Description
Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0.
Published: 2026-01-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing arbitrary JavaScript execution for any viewer
Action: Immediate Patch
AI Analysis

Impact

In Docmost versions 0.3.0 through 0.23.2, Mermaid code blocks are rendered by the frontend using mermaid.render(), which returns SVG/HTML. That output is inserted into the page via dangerouslySetInnerHTML without any sanitization. The Mermaid API supports in‑diagram %%{init}%% directives that can change securityLevel and enable htmlLabels, permitting an attacker to embed arbitrary HTML or JavaScript. Once a victim views a page containing such a malicious Mermaid block, the code runs in the victim’s browser, potentially compromising confidentiality, integrity, or availability of the user session or data. This is a classic stored XSS flaw, classified as CWE‑79 and CWE‑116. The likely attack vector is a victim opening a page that contains a malicious Mermaid diagram, as inferred from the described stored nature of the flaw. Based on the description, it is inferred that an attacker must create or modify a Mermaid diagram and populate it within a page that a target can view. The flaw is enabled by Mermaid per‑diagram %%{init}%% directives that allow an attacker to override securityLevel and enable htmlLabels, thereby injecting arbitrary HTML or JavaScript. The vulnerability enables arbitrary code execution in the context of any user who views the affected page, allowing the compromise of the user session and potentially data accessed by that session.

Affected Systems

The vulnerability is present in the open‑source collaborative wiki software Docmost. All deployments of Docmost from version 0.3.0 up to and including 0.23.2 are affected. Version 0.24.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need to create or modify a Mermaid diagram in a page that the victim can view. Because the flaw is stored, any user who opens the document can be compromised, making the risk significant for shared or public sites. Prompt patching reduces the attack surface and mitigates the potential for widespread compromise.

Generated by OpenCVE AI on April 18, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Docmost to version 0.24.0 or later to receive the fix for this stored XSS vulnerability.
  • If an upgrade cannot be performed immediately, remove the ability for users to create new Mermaid diagrams or enforce strict sanitization of diagram output to strip out HTML elements.
  • Configure the application to disable Mermaid htmlLabels or set the securityLevel to "strict" for all diagrams, ensuring that no user supplied JavaScript can execute.

Generated by OpenCVE AI on April 18, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Docmost
Docmost docmost
Vendors & Products Docmost
Docmost docmost

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0.
Title Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering
Weaknesses CWE-116
CWE-79
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Docmost Docmost
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:01.024Z

Reserved: 2026-01-14T16:08:37.482Z

Link: CVE-2026-23630

cve-icon Vulnrichment

Updated: 2026-01-22T15:09:17.688Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-21T23:15:52.187

Modified: 2026-02-17T16:50:10.463

Link: CVE-2026-23630

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses