Description
Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.
Published: 2026-04-14
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw caused by Docmost’s improper handling of MIME type spoofing. An attacker can inject malicious JavaScript into the system, which will execute in the browsers of users who view the affected content. This could lead to theft of session cookies, execution of unauthorized actions, and wider compromise of the collaborative environment.

Affected Systems

Docmost 0.69.x and earlier versions of the open‑source wiki and documentation platform. The fix is included in version 0.70.0. Users running older releases are vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate risk, and the lack of an EPSS score or KEV listing means that exploitation is not known to be actively leveraged. The likely attack path involves an attacker with the ability to add or modify content, possibly through unauthenticated uploads, triggering the MIME type spoofing that stores malicious scripts. Once stored, the scripts run whenever other users view the content.

Generated by OpenCVE AI on April 14, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Docmost 0.70.0 or later.
  • If an immediate upgrade is not feasible, disable or tightly restrict public uploads and enforce strict MIME type validation to prevent spoofing.
  • Conduct a web application security scan to locate any injected scripts and remove them.
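
As an added illustration of the "enforce strict MIME type validation" recommendation above (example code written here, not Docmost's own): an upload check that trusts the file's magic bytes rather than the client-declared Content-Type, rejects polyglot files that embed markup behind a valid signature, and serves stored uploads with headers that stop browsers from sniffing or rendering them. The allowlist, header set and sample files are assumptions.

```python
import re

# Constructed allowlist: declared upload type -> magic bytes the file must start with.
ALLOWED_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}

# Markers of browser-executable content. A file carrying these must not be stored
# as an "image" or "document", even if its magic bytes look right (polyglot files).
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|svg|html|iframe|body|object|embed)\b|javascript:", re.IGNORECASE
)


def normalize_type(declared: str) -> str:
    """Drop parameters (e.g. '; charset=utf-8') and case from a Content-Type value."""
    return declared.split(";", 1)[0].strip().lower()


def check_upload(declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Trusts the bytes, never the client-declared type."""
    mime = normalize_type(declared_type)
    signatures = ALLOWED_SIGNATURES.get(mime)
    if signatures is None:
        return False, f"type {mime!r} is not on the upload allowlist"
    if not data.startswith(signatures):
        return False, f"content does not match magic bytes of {mime!r}"
    if ACTIVE_CONTENT.search(data):
        return False, "file embeds HTML/SVG/script markup despite a valid signature"
    return True, "ok"


def download_headers(declared_type: str, filename: str) -> dict[str, str]:
    """Headers for serving stored uploads so browsers cannot reinterpret them."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": normalize_type(declared_type),
        "X-Content-Type-Options": "nosniff",  # disable MIME sniffing
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if rendered
    }


if __name__ == "__main__":
    # Constructed samples: a genuine PNG header and an HTML file uploaded as "image/png".
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    spoofed = b"<html><script>alert(1)</script></html>"
    print(check_upload("image/png", real_png))  # (True, 'ok')
    print(check_upload("image/png", spoofed))   # (False, "content does not match magic bytes of 'image/png'")
```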

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Docmost; Docmost docmost
Vendors & Products | | Docmost; Docmost docmost

Tue, 14 Apr 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.
Title | | Docmost vulnerable to stored XSS via MIME type spoofing
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:51:42.724Z

Reserved: 2026-03-17T22:16:36.721Z

Link: CVE-2026-33193

Vulnrichment

Updated: 2026-04-16T13:51:34.684Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T22:16:30.867

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-33193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses