Description
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Outline’s comment section allows users to mention others, but the server fails to validate or sanitize the href attribute of these mentions. Because dangerous protocols such as javascript: are not filtered, malicious users can embed client‑side code that executes when other users view the comment. This can lead to theft of credentials, phishing, or other malicious activity carried out in the victim’s browser. The vulnerability is a direct instance of CWE‑79: Improper Neutralization of Input During Web Page Generation.

Affected Systems

The affected product is Outline from version 0.84.0 through 1.6.1. The fix that removes the insecure handling of href attributes was released in version 1.7.0.

Risk and Exploitability

The CVSS score of 7.3 indicates a medium‑to‑high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, so the overall risk cannot be precisely quantified but remains significant. The likely attack vector is client‑side, where an attacker posts a crafted comment mentioning a user with a malicious href. Any user who views the comment would then have the script executed in their browser session. Attack conditions require the attacker to have comment posting privileges and the victim to open the comment. Once exploited, the attacker can compromise the victim’s browser session but not the server itself.

Generated by OpenCVE AI on May 11, 2026 at 23:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.7.0 or newer to apply the vendor‑fixed sanitization of comment mention hrefs.
  • If an upgrade is not yet possible, implement server‑side sanitization for the href attribute in comment mentions, allowing only safe protocols such as http and https.
  • Configure a reverse proxy or web‑application firewall to block URLs with dangerous protocols like javascript: from rendering in comments.
  • As a last resort, disable the comment mention feature until a patch is available.
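The second recommended action (server-side allowlisting of the mention href), sketched as an added example; it is not Outline's own code or the 1.7.0 patch. The node shape (`type: "mention"` with `attrs.href`), the `BASE` origin and the function names are assumptions made for illustration.

```javascript
// Added example. The node shape ({type: "mention", attrs: {href}}) and BASE
// are assumptions, not Outline's actual schema or configuration.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const BASE = "https://wiki.example.test"; // placeholder origin for relative links

// Returns a normalized http(s) URL string, or null if the href must be dropped.
function safeHref(href) {
  if (typeof href !== "string") return null;
  let url;
  try {
    // The WHATWG parser strips tabs/newlines and surrounding whitespace the
    // way a browser does, so the check sees the scheme the browser would see.
    url = new URL(href, BASE);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Recursively copies a comment document, removing unsafe href values from
// mention nodes. The input object is left unmodified.
function sanitizeMentions(node) {
  if (Array.isArray(node)) return node.map(sanitizeMentions);
  if (node === null || typeof node !== "object") return node;
  const out = { ...node };
  if (out.type === "mention" && out.attrs && "href" in out.attrs) {
    const href = safeHref(out.attrs.href);
    out.attrs = { ...out.attrs };
    if (href === null) delete out.attrs.href;
    else out.attrs.href = href;
  }
  if (out.content) out.content = sanitizeMentions(out.content);
  return out;
}

// Constructed sample comment body (not captured from a real instance).
const sampleComment = {
  type: "doc",
  content: [{ type: "paragraph", content: [
    { type: "mention", attrs: { label: "alice", href: "https://wiki.example.test/u/alice" } },
    { type: "mention", attrs: { label: "bob", href: " JaVa\tScript:alert(1)" } },
    { type: "mention", attrs: { label: "carol", href: "data:text/html,<b>x</b>" } },
  ] }],
};
const cleaned = sanitizeMentions(sampleComment);
console.log(JSON.stringify(cleaned, null, 2));
```

Run the check at write time, before the comment is stored, so every client receives the already-validated value.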


Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Getoutline; Getoutline outline
Vendors & Products | - | Getoutline; Getoutline outline

Mon, 11 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | - | Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0.
Title | - | Outline: Stored XSS via Comment Mentions
Weaknesses | - | CWE-79
References | - |
Metrics | - | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T21:05:42.302Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43887

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T22:22:13.493

Modified: 2026-05-12T15:13:21.560

Link: CVE-2026-43887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses