Description
Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link/icon, attacker-controlled JavaScript executes in the context of the Docmost origin. Version 0.71.0 patches the issue.
Published: 2026-04-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Docmost is an open‑source wiki that allows users to attach files to page content. A low‑privileged authenticated user can embed a javascript: URL inside an attachment node. When any user opens the attachment link, the browser executes the attacker’s code in the Docmost origin. The result is client‑side script execution that can steal session cookies, modify displayed content, or perform actions on behalf of the victim. The weakness identified is reflected input leading to stored XSS (CWE‑79).

Affected Systems

The vulnerability exists in all Docmost releases older than 0.71.0, the earliest affected version being 0.70.x. All documented users of these older releases who allow authenticated users to add attachment nodes are impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. Because the flaw requires authentication, only users who can log in to the application are required to launch the exploit. No network exploitation is necessary; the patch has been released and is not listed as a known exploited vulnerability. Without an applied fix, attackers can embed malicious URLs and cause arbitrary code execution when other users view affected pages. The overall risk remains moderate until the affected software is updated.

Generated by OpenCVE AI on April 14, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Docmost to version 0.71.0 or later, which removes the unsanitized attachment URL handling.
  • If upgrade cannot be performed immediately, disable or restrict the ability of low‑privileged users to add attachments or edit page content.
  • Implement a Content Security Policy that blocks execution of inline scripts and restricts the allowed source for URLs.

Generated by OpenCVE AI on April 14, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Docmost
Docmost docmost
Vendors & Products Docmost
Docmost docmost

Tue, 14 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link/icon, attacker-controlled JavaScript executes in the context of the Docmost origin. Version 0.71.0 patches the issue.
Title Docmost page content has stored XSS via unsanitized attachment URLs
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Docmost Docmost
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:02:55.239Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34212

cve-icon Vulnrichment

Updated: 2026-04-15T18:56:36.047Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T22:16:31.020

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-34212

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses