{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34212", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-04-14T21:42:44.202Z", "dateUpdated": "2026-04-14T21:42:44.202Z"}, "containers": {"cna": {"title": "Docmost page content has stored XSS via unsanitized attachment URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/docmost/docmost/security/advisories/GHSA-cf68-cff9-hq4w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-cf68-cff9-hq4w"}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"version": "< 0.71.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:42:44.202Z"}, "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link/icon, attacker-controlled JavaScript executes in the context of the Docmost origin. Version 0.71.0 patches the issue."}], "source": {"advisory": "GHSA-cf68-cff9-hq4w", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link/icon, attacker-controlled JavaScript executes in the context of the Docmost origin. Version 0.71.0 patches the issue."}], "id": "CVE-2026-34212", "lastModified": "2026-04-14T22:16:31.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:31.020", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/docmost/docmost/security/advisories/GHSA-cf68-cff9-hq4w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.71.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "docmost", "source": "cna", "vendor": "docmost"}, "product": "docmost", "vendor": "docmost"}], "analysis": {"en": {"generated_at": "2026-04-14T23:26:12.708022+00:00", "value": {"mitigation_remediation": ["Upgrade Docmost to version 0.71.0 or later, which removes the unsanitized attachment URL handling.", "If upgrade cannot be performed immediately, disable or restrict the ability of low\u2011privileged users to add attachments or edit page content.", "Implement a Content Security Policy that blocks execution of inline scripts and restricts the allowed source for URLs."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all Docmost releases older than 0.71.0, the earliest affected version being 0.70.x. All documented users of these older releases who allow authenticated users to add attachment nodes are impacted.", "description_and_impact": "Docmost is an open\u2011source wiki that allows users to attach files to page content. A low\u2011privileged authenticated user can embed a javascript: URL inside an attachment node. When any user opens the attachment link, the browser executes the attacker\u2019s code in the Docmost origin. The result is client\u2011side script execution that can steal session cookies, modify displayed content, or perform actions on behalf of the victim. The weakness identified is reflected input leading to stored XSS (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. Because the flaw requires authentication, only users who can log in to the application are required to launch the exploit. No network exploitation is necessary; the patch has been released and is not listed as a known exploited vulnerability. Without an applied fix, attackers can embed malicious URLs and cause arbitrary code execution when other users view affected pages. The overall risk remains moderate until the affected software is updated."}}}}, "created": "2026-04-15T13:48:23.622123+00:00", "updated": "2026-04-15T14:31:57.032051+00:00", "vendors": ["docmost", "docmost$PRODUCT$docmost"]}