-2024-34710 | High | May 20, 2024
    risk 0.39 | cvss 7.1 | epss 0.00

    Wiki.js is a wiki app built on Node.js. Client-side template injection was discovered that could allow an attacker to inject malicious JavaScript into the content section of pages, which would execute once a victim loads the page that contains the payload. This was possible…

  • CVE-2024-45298 | Medium | Sep 18, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    Wiki.js is an open source wiki app built on Node.js. A disabled user can still gain access to a wiki by abusing the password reset function. While setting up SMTP e-mails on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only…

  • CVE-2025-56643 | Nov 18, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow…

  • CVE-2022-1681 | High | May 12, 2022
    risk 0.00 | cvss 7.2 | epss 0.02

    Authentication Bypass Using an Alternate Path or Channel in GitHub repository requarks/wiki prior to 2.5.281. User can get root user permissions

  • CVE-2022-23654 | High | Feb 22, 2022
    risk 0.00 | cvss 8.1 | epss 0.01

    Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly…

  • CVE-2021-25993 | Medium | Dec 29, 2021
    risk 0.00 | cvss 5.4 | epss 0.01

    In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by a stored XSS vulnerability, where a low privileged (editor) user can upload an SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s…

  • CVE-2021-43856 | High | Dec 27, 2021
    risk 0.00 | cvss 8.2 | epss 0.01

    Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through non-image file uploads for file types that can be viewed directly inline in the browser. By creating a malicious file which can execute inline JS when viewed…

  • CVE-2021-43855 | High | Dec 27, 2021
    risk 0.00 | cvss 8.2 | epss 0.01

    Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through an SVG file upload made via a custom request with a fake MIME type. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site…

  • CVE-2021-43842 | Medium | Dec 20, 2021
    risk 0.00 | cvss 5.4 | epss 0.01

    Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through an SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker…

  • CVE-2021-43800 | High | Dec 6, 2021
    risk 0.00 | cvss 7.5 | epss 0.02

    Wiki.js is a wiki app built on Node.js. Prior to version 2.5.254, directory traversal outside of Wiki.js context is possible when a storage module with local asset cache fetching is enabled on a Windows host. A malicious user can potentially read any file on the file system by…

  • CVE-2021-21383 | High | Mar 18, 2021
    risk 0.00 | cvss 7.6 | epss 0.01

    Wiki.js is an open-source wiki app built on Node.js. Wiki.js before version 2.5.191 is vulnerable to stored cross-site scripting through mustache expressions in code blocks. This vulnerability exists due to mustache expressions being parsed by Vue during content injection even…

  • CVE-2020-15274 | Medium | Oct 26, 2020
    risk 0.00 | cvss 5.8 | epss 0.01

    In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit…

  • CVE-2020-15236 | High | Oct 5, 2020
    risk 0.00 | cvss 8.6 | epss 0.02

    In Wiki.js before version 2.5.151, directory traversal outside of Wiki.js context is possible when a storage module with local asset cache fetching is enabled. A malicious user can potentially read any file on the file system by crafting a special URL that allows for directory…

  • CVE-2020-4052 | Medium | Jun 16, 2020
    risk 0.00 | cvss 6.3 | epss 0.01

    In Wiki.js before 2.4.107, there is a stored cross-site scripting vulnerability through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page,…

  • CVE-2020-11051 | Medium | May 5, 2020
    risk 0.00 | cvss 6.9 | epss 0.01

    In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) loads the same page into the Markdown editor, the…