Description
Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.
Published: 2026-02-10
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Docmost, an open‑source wiki, contains a stored cross‑site scripting flaw in its public share page function. Page titles are inserted into the share page's title element and meta tags without HTML escaping, so a title that contains markup breaks out of those contexts and is parsed as HTML. An attacker with a low‑privileged account who can create or edit a shared page can embed JavaScript in the title; it runs, in the origin of the Docmost instance, in the browser of any user, logged in or anonymous, who later opens the share link. The script then has everything the victim's browser can reach on that origin: the page DOM, same‑origin API calls made with the victim's session, and any cookies not marked HttpOnly.

Affected Systems

The vulnerability affects Docmost versions from 0.20.0 up to, but not including, 0.25.0. Releases before 0.20.0 are unaffected, and any deployment running 0.25.0 or newer has the fix in place. The only affected product is Docmost itself (CPE cpe:2.3:a:docmost:docmost).

Risk and Exploitability

With a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), the flaw is rated high severity: it is reachable over the network with low attack complexity, but the attacker needs a low‑privileged account that can create or edit a page, and a victim must open the shared link. The SSVC assessment records that a proof of concept exists (Exploitation: poc, Automatable: no), while the EPSS score is below 1 %, a very low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Because the payload is stored in the page title, every visitor to a poisoned share link triggers it, and the practical consequences are data theft and session hijacking within the victim's Docmost session. Exposure scales with how widely an instance uses public share links and how many users open them.

Generated by OpenCVE AI on April 15, 2026 at 15:14 UTC.

Remediation

The vendor fix is Docmost 0.25.0, per the CVE description; no separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade to Docmost version 0.25.0 or later to receive the security fix.
  • If an immediate upgrade is not possible, restrict or disable public page sharing until it is, or patch the share page template so that titles are HTML‑escaped before insertion. The escaping must cover both contexts the title lands in: element text inside the title tag and the quoted content attribute of each meta tag, so at minimum &, <, >, " and ' must be encoded.
  • Audit existing shared page titles for markup characters (<, >, ", '), revoke or regenerate share links for any page whose title looks tampered with, and review access logs for loads of those share URLs to identify users who may have been exposed.
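The escaping gap and its fix, as an added example in JavaScript that is not Docmost's own code: the render functions, the escaper, the audit helper and the sample titles below are all illustrative assumptions. The "before" function interpolates the title raw into the title element and meta content attributes, the pattern the advisory describes; the "after" escapes it for both contexts; and a small audit helper flags stored titles that could break out.

```javascript
// Added example, not Docmost source: a minimal share-page <head> renderer
// in its vulnerable and fixed forms, plus an audit helper for stored titles.
// All function names and the sample titles below are constructed for this
// illustration.

// Escapes the five characters that can change meaning in HTML element text
// or in a double-quoted attribute value. Handling both contexts at once
// matters here because the same title lands in <title> (text) and in
// <meta content="..."> (attribute).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before": the title is interpolated raw. A title containing "</title>" or
// a double quote escapes its context and the remainder is parsed as markup.
function renderShareHeadVulnerable(title) {
  return (
    '<head>' +
    `<title>${title}</title>` +
    `<meta property="og:title" content="${title}">` +
    `<meta name="description" content="${title}">` +
    '</head>'
  );
}

// "After": every interpolation goes through escapeHtml, so the title can
// only ever be text or an attribute value, never a new tag.
function renderShareHeadFixed(title) {
  const safe = escapeHtml(title);
  return (
    '<head>' +
    `<title>${safe}</title>` +
    `<meta property="og:title" content="${safe}">` +
    `<meta name="description" content="${safe}">` +
    '</head>'
  );
}

// True when the rendered markup contains a <script> start tag, i.e. the
// title broke out of its intended context. Adequate for a demonstration;
// a production check would parse the HTML rather than pattern-match it.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Audit helper for existing stored titles: flags any title containing a
// character able to close the <title> element or a quoted attribute.
// Ordinary titles such as "Q&A" or "Release notes 1.2" are not flagged.
function titleNeedsReview(title) {
  return /[<>"']/.test(String(title));
}

// Constructed payloads: the first closes the <title> element, the second
// closes the content attribute of the first <meta> tag.
const PAYLOAD_TITLE_BREAKOUT = '</title><script>alert(document.cookie)</script>';
const PAYLOAD_ATTR_BREAKOUT = '"><script>alert(document.domain)</script><meta x="';

const SAMPLE_TITLES = ['Release notes 1.2', 'Q&A', PAYLOAD_TITLE_BREAKOUT, PAYLOAD_ATTR_BREAKOUT];

for (const t of SAMPLE_TITLES) {
  console.log(
    JSON.stringify(t),
    'vulnerable:', containsScriptTag(renderShareHeadVulnerable(t)),
    'fixed:', containsScriptTag(renderShareHeadFixed(t)),
    'needsReview:', titleNeedsReview(t),
  );
}
```

Run it with node; the loop prints one line per sample title. The design point is that the escaper covers both the text context and the double-quoted attribute context, because the same string is reused in both; a template engine or JSX does this automatically, and this bug class appears when a title is concatenated into an HTML string by hand. A Content-Security-Policy without 'unsafe-inline' would block these particular inline payloads as a second layer, but it is not a substitute for escaping.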

Generated by OpenCVE AI on April 15, 2026 at 15:14 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 22:00:00 +0000

Type: Description
Values removed: Docmost is open-source collaborative wiki and documentation software. From g and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.
Values added: Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.

Wed, 25 Feb 2026 15:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 21:45:00 +0000

Type: First Time appeared
Values added: Docmost; Docmost docmost
Type: Vendors & Products
Values added: Docmost; Docmost docmost

Tue, 10 Feb 2026 19:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 17:30:00 +0000

Type: Description
Values added: Docmost is open-source collaborative wiki and documentation software. From g and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.
Type: Title
Values added: Docmost Affected by Stored XSS in Public Share Page
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T21:36:07.934Z

Reserved: 2026-01-20T22:30:11.777Z

Link: CVE-2026-24045

Vulnrichment

Updated: 2026-02-10T18:55:43.829Z

NVD

Status : Modified

Published: 2026-02-10T18:16:36.500

Modified: 2026-04-14T22:16:29.083

Link: CVE-2026-24045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses