Description
CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of <iframe>, <video>, and <audio> elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad's intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, <iframe> is treated as "restricted" rather than "forbidden." Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0.
Published: 2026-05-20
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CryptPad's Diffmarked.js sanitizer can be bypassed because it only checks the src attribute of restricted tags such as iframe, video, and audio, leaving other attributes unchecked. By supplying an innocuous src value together with a malicious srcdoc, an attacker can inject arbitrary HTML that bypasses the intended sandbox, allowing link injection and other interactive content. This flaw is an injection vulnerability that can lead to reflected or stored cross‑site scripting, compromising the confidentiality and integrity of user documents.
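The attribute-filtering mismatch described above, as an added example that is not CryptPad's Diffmarked.js code: a minimal start-tag sanitizer that applies the weak "inspect only src" policy side by side with an allowlist policy, so the difference in what survives is visible on a constructed document. The forbidden and restricted tag lists, the blob:-only src rule, the per-tag attribute allowlist and the sample markup are all assumptions chosen for the illustration.

```javascript
// Added example (not CryptPad's Diffmarked.js): a minimal tag/attribute
// sanitizer that contrasts the flawed "check only src" policy the advisory
// describes with an allowlist policy. Tag lists, the blob:-only src rule and
// the per-tag attribute allowlist are assumptions chosen for illustration.

// Tags the sanitizer removes outright.
const FORBIDDEN_TAGS = new Set(["script", "object", "embed"]);
// Tags kept only under attribute restrictions.
const RESTRICTED_TAGS = new Set(["iframe", "video", "audio"]);
// Hypothetical attribute allowlist for the restricted tags.
const ALLOWED_ATTRS = {
  iframe: new Set(["src", "width", "height", "sandbox"]),
  video: new Set(["src", "controls", "width", "height"]),
  audio: new Set(["src", "controls"]),
};

// Matches a start tag, including quoted attribute values that may themselves
// contain "<" and ">" (as a srcdoc value does).
const START_TAG =
  /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s=>\/"']+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/g;
const END_TAG = /<\/([a-zA-Z][a-zA-Z0-9-]*)\s*>/g;
const ATTR = /([^\s=>\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

function parseAttrs(text) {
  const attrs = [];
  for (const m of text.matchAll(ATTR)) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return attrs;
}

function serialize(tag, attrs) {
  const parts = attrs.map(([n, v]) => `${n}="${v.replace(/"/g, "&quot;")}"`);
  return `<${tag}${parts.length ? " " + parts.join(" ") : ""}>`;
}

// Assumed "benign src" rule: only blob: URLs (the case the advisory names).
function isSafeSrc(value) {
  return value.startsWith("blob:");
}

// Shared driver: `policy` decides what happens to each restricted start tag,
// `forbidden` lists tags whose start and end tags are both removed. A restricted
// element rejected for its src loses only its start tag; the stray end tag left
// behind is ignored by HTML parsers.
function sanitizeWith(html, forbidden, policy) {
  const out = html.replace(START_TAG, (full, rawTag, rawAttrs) => {
    const tag = rawTag.toLowerCase();
    if (forbidden.has(tag)) return "";
    if (!RESTRICTED_TAGS.has(tag)) return full;
    return policy(tag, parseAttrs(rawAttrs));
  });
  return out.replace(END_TAG, (full, rawTag) =>
    forbidden.has(rawTag.toLowerCase()) ? "" : full);
}

// Weak policy (the flaw the advisory describes): iframe is merely "restricted",
// only src is inspected, and every other attribute passes through untouched.
function sanitizeWeak(html) {
  return sanitizeWith(html, FORBIDDEN_TAGS, (tag, attrs) => {
    const src = attrs.find(([name]) => name === "src");
    if (src && !isSafeSrc(src[1])) return "";
    return serialize(tag, attrs); // srcdoc and any other attribute survive here
  });
}

// Hardened policy: iframe joins the forbidden list, and restricted tags keep
// only allowlisted attributes, so anything unlisted (srcdoc included) is
// dropped rather than passed through.
const HARDENED_FORBIDDEN = new Set([...FORBIDDEN_TAGS, "iframe"]);

function sanitizeHardened(html) {
  return sanitizeWith(html, HARDENED_FORBIDDEN, (tag, attrs) => {
    const kept = [];
    for (const [name, value] of attrs) {
      if (!ALLOWED_ATTRS[tag].has(name)) continue;
      if (name === "src" && !isSafeSrc(value)) return "";
      kept.push([name, value]);
    }
    return serialize(tag, kept);
  });
}

// Names of all attributes that survive sanitisation; useful as a regression check.
function attributeNames(html) {
  const names = new Set();
  for (const m of html.matchAll(START_TAG)) {
    for (const [name] of parseAttrs(m[2])) names.add(name);
  }
  return names;
}

// Constructed sample document: a harmless paragraph, an iframe carrying a
// benign blob: src alongside a srcdoc, and a video with a blob: src.
const SAMPLE =
  '<p>hello</p>' +
  '<iframe src="blob:https://example.invalid/0" srcdoc="<b>injected</b>"></iframe>' +
  '<video src="blob:https://example.invalid/1" controls></video>';

console.log("weak:    ", sanitizeWeak(SAMPLE));
console.log("hardened:", sanitizeHardened(SAMPLE));
```

The weak policy returns the iframe intact because its src passes the blob: check and nothing else is examined; the hardened policy removes the iframe entirely and, for the video, keeps only attributes that appear in the allowlist. The design point is that a restricted tag needs a positive attribute allowlist (or an outright ban), since any attribute the check does not name is by definition unchecked.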

Affected Systems

CryptPad releases prior to 2026.2.0, including all versions through 2026.1.x, are vulnerable. The issue resides in the Diffmarked.js component that sanitizes user‑controlled content and is present in any document stored in those earlier releases.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker injecting crafted content into a shared document that is later opened by other users; the exploitation requires user interaction within the document viewer, but the flaw can affect many users if a document is widely shared, raising the risk of widespread XSS exposure.

Generated by OpenCVE AI on May 20, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to CryptPad 2026.2.0 or later to obtain the fixed sanitizer.
  • If an upgrade cannot be performed immediately, configure the application to disallow iframe, video, and audio elements in documents by setting the appropriate sanitization rules or content policy.
  • Deploy a Content Security Policy whose frame-src directive restricts iframe sources to trusted origins; because an srcdoc document inherits the embedding page's policy, the same policy's script-src and related directives also constrain what injected srcdoc markup can do.


Advisories

No advisories yet.

History

Wed, 20 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cryptpad; Cryptpad cryptpad
Vendors & Products | | Cryptpad; Cryptpad cryptpad

Wed, 20 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of <iframe>, <video>, and <audio> elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad's intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, <iframe> is treated as "restricted" rather than "forbidden." Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0.
Title | | CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS
Weaknesses | | CWE-116; CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T19:33:12.902Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26028

Vulnrichment

Updated: 2026-05-20T19:32:16.127Z

NVD

Status: Received

Published: 2026-05-20T20:16:36.760

Modified: 2026-05-20T20:16:36.760

Link: CVE-2026-26028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T21:00:12Z

Weaknesses