Impact
Docmost’s Zip Import feature accepts uploaded archives and extracts their contents on the server. Because the implementation does not validate the entry names listed in the archive, an attacker can craft entries whose names contain directory traversal components (`../`) or absolute paths, causing the server to write files anywhere on the filesystem that the Docmost process can reach. This is a path traversal weakness (CWE‑22), commonly called "zip slip" when it arises from archive extraction. It permits arbitrary file creation or overwrite, compromising the integrity of the server's files and, depending on what is overwritten, their confidentiality and availability as well. If the application or the host later executes or loads a planted file, the impact could extend to remote code execution or configuration tampering; the supplied advisory does not demonstrate such an outcome, so that escalation is inferred rather than confirmed.
Affected Systems
The issue affects Docmost versions 0.21.0 through 0.23.x, inclusive. Any installation whose zip import endpoint is reachable by users, whether through the web UI or the API, is in scope. Release 0.24.0 fixes the issue by validating entry filenames before extraction; operators should upgrade to 0.24.0 or later.
Risk and Exploitability
With a CVSS score of 7.1, the flaw falls in the High severity band (7.0 to 8.9). The EPSS score of less than 1 % indicates a currently low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only to submit a crafted zip to the import endpoint, via the web UI or the API; because entry names are not validated, a name such as `../../../some/path` or `/absolute/path` is resolved outside the intended extraction directory during extraction. Each write lands wherever the Docmost process has permission to write, so the reachable targets depend on the privileges of the service account. Until 0.24.0 is deployed, running Docmost under a dedicated low-privilege account and restricting who may import archives limits what an attacker can overwrite.
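The mechanism described in the Impact and Risk sections above, as an added example that is not Docmost's code and not taken from the advisory: a Python script that constructs an archive holding one benign entry, one traversal entry and one absolute-path entry, shows where the naive join of extraction root and entry name would put each file, and applies the kind of entry-name validator a fixed extractor needs. The extraction root `/srv/docmost/imports/job-1` and all entry names are constructed for the demonstration; nothing is written to disk.

```python
"""Zip-slip demonstration: a hostile archive, the naive path mapping that
lets entries escape, and a validator that rejects them before extraction.
Constructed example; not Docmost's code."""
import io
import os
import zipfile

# Constructed extraction root for the demonstration (no files are written).
IMPORT_ROOT = "/srv/docmost/imports/job-1"


def build_malicious_zip() -> bytes:
    """Build an in-memory archive with one benign and two hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pages/readme.md", "harmless page\n")
        # Traversal components climb out of the extraction root.
        zf.writestr("../../../etc/cron.d/evil", "* * * * * root id\n")
        # Absolute entry name: os.path.join discards the root entirely.
        zf.writestr("/etc/passwd", "root::0:0::/:/bin/sh\n")
    return buf.getvalue()


def naive_target(root: str, name: str) -> str:
    """The unsafe mapping: trust the entry name and join it onto the root."""
    return os.path.normpath(os.path.join(root, name))


def safe_target(root: str, name: str) -> str:
    """Map an entry name under root, or raise ValueError if it would escape."""
    if not name or "\x00" in name:
        raise ValueError(f"empty or NUL-bearing entry name: {name!r}")
    if "\\" in name:
        # The ZIP spec mandates "/"; backslashes only serve to smuggle
        # traversal past checks on Windows hosts.
        raise ValueError(f"backslash in entry name: {name!r}")
    if name.startswith("/"):
        raise ValueError(f"absolute entry name: {name!r}")
    parts = name.rstrip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"traversal or empty path component: {name!r}")
    root = os.path.normpath(root)
    target = os.path.normpath(os.path.join(root, name))
    # Belt and braces: the normalized target must still sit inside root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes extraction root: {name!r}")
    return target


def classify_entries(archive: bytes, root: str = IMPORT_ROOT) -> dict:
    """Return {entry name: (naive path, safe path or None)} for every entry."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # namelist() returns the raw names exactly as the attacker wrote them;
        # a vulnerable extractor would feed these straight into open().
        for name in zf.namelist():
            try:
                safe = safe_target(root, name)
            except ValueError:
                safe = None
            result[name] = (naive_target(root, name), safe)
    return result


if __name__ == "__main__":
    for name, (naive, safe) in classify_entries(build_malicious_zip()).items():
        verdict = "OK     " if safe else "REJECT "
        print(f"{verdict} {name!r:28} naive join -> {naive}")
```

The component-level check (no empty, `.` or `..` segments, no leading slash) is what actually blocks the attack; the trailing `commonpath` comparison is a second line of defence against normalization surprises. A complete hardened extractor also needs to refuse symlink entries and cap the total decompressed size, which are separate weaknesses from the one in this advisory.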
OpenCVE Enrichment