Description
Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker with a commenting account to embed a JavaScript URI as the link in a comment on a Docmost page. When another user clicks that link, the browser executes the script in the origin of the Docmost site, allowing the attacker to run arbitrary script in the victim's browser, read session data accessible to scripts, modify the page, or perform actions as the victim. Because the link persists in the comment, this is stored XSS (CWE-79) that only fires on a click, with the potential for phishing, credential theft, or downstream exploitation of other services reachable from the victim's session.

Affected Systems

The affected product is Docmost, an open‑source collaborative wiki and documentation platform. All releases prior to version 0.80.0 contain the flaw. The vendor is identified as docmost:docmost.

Risk and Exploitability

The CVSS 3.1 score of 5.4 indicates moderate severity (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network-reachable, low complexity, requires a low-privileged account and user interaction, with a scope change). EPSS is below 1% and the vulnerability is not listed in CISA KEV, suggesting limited widespread exploitation to date. The attack vector is remote: any user who can leave a comment can insert the malicious link, and any other user who clicks it triggers the payload. The main risk is to internal users who click user-inserted JavaScript URIs.

Generated by OpenCVE AI on April 22, 2026 at 06:23 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the description above states that the issue is fixed in Docmost 0.80.0.

OpenCVE Recommended Actions

  • Upgrade Docmost to version 0.80.0 or later, which contains the fix for the vulnerable comment link handling.
  • Clean up existing comments that contain JavaScript URIs, either by deleting them or by neutralizing the links (render them as plain text) to prevent accidental execution.
  • Implement stricter input sanitization for comment links, allowing only safe URL schemes (e.g., http, https, mailto) and blocking JavaScript URIs or rendering them as plain text.
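The scheme allowlist and plain-text fallback recommended above, written as an added example in JavaScript. This is not Docmost's code; the site origin, the function names and the (text, href) link shape are assumptions. It relies on the WHATWG URL parser to normalise the scheme, so mixed-case or whitespace-padded variants of a JavaScript URI are rejected along with the plain form, and any rejected link is emitted as escaped text rather than as an anchor.

```javascript
// Added example (not Docmost's code): allowlist-based sanitization for
// user-supplied comment links. Assumes links arrive as (text, href) pairs from
// the comment editor. SITE_ORIGIN is a placeholder, not a real deployment.
const SITE_ORIGIN = "https://wiki.example.invalid";
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Returns a normalised absolute href if its scheme is allowed, otherwise null.
function sanitizeHref(href) {
  if (typeof href !== "string") return null;
  let url;
  try {
    // The URL parser lower-cases the scheme and strips the leading
    // whitespace, tabs and newlines that browsers also ignore, so obfuscated
    // forms such as "JaVaScRiPt:" or "\tjavascript:" normalise to "javascript:".
    // Relative links ("/docs/page") resolve against the site origin and
    // therefore inherit its https: scheme.
    url = new URL(href, SITE_ORIGIN);
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders one comment link. A rejected href degrades to plain text so the
// comment stays readable but nothing is clickable.
function renderCommentLink(text, href) {
  const safe = sanitizeHref(href);
  if (safe === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample links, as a comment editor might submit them.
const SAMPLE_LINKS = [
  { text: "docs", href: "https://example.com/page" },
  { text: "contact", href: "mailto:user@example.com" },
  { text: "local", href: "/docs/page" },
  { text: "bad", href: "JaVaScRiPt:void(0)" },
];

// Renders every sample link; rejected ones appear as escaped text only.
function renderSamples() {
  return SAMPLE_LINKS.map((l) => renderCommentLink(l.text, l.href));
}

module.exports = { sanitizeHref, escapeHtml, renderCommentLink, renderSamples };
```

Run `sanitizeHref` on the decoded attribute value (after any HTML entity decoding the editor performs), and keep the escaping in `renderCommentLink` so the normalised href cannot break out of the attribute. The same `sanitizeHref` check can be run over stored comments to find links that should be neutralised during the cleanup step.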


Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 04:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Docmost; Docmost docmost
Vendors & Products                    Docmost; Docmost docmost

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.
Title                          Docmost: XSS in Comments with JavaScript URI
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T17:42:15.540Z

Reserved: 2026-04-15T20:40:15.517Z

Link: CVE-2026-40927

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:46.110

Modified: 2026-04-21T21:16:46.110

Link: CVE-2026-40927

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses