The vulnerability arises from insecure Content‑Security‑Policy headers on files served under the /uploads/ endpoint in HedgeDoc versions prior to 1.10.6. A too‑open policy allows an attacker to upload interactive web content, such as maliciously crafted SVG files or fake login forms, that the browser will execute within the context of the application. This weakness, identified as CWE‑79, enables cross‑site scripting‑like payloads to run in a logged‑in user’s browser, potentially compromising confidentiality or integrity of that user’s session.

Affected deployments include any HedgeDoc installation running the hedgedoc/hedgedoc package before version 1.10.6, where files are accessible via the /uploads/ URL. The patch is available in release 1.10.6, so any system not yet upgraded to that version is vulnerable.

The CVSS base score of 4.3 indicates a moderate severity. The EPSS score of less than 1% reflects a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to supply a crafted SVG file and for a user to view it, a scenario that often relies on social engineering or internal compromise of the upload functionality. While the risk is primarily to users who view uploaded content they did not create, administrators should treat it as a medium‑risk issue until the patch is applied.