CVE-2026-22867 - Vulnerability Details

- LaSuite Doc affected by Stored XSS via Interlinking Block

Description

LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0.

Published: 2026-01-15

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A stored Cross‑Site Scripting flaw exists in the Interlinking feature of LaSuite Docs. When a collaborator with edit rights creates a link to another document, the link URL is not validated, allowing injection of a malicious javascript: URL. When other users click the link, the browser executes the embedded script, which can run arbitrary code in the context of the victim’s session.

Affected Systems

The vulnerability affects the LaSuite Docs product from the suitenumerique vendor, specifically versions 3.8.0 through 4.3.0. Support for this issue was added in release 4.4.0, which removes the input validation flaw.

Risk and Exploitability

The CVSS score of 8.7 classifies this issue as high severity. Although the EPSS score is currently below 1 %, indicating a low likelihood of exploitation at present, the vulnerability remains significant because it requires only editing privileges that many users possess. The problem is not listed in the CISA KEV catalog, so no widespread exploitation has been reported, but the risk of insider or compromised user attacks exists.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

suitenumerique

docs

affected

Version	Status	Constraints
`>= 3.8.0, < 4.4.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:lasuite:docs:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Suitenumerique	Docs	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade LaSuite Docs to version 4.4.0 or newer to remove the input validation flaw.
Identify and remove any existing javascript: links from shared documents, or replace them with safe URLs.
Restrict editing permissions on documents to trusted users, or disable the interlinking feature until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 06:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77
https://github.com/suitenumerique/docs/releases/tag/v4.4.0
https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6

History

Thu, 12 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lasuite Lasuite docs
CPEs		cpe:2.3:a:lasuite:docs::::::::
Vendors & Products		Lasuite Lasuite docs

Fri, 16 Jan 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Suitenumerique Suitenumerique docs
Vendors & Products		Suitenumerique Suitenumerique docs

Thu, 15 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 15 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0.
Title		LaSuite Doc affected by Stored XSS via Interlinking Block
Weaknesses		CWE-79
References		https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77 https://github.com/suitenumerique/docs/releases/tag/v4.4.0 https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6
Metrics		cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}`

Subscriptions

Lasuite Docs

Suitenumerique Docs

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-15T16:31:34.397Z

Updated: 2026-01-15T16:46:57.161Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22867

Vulnrichment

Updated: 2026-01-15T16:46:53.561Z

NVD

Status : Analyzed

Published: 2026-01-15T17:16:07.883

Modified: 2026-03-12T17:29:40.970

Link: CVE-2026-22867

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object